From c3a38a8c30adc50931349f98443d38c5790b3b00 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 20 Nov 2025 16:26:43 -0500 Subject: [PATCH 01/23] add decision points, decision tables, and stub docs for AIVSS Agentic Impact Model --- .gitignore | 1 + docs/howto/aivss/agentic_impact.md | 52 ++ docs/howto/aivss/env_adapt.md | 52 ++ docs/howto/aivss/exec_power.md | 52 ++ docs/howto/aivss/predict_influence.md | 52 ++ mkdocs.yml | 6 + src/ssvc/decision_points/aivss/__init__.py | 32 + .../decision_points/aivss/agentic_impact.py | 64 ++ src/ssvc/decision_points/aivss/autonomy.py | 65 ++ src/ssvc/decision_points/aivss/base.py | 31 + .../aivss/contextual_awareness.py | 73 ++ .../aivss/deceptiveness_potential.py | 69 ++ .../decision_points/aivss/dynamic_identity.py | 73 ++ .../decision_points/aivss/env_adaptation.py | 108 +++ .../decision_points/aivss/execution_power.py | 66 ++ .../aivss/goal_driven_planning.py | 71 ++ src/ssvc/decision_points/aivss/memory.py | 66 ++ .../aivss/multi_agent_interactions.py | 72 ++ .../decision_points/aivss/non_determinism.py | 64 ++ .../aivss/opacity_reflexivity.py | 64 ++ .../aivss/predictability_influence.py | 88 +++ .../aivss/self_modification.py | 73 ++ src/ssvc/decision_points/aivss/tool_use.py | 61 ++ .../aivss/verification_capability.py | 64 ++ .../decision_tables/aivss/agentic_impact.py | 239 +++++++ .../decision_tables/aivss/env_adaptation.py | 651 +++++++++++++++++ .../decision_tables/aivss/execution_power.py | 650 +++++++++++++++++ .../aivss/predictability_influence.py | 653 ++++++++++++++++++ src/ssvc/decision_tables/aivss/utils.py | 153 ++++ 29 files changed, 3765 insertions(+) create mode 100644 docs/howto/aivss/agentic_impact.md create mode 100644 docs/howto/aivss/env_adapt.md create mode 100644 docs/howto/aivss/exec_power.md create mode 100644 docs/howto/aivss/predict_influence.md create mode 100644 src/ssvc/decision_points/aivss/__init__.py create mode 100644 src/ssvc/decision_points/aivss/agentic_impact.py create mode 100644 src/ssvc/decision_points/aivss/autonomy.py create mode 100644 src/ssvc/decision_points/aivss/base.py create mode 100644 src/ssvc/decision_points/aivss/contextual_awareness.py create mode 100644 src/ssvc/decision_points/aivss/deceptiveness_potential.py create mode 100644 src/ssvc/decision_points/aivss/dynamic_identity.py create mode 100644 src/ssvc/decision_points/aivss/env_adaptation.py create mode 100644 src/ssvc/decision_points/aivss/execution_power.py create mode 100644 src/ssvc/decision_points/aivss/goal_driven_planning.py create mode 100644 src/ssvc/decision_points/aivss/memory.py create mode 100644 src/ssvc/decision_points/aivss/multi_agent_interactions.py create mode 100644 src/ssvc/decision_points/aivss/non_determinism.py create mode 100644 src/ssvc/decision_points/aivss/opacity_reflexivity.py create mode 100644 src/ssvc/decision_points/aivss/predictability_influence.py create mode 100644 src/ssvc/decision_points/aivss/self_modification.py create mode 100644 src/ssvc/decision_points/aivss/tool_use.py create mode 100644 src/ssvc/decision_points/aivss/verification_capability.py create mode 100644 src/ssvc/decision_tables/aivss/agentic_impact.py create mode 100644 src/ssvc/decision_tables/aivss/env_adaptation.py create mode 100644 src/ssvc/decision_tables/aivss/execution_power.py create mode 100644 src/ssvc/decision_tables/aivss/predictability_influence.py create mode 100644 src/ssvc/decision_tables/aivss/utils.py diff --git a/.gitignore b/.gitignore index b066ebee..109ee1f5 100644 --- a/.gitignore +++ b/.gitignore @@ -132,3 +132,4 @@ ssvc2-applier-wip.xlsx _version.py node_modules tmp +/src/scratch/ diff --git a/docs/howto/aivss/agentic_impact.md b/docs/howto/aivss/agentic_impact.md new file mode 100644 index 00000000..b154b43d --- /dev/null +++ b/docs/howto/aivss/agentic_impact.md @@ -0,0 +1,52 @@ +# AIVSS Guide + +Some text + +## Outcome + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.agentic_impact import LATEST as DT +from ssvc.doc_helpers import example_block + +dp = DT.decision_points[DT.outcome] +print(example_block(dp)) +``` + + +## Decision Points + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.agentic_impact import LATEST as DT +from ssvc.doc_helpers import example_block + +for dp in [v for k,v in DT.decision_points.items() if k != DT.outcome]: + print(example_block(dp)) +``` + +## Decision Table + +### Decision Model Visualization + + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.agentic_impact import LATEST as DT +from ssvc.decision_tables.helpers import mapping2mermaid, mermaid_title_from_dt + +rows = DT.mapping +title = mermaid_title_from_dt(DT) +print(mapping2mermaid(rows, title=title)) +``` + +### Table of Values + +The table below shows the values for the decision model. +Each row of the table corresponds to a path through the decision model diagram above. + +```python exec="true" idprefix="" + +from ssvc.decision_tables.aivss.agentic_impact import LATEST as DT +from ssvc.decision_tables.helpers import dt2df_md + +print(dt2df_md(DT)) +``` + diff --git a/docs/howto/aivss/env_adapt.md b/docs/howto/aivss/env_adapt.md new file mode 100644 index 00000000..79408270 --- /dev/null +++ b/docs/howto/aivss/env_adapt.md @@ -0,0 +1,52 @@ +# AIVSS Guide + +Some text + +## Outcome + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.env_adaptation import LATEST as DT +from ssvc.doc_helpers import example_block + +dp = DT.decision_points[DT.outcome] +print(example_block(dp)) +``` + + +## Decision Points + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.env_adaptation import LATEST as DT +from ssvc.doc_helpers import example_block + +for dp in [v for k,v in DT.decision_points.items() if k != DT.outcome]: + print(example_block(dp)) +``` + +## Decision Table + +### Decision Model Visualization + + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.env_adaptation import LATEST as DT +from ssvc.decision_tables.helpers import mapping2mermaid, mermaid_title_from_dt + +rows = DT.mapping +title = mermaid_title_from_dt(DT) +print(mapping2mermaid(rows, title=title)) +``` + +### Table of Values + +The table below shows the values for the decision model. +Each row of the table corresponds to a path through the decision model diagram above. + +```python exec="true" idprefix="" + +from ssvc.decision_tables.aivss.env_adaptation import LATEST as DT +from ssvc.decision_tables.helpers import dt2df_md + +print(dt2df_md(DT)) +``` + diff --git a/docs/howto/aivss/exec_power.md b/docs/howto/aivss/exec_power.md new file mode 100644 index 00000000..eb99ca14 --- /dev/null +++ b/docs/howto/aivss/exec_power.md @@ -0,0 +1,52 @@ +# AIVSS Guide + +Some text + +## Outcome + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.execution_power import LATEST as DT +from ssvc.doc_helpers import example_block + +dp = DT.decision_points[DT.outcome] +print(example_block(dp)) +``` + + +## Decision Points + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.execution_power import LATEST as DT +from ssvc.doc_helpers import example_block + +for dp in [v for k,v in DT.decision_points.items() if k != DT.outcome]: + print(example_block(dp)) +``` + +## Decision Table + +### Decision Model Visualization + + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.execution_power import LATEST as DT +from ssvc.decision_tables.helpers import mapping2mermaid, mermaid_title_from_dt + +rows = DT.mapping +title = mermaid_title_from_dt(DT) +print(mapping2mermaid(rows, title=title)) +``` + +### Table of Values + +The table below shows the values for the decision model. +Each row of the table corresponds to a path through the decision model diagram above. + +```python exec="true" idprefix="" + +from ssvc.decision_tables.aivss.execution_power import LATEST as DT +from ssvc.decision_tables.helpers import dt2df_md + +print(dt2df_md(DT)) +``` + diff --git a/docs/howto/aivss/predict_influence.md b/docs/howto/aivss/predict_influence.md new file mode 100644 index 00000000..f5e2b9e2 --- /dev/null +++ b/docs/howto/aivss/predict_influence.md @@ -0,0 +1,52 @@ +# AIVSS Guide + +Some text + +## Outcome + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.predictability_influence import LATEST as DT +from ssvc.doc_helpers import example_block + +dp = DT.decision_points[DT.outcome] +print(example_block(dp)) +``` + + +## Decision Points + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.predictability_influence import LATEST as DT +from ssvc.doc_helpers import example_block + +for dp in [v for k,v in DT.decision_points.items() if k != DT.outcome]: + print(example_block(dp)) +``` + +## Decision Table + +### Decision Model Visualization + + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.predictability_influence import LATEST as DT +from ssvc.decision_tables.helpers import mapping2mermaid, mermaid_title_from_dt + +rows = DT.mapping +title = mermaid_title_from_dt(DT) +print(mapping2mermaid(rows, title=title)) +``` + +### Table of Values + +The table below shows the values for the decision model. +Each row of the table corresponds to a path through the decision model diagram above. + +```python exec="true" idprefix="" + +from ssvc.decision_tables.aivss.predictability_influence import LATEST as DT +from ssvc.decision_tables.helpers import dt2df_md + +print(dt2df_md(DT)) +``` + diff --git a/mkdocs.yml b/mkdocs.yml index 50276ec9..58be873a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -24,6 +24,12 @@ nav: - About Coordination: 'howto/coordination_intro.md' - Coordination Triage: 'howto/coordination_triage_decision.md' - Publication Decision: 'howto/publication_decision.md' + - AIVSS Model: +# - About AIVSS: 'howto/aivss/index.md' + - Execution Power Model: 'howto/aivss/exec_power.md' + - Environment and Adaptation Model: 'howto/aivss/env_adapt.md' + - Predictability and Influence Model: 'howto/aivss/predict_influence.md' + - Agentic Impact Level Model: 'howto/aivss/agentic_impact.md' - CVSS v4 Analyst Models: - About CVSS v4: 'howto/cvss_v4/index.md' - Equivalence Set 1: 'howto/cvss_v4/eq1.md' diff --git a/src/ssvc/decision_points/aivss/__init__.py b/src/ssvc/decision_points/aivss/__init__.py new file mode 100644 index 00000000..6312d773 --- /dev/null +++ b/src/ssvc/decision_points/aivss/__init__.py @@ -0,0 +1,32 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +''' +Provides TODO writeme +''' + + +def main(): + pass + + +if __name__ == '__main__': + main() diff --git a/src/ssvc/decision_points/aivss/agentic_impact.py b/src/ssvc/decision_points/aivss/agentic_impact.py new file mode 100644 index 00000000..6c1d0bb2 --- /dev/null +++ b/src/ssvc/decision_points/aivss/agentic_impact.py @@ -0,0 +1,64 @@ +#!/usr/bin/env python +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 +""" +Provides the Agentic Impact Level Decision Point for SSVC. +""" + +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +COPILOT = DecisionPointValue( + key="C", + name="CoPilot", + definition="The agent is primarily a copilot or assistant. " + "Its actions are heavily constrained, requiring human oversight. " + "The agent explicitly does not have rights to execute code.", +) + +SPECIALIST = DecisionPointValue( + key="S", + name="Specialist", + definition="The agent is a specialist with significant autonomy within a defined domain." + "It can use powerful tools and may learn from interactions.", +) + +PRIME_MOVER = DecisionPointValue( + key="P", + name="Prime Mover", + definition="The agent is a prime mover with broad autonomy. " + "It can orchestrate other systems, modify its own logic, and interact with critical infrastructure." +) + +AIL_01 = AivssDecisionPoint( + key="AIL", + name="Agentic Impact Level", + definition="Determines the agentic impact level of a vulnerability based on its characteristics and potential effects.", + version="1.0.0", + values=(COPILOT, SPECIALIST, PRIME_MOVER), +) + + +VERSIONS = (AIL_01, ) +LATEST = VERSIONS[-1] + +if __name__ == "__main__": + for version in VERSIONS: + print_versions_and_diffs(VERSIONS) diff --git a/src/ssvc/decision_points/aivss/autonomy.py b/src/ssvc/decision_points/aivss/autonomy.py new file mode 100644 index 00000000..2f4a238c --- /dev/null +++ b/src/ssvc/decision_points/aivss/autonomy.py @@ -0,0 +1,65 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +''' +Provides the AIVSS Autonomy of Action Decision Point for SSVC. +''' +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + + +GATED = DecisionPointValue( + key="G", + name="Gated", + definition="The agent cannot act without human approval.", +) + +SCOPED = DecisionPointValue( + key="S", + name="Scoped", + definition="The agent can act independently but only in tightly bounded spaces.", +) + +FREE_RUNNING = DecisionPointValue( + key="F", + name="Free-Running", + definition="The agent can execute actions in live systems without a human in the loop.", +) + +AUTONOMY = AivssDecisionPoint( + key="AA", + name="Autonomy of Action", + definition="Determines the autonomy of action level of a vulnerability based on its characteristics and potential effects.", + version="1.0.0", + values=(GATED, SCOPED, FREE_RUNNING), +) + +VERSIONS = (AUTONOMY, ) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == '__main__': + main() diff --git a/src/ssvc/decision_points/aivss/base.py b/src/ssvc/decision_points/aivss/base.py new file mode 100644 index 00000000..025d6de9 --- /dev/null +++ b/src/ssvc/decision_points/aivss/base.py @@ -0,0 +1,31 @@ +#!/usr/bin/env python3 +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 +""" +Provides a base class for AIVSS-specific decision points. +""" +from pydantic import BaseModel + +from ssvc.decision_points.base import DecisionPoint + +AIVSS_NS = "x_org.owasp#aivss" + + +class AivssDecisionPoint(DecisionPoint, BaseModel): + namespace: str = AIVSS_NS diff --git a/src/ssvc/decision_points/aivss/contextual_awareness.py b/src/ssvc/decision_points/aivss/contextual_awareness.py new file mode 100644 index 00000000..49950557 --- /dev/null +++ b/src/ssvc/decision_points/aivss/contextual_awareness.py @@ -0,0 +1,73 @@ +#!/usr/bin/env python + +""" +Provides the AIVSS Contextual Awareness Decision Point for SSVC. +""" + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +# ## 2. Contextual Awareness +# - Isolated — no external contextual signals. +# - Trusted-Signal — uses only vetted, narrow, structured signals. +# - Ambient — reacts to broad, open-ended environmental signals. + +ISOLATED = DecisionPointValue( + key="I", + name="Isolated", + definition="No external contextual signals.", +) + +TRUSTED_SIGNAL = DecisionPointValue( + key="T", + name="Trusted-Signal", + definition="Uses only vetted, narrow, structured signals.", +) + +AMBIENT = DecisionPointValue( + key="A", + name="Ambient", + definition="Reacts to broad, open-ended environmental signals.", +) + +CONTEXTUAL_AWARENESS_01 = AivssDecisionPoint( + key="CA", + name="Contextual Awareness", + definition=( + "Determines the degree to which an AI system senses and incorporates context " + "from its environment and external signals." + ), + version="1.0.0", + values=(ISOLATED, TRUSTED_SIGNAL, AMBIENT), +) + +VERSIONS = (CONTEXTUAL_AWARENESS_01,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/aivss/deceptiveness_potential.py b/src/ssvc/decision_points/aivss/deceptiveness_potential.py new file mode 100644 index 00000000..83163b3c --- /dev/null +++ b/src/ssvc/decision_points/aivss/deceptiveness_potential.py @@ -0,0 +1,69 @@ +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +""" +Provides a decision point to assess the deceptiveness potential of a vulnerability report. +""" +# ## 4. Deceptiveness Potential +# - **Plain** — structured, non-persona output. +# - **Fluent** — natural language output, but not convincingly human. +# - **Persuasive** — persona mimicry, deepfakes, or social-engineering capability. + +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +PLAIN = DecisionPointValue( + key="P", + name="Plain", + definition="Structured, non-persona output.", +) +FLUENT = DecisionPointValue( + key="F", + name="Fluent", + definition="Natural language output, but not convincingly human.", +) +PERSUASIVE = DecisionPointValue( + key="S", + name="Persuasive", + definition="Persona mimicry, deepfakes, or social-engineering capability.", +) + +DECEPTIVENESS_POTENTIAL_01 = AivssDecisionPoint( + key="DP", + name="Deceptiveness Potential", + definition=( + "Assesses the potential for AI-generated vulnerability reports to be deceptive, " + "ranging from plain structured output to highly persuasive content." + ), + version="1.0.0", + values=(PLAIN, FLUENT, PERSUASIVE), +) + +VERSIONS = (DECEPTIVENESS_POTENTIAL_01,) + +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/aivss/dynamic_identity.py b/src/ssvc/decision_points/aivss/dynamic_identity.py new file mode 100644 index 00000000..9d620fd5 --- /dev/null +++ b/src/ssvc/decision_points/aivss/dynamic_identity.py @@ -0,0 +1,73 @@ +#!/usr/bin/env python + +""" +Provides the AIVSS Dynamic Identity Decision Point for SSVC. +""" + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +# ## 4. Dynamic Identity +# - Fixed — single, constant identity. +# - Scoped Roles — limited role changes tied to specific tools or contexts. +# - Assumed Identity — cross-tenant, impersonation-like, or elevated role adoption. + +FIXED = DecisionPointValue( + key="F", + name="Fixed", + definition="Single, constant identity.", +) + +SCOPED_ROLES = DecisionPointValue( + key="S", + name="Scoped Roles", + definition="Limited role changes tied to specific tools or contexts.", +) + +ASSUMED_IDENTITY = DecisionPointValue( + key="A", + name="Assumed Identity", + definition="Cross-tenant, impersonation-like, or elevated role adoption.", +) + +DYNAMIC_IDENTITY_01 = AivssDecisionPoint( + key="DI", + name="Dynamic Identity", + definition=( + "Describes how an AI system's identity and authorization context may change at runtime, " + "including whether it can assume roles beyond a fixed identity." + ), + version="1.0.0", + values=(FIXED, SCOPED_ROLES, ASSUMED_IDENTITY), +) + +VERSIONS = (DYNAMIC_IDENTITY_01,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/aivss/env_adaptation.py b/src/ssvc/decision_points/aivss/env_adaptation.py new file mode 100644 index 00000000..1e4fd1d8 --- /dev/null +++ b/src/ssvc/decision_points/aivss/env_adaptation.py @@ -0,0 +1,108 @@ +#!/usr/bin/env python + +""" +Provides TODO writeme +""" + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +from ssvc.decision_points.aivss.base import AivssDecisionPoint + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +# # Environment & Adaptation +# Isolated +# +# Operates in a narrow, stable context with no meaningful external awareness. +# No cross-session memory, multi-agent behavior, or identity changes. +# Environmental shifts don’t affect behavior unless a human explicitly updates inputs. +# +# Connected +# +# Uses curated signals, scoped identity roles, or predefined multi-agent patterns to adapt. +# Environmental changes can influence behavior, but only within controlled, auditable bounds. +# +# Pervasive +# +# Continuously adapts to broad, dynamic environmental inputs and multi-agent activity. +# Identity, memory, and context can shift fluidly, creating emergent behavior. +# Environmental variation can substantially redirect or amplify its actions. + +ISOLATED = DecisionPointValue( + key="I", + name="Isolated", + definition="Operates in a narrow, stable context with no meaningful external awareness. " + "No cross-session memory, multi-agent behavior, or identity changes. " + "Environmental shifts don’t affect behavior unless a human explicitly updates inputs.", +) + +CONNECTED = DecisionPointValue( + key="C", + name="Connected", + definition="Uses curated signals, scoped identity roles, or predefined multi-agent patterns to adapt. " + "Environmental changes can influence behavior, but only within controlled, auditable bounds.", +) + +PERVASIVE = DecisionPointValue( + key="P", + name="Pervasive", + definition="Continuously adapts to broad, dynamic environmental inputs and multi-agent activity. " + "Identity, memory, and context can shift fluidly, creating emergent behavior. " + "Environmental variation can substantially redirect or amplify its actions.", +) + +ENV_ADAPT_01 = AivssDecisionPoint( + key="EA", + name="Environment & Adaptation", + definition="Determines the environment and adaptation level of an AI system based on its context awareness and adaptability.", + version="1.0.0", + values=(ISOLATED, CONNECTED, PERVASIVE), +) + +VERSIONS = (ENV_ADAPT_01,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/aivss/execution_power.py b/src/ssvc/decision_points/aivss/execution_power.py new file mode 100644 index 00000000..6934d784 --- /dev/null +++ b/src/ssvc/decision_points/aivss/execution_power.py @@ -0,0 +1,66 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +''' +Provides TODO writeme +''' +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +# Execution Power +# Categories : Constrained, Capable, High Leverage + +CONSTRAINED = DecisionPointValue( + key="C", + name="Constrained", + definition="The AI agent has limited execution power, restricting its ability to perform actions autonomously or interact with external systems.", +) + +CAPABLE = DecisionPointValue( + key="CA", + name="Capable", + definition="The AI agent has moderate execution power, allowing it to perform certain actions autonomously and interact with external systems under supervision.", +) + +HIGH_LEVERAGE = DecisionPointValue( + key="H", + name="High Leverage", + definition="The AI agent has extensive execution power, enabling it to perform actions autonomously and interact with external systems with minimal supervision.", +) + +EXECUTION_POWER = AivssDecisionPoint( + key="EP", + name="Execution Power", + definition="Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", + version="1.0.0", + values=(CONSTRAINED, CAPABLE, HIGH_LEVERAGE), +) + +VERSIONS = (EXECUTION_POWER,) +LATEST = VERSIONS[-1] + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == '__main__': + main() diff --git a/src/ssvc/decision_points/aivss/goal_driven_planning.py b/src/ssvc/decision_points/aivss/goal_driven_planning.py new file mode 100644 index 00000000..fb835b5c --- /dev/null +++ b/src/ssvc/decision_points/aivss/goal_driven_planning.py @@ -0,0 +1,71 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +''' +Provides TODO writeme +''' +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +# ## 4\. Goal-Driven Planning +# +# Unlike self-mod, planning truly has *three distinct qualitative regimes*, and you should keep all three. +# +# ### Planning Levels +# +# - **Reactive** — single-step, no planning horizon. +# - **Assisted** — multi-step planning, human executes or approves. +# - **Autonomous** — multi-step planning and execution by the system itself. +# +# **Why 3?** People behave meaningfully differently when an AI can only react vs. can plan vs. can plan-and-execute. These are policy-relevant distinctions. +REACTIVE = DecisionPointValue( + key="R", + name="Reactive", + definition="The agent can only respond to immediate inputs without planning.", +) +ASSISTED = DecisionPointValue( + key="A", + name="Assisted", + definition="The agent can plan multiple steps ahead but requires human execution or approval.", +) +AUTONOMOUS = DecisionPointValue( + key="U", + name="Autonomous", + definition="The agent can plan and execute multiple steps independently.", +) +GOAL_DRIVEN_PLANNING = AivssDecisionPoint( + key="GDP", + name="Goal-Driven Planning", + definition="Determines the goal-driven planning capabilities of an AI agent based on its ability to plan and execute actions over multiple steps.", + version="1.0.0", + values=(REACTIVE, ASSISTED, AUTONOMOUS), +) + +VERSIONS = (GOAL_DRIVEN_PLANNING, ) +LATEST = VERSIONS[-1] + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == '__main__': + main() diff --git a/src/ssvc/decision_points/aivss/memory.py b/src/ssvc/decision_points/aivss/memory.py new file mode 100644 index 00000000..e484750e --- /dev/null +++ b/src/ssvc/decision_points/aivss/memory.py @@ -0,0 +1,66 @@ +#!/usr/bin/env python + +""" +Provides TODO writeme +""" + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +# ## 1. Memory Use +# - **Stateless** — no persistence beyond the current interaction. +# - **Local Recall** — remembers within a session or user context. +# - **Shared Memory** — persistent state across sessions, tasks, or teams. + +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +STATELESS = DecisionPointValue( + key="S", + name="Stateless", + definition="No persistence beyond the current interaction.", +) +LOCAL_RECALL = DecisionPointValue( + key="L", + name="Local Recall", + definition="Remembers within a session or user context.", +) +SHARED_MEMORY = DecisionPointValue( + key="M", + name="Shared Memory", + definition="Persistent state across sessions, tasks, or teams.", +) +MEMORY_01 = AivssDecisionPoint( + key="MU", + name="Memory Use", + definition="Determines the memory use level of an AI system based on its persistence and recall capabilities.", + version="1.0.0", + values=(STATELESS, LOCAL_RECALL, SHARED_MEMORY), +) +VERSIONS = (MEMORY_01,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/aivss/multi_agent_interactions.py b/src/ssvc/decision_points/aivss/multi_agent_interactions.py new file mode 100644 index 00000000..fe6953e6 --- /dev/null +++ b/src/ssvc/decision_points/aivss/multi_agent_interactions.py @@ -0,0 +1,72 @@ +#!/usr/bin/env python + +""" +Provides the AIVSS Multi-Agent Interactions Decision Point for SSVC. +""" + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +# ## 3. Multi-Agent Interactions +# - Solo — operates alone; no coordination. +# - Scripted — interacts through predefined handoffs or protocols. +# - Orchestrated — dynamic teaming, swarms, emergent behavior, or markets. + +SOLO = DecisionPointValue( + key="S", + name="Solo", + definition="Operates alone; no coordination.", +) + +SCRIPTED = DecisionPointValue( + key="R", + name="Scripted", + definition="Interacts through predefined handoffs or protocols.", +) + +ORCHESTRATED = DecisionPointValue( + key="O", + name="Orchestrated", + definition="Dynamic teaming, swarms, emergent behavior, or markets.", +) + +MULTI_AGENT_INTERACTIONS_01 = AivssDecisionPoint( + key="MAI", + name="Multi-Agent Interactions", + definition=( + "Characterizes how, and how flexibly, an AI system coordinates with other agents or services." + ), + version="1.0.0", + values=(SOLO, SCRIPTED, ORCHESTRATED), +) + +VERSIONS = (MULTI_AGENT_INTERACTIONS_01,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/aivss/non_determinism.py b/src/ssvc/decision_points/aivss/non_determinism.py new file mode 100644 index 00000000..51a94f6a --- /dev/null +++ b/src/ssvc/decision_points/aivss/non_determinism.py @@ -0,0 +1,64 @@ +#!/usr/bin/env python +""" +Provides the AIVSS Non-Determinism Decision Point for SSVC. +""" + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +DETERMINISTIC = DecisionPointValue( + key="D", + name="Deterministic", + definition="Stable outputs; no randomness.", +) + +BOUNDED = DecisionPointValue( + key="B", + name="Bounded", + definition="Controlled variance within predictable limits.", +) + +HIGH_VARIANCE = DecisionPointValue( + key="H", + name="High-Variance", + definition="Broad or unstable behavioral range.", +) + +NON_DETERMINISM_01 = AivssDecisionPoint( + key="ND", + name="Non-Determinism", + definition="Describes variability of system outputs across repeated executions.", + version="1.0.0", + values=(DETERMINISTIC, BOUNDED, HIGH_VARIANCE), +) + +VERSIONS = (NON_DETERMINISM_01,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/aivss/opacity_reflexivity.py b/src/ssvc/decision_points/aivss/opacity_reflexivity.py new file mode 100644 index 00000000..84ad67c9 --- /dev/null +++ b/src/ssvc/decision_points/aivss/opacity_reflexivity.py @@ -0,0 +1,64 @@ +#!/usr/bin/env python +""" +Provides the AIVSS Opacity & Reflexivity Decision Point for SSVC. +""" + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +TRANSPARENT = DecisionPointValue( + key="T", + name="Transparent", + definition="Full logs and traceable reasoning.", +) + +FRAGMENTED = DecisionPointValue( + key="F", + name="Fragmented", + definition="Partial visibility; some steps hidden.", +) + +OPAQUE = DecisionPointValue( + key="O", + name="Opaque", + definition="Black-box behavior; internal process not observable.", +) + +OPACITY_REFLEXIVITY_01 = AivssDecisionPoint( + key="OR", + name="Opacity & Reflexivity", + definition="Captures how observable and explainable the internal reasoning and adaptation cycle is.", + version="1.0.0", + values=(TRANSPARENT, FRAGMENTED, OPAQUE), +) + +VERSIONS = (OPACITY_REFLEXIVITY_01,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/aivss/predictability_influence.py b/src/ssvc/decision_points/aivss/predictability_influence.py new file mode 100644 index 00000000..1fc8d831 --- /dev/null +++ b/src/ssvc/decision_points/aivss/predictability_influence.py @@ -0,0 +1,88 @@ +#!/usr/bin/env python + +""" +Provides TODO writeme +""" + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +# Verifiable +# Behavior is traceable, reproducible, and backed by strong logging or proofs. +# Outputs align with clear rules, and any action can be independently checked. +# Unexpected deviations are rare and easy to diagnose. +# Uncertain +# Behavior is generally well-structured but can deviate within known bounds. +# Some reasoning steps or interactions lack full visibility, making verification partial. +# Issues may be diagnosable but require effort or contextual reconstruction. +# Opaque +# Behavior is highly variable, difficult to trace, and resistant to verification. +# Key reasoning paths, external influences, or interactions are hidden or unpredictable. +# Actions may appear coherent but cannot be reliably reproduced or audited. + +VERIFIABLE = DecisionPointValue( + name="Verifiable", + key="V", + definition=( + "Behavior is traceable, reproducible, and backed by strong logging or proofs. " + "Outputs align with clear rules, and any action can be independently checked. " + "Unexpected deviations are rare and easy to diagnose." + ), +) +UNCERTAIN = DecisionPointValue( + name="Uncertain", + key="U", + definition=( + "Behavior is generally well-structured but can deviate within known bounds. " + "Some reasoning steps or interactions lack full visibility, making verification partial. " + "Issues may be diagnosable but require effort or contextual reconstruction." + ), +) +OPAQUE = DecisionPointValue( + name="Opaque", + key="O", + definition=( + "Behavior is highly variable, difficult to trace, and resistant to verification. " + "Key reasoning paths, external influences, or interactions are hidden or unpredictable. " + "Actions may appear coherent but cannot be reliably reproduced or audited." + ), +) + +PREDICTABILITY_INFLUENCE_01 = AivssDecisionPoint( + key="PI", + name="Predictability and Influence", + definition="TODO writeme", + version="1.0.0", + values=(VERIFIABLE, UNCERTAIN, OPAQUE), +) + +VERSIONS = (PREDICTABILITY_INFLUENCE_01,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/aivss/self_modification.py b/src/ssvc/decision_points/aivss/self_modification.py new file mode 100644 index 00000000..602061bf --- /dev/null +++ b/src/ssvc/decision_points/aivss/self_modification.py @@ -0,0 +1,73 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +''' +Provides the AIVSS Self-Modification Decision Point for SSVC. +''' + +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +FIXED = DecisionPointValue( + key="F", + name="Fixed", + definition="The agent cannot modify its own code, configuration, or behavior.", +) + +TUNABLE = DecisionPointValue( + key="T", + name="Tunable", + definition="The agent can modify its configuration or prompts but not its core code or behavior.", +) + +MUTABLE = DecisionPointValue( + key="M", + name="Mutable", + definition="The agent can modify its own code, configuration, or behavior.", +) + +SELF_MODIFICATION_1_0_0 = AivssDecisionPoint( + key="SM", + name="Self-Modification", + definition="Determines the self-modification capabilities of an AI agent based on its ability to alter its own code, configuration, or behavior.", + version="1.0.0", + values=(FIXED, MUTABLE), +) + +SELF_MODIFICATION_1_1_0 = AivssDecisionPoint( + key="SM", + name="Self-Modification", + definition="Determines the self-modification capabilities of an AI agent based on its ability to alter its own code, configuration, or behavior.", + version="1.1.0", + values=(FIXED, TUNABLE, MUTABLE), +) + +VERSIONS = (SELF_MODIFICATION_1_0_0, SELF_MODIFICATION_1_1_0) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == '__main__': + main() diff --git a/src/ssvc/decision_points/aivss/tool_use.py b/src/ssvc/decision_points/aivss/tool_use.py new file mode 100644 index 00000000..f3bc793e --- /dev/null +++ b/src/ssvc/decision_points/aivss/tool_use.py @@ -0,0 +1,61 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +''' +Provides the AIVSS Tool Use Decision Point for SSVC. +''' +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +VIEWER = DecisionPointValue( + key="V", + name="Viewer", + definition="The agent can only read and analyze information without making any changes.", +) +OPERATOR = DecisionPointValue( + key="O", + name="Operator", + definition="The agent can make changes within a controlled environment, such as test systems or local files.", +) +ADMINISTRATOR = DecisionPointValue( + key="A", + name="Administrator", + definition="The agent has full control and can make changes to privileged systems, including production environments.", +) + +TOOL_USE = AivssDecisionPoint( + key="TU", + name="Tool Use", + definition="Determines the tool use level of an AI agent based on its capabilities to interact with systems.", + version="1.0.0", + values=(VIEWER, OPERATOR, ADMINISTRATOR), +) + +VERSIONS = (TOOL_USE, ) +LATEST = VERSIONS[-1] + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == '__main__': + main() diff --git a/src/ssvc/decision_points/aivss/verification_capability.py b/src/ssvc/decision_points/aivss/verification_capability.py new file mode 100644 index 00000000..6306234e --- /dev/null +++ b/src/ssvc/decision_points/aivss/verification_capability.py @@ -0,0 +1,64 @@ +#!/usr/bin/env python +""" +Provides the AIVSS Verification Capability Decision Point for SSVC. +""" + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs + +PROVABLE = DecisionPointValue( + key="P", + name="Provable", + definition="Critical safety or correctness invariants can be verified.", +) + +KEY_INVARIANTS = DecisionPointValue( + key="K", + name="Key Invariants Verifiable", + definition="Some critical properties can be verified, but not all.", +) + +UNVERIFIABLE = DecisionPointValue( + key="U", + name="Unverifiable", + definition="Cannot prove correctness or invariants in practice.", +) + +VERIFICATION_CAPABILITY_01 = AivssDecisionPoint( + key="VC", + name="Verification Capability", + definition="Indicates whether the system’s critical properties can be formally or practically verified.", + version="1.0.0", + values=(PROVABLE, KEY_INVARIANTS, UNVERIFIABLE), +) + +VERSIONS = (VERIFICATION_CAPABILITY_01,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_tables/aivss/agentic_impact.py b/src/ssvc/decision_tables/aivss/agentic_impact.py new file mode 100644 index 00000000..d85b3546 --- /dev/null +++ b/src/ssvc/decision_tables/aivss/agentic_impact.py @@ -0,0 +1,239 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +""" +Provides TODO writeme +""" +from ssvc.decision_points.aivss.agentic_impact import AIL_01 +from ssvc.decision_points.aivss.base import AIVSS_NS +from ssvc.decision_points.aivss.env_adaptation import ENV_ADAPT_01 +from ssvc.decision_points.aivss.execution_power import EXECUTION_POWER +from ssvc.decision_points.aivss.predictability_influence import ( + PREDICTABILITY_INFLUENCE_01, +) +from ssvc.decision_tables.base import DecisionTable + +V1_0_0 = DecisionTable( + key="AIL", + namespace=AIVSS_NS, + name="Agentic Impact Level", + definition=("TODO writeme"), + version="1.0.0", + decision_points={ + dp.id: dp + for dp in [ + EXECUTION_POWER, + ENV_ADAPT_01, + PREDICTABILITY_INFLUENCE_01, + AIL_01, + ] + }, + outcome=AIL_01.id, + mapping=[ + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "C", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "C", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "C", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "C", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "P", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "P", + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P", + }, + ], +) + +VERSIONS = (V1_0_0,) +LATEST = VERSIONS[-1] + + +def main(): + from ssvc.decision_tables.helpers import print_dt_version + from ssvc.decision_tables.aivss.utils import Rule, RuleSet, rules_mapping + + print_dt_version(V1_0_0) + + ruleset = RuleSet( + rules=[ + Rule(value=2, value_count=2, outcome=2), + Rule(value=2, value_count=1, outcome=1), + Rule(value=1, value_count=2, outcome=1), + Rule(value=0, value_count=0, outcome=0), + ] + ) + + print(rules_mapping(V1_0_0, ruleset)) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_tables/aivss/env_adaptation.py b/src/ssvc/decision_tables/aivss/env_adaptation.py new file mode 100644 index 00000000..0692db6c --- /dev/null +++ b/src/ssvc/decision_tables/aivss/env_adaptation.py @@ -0,0 +1,651 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +""" +Provides TODO writeme +""" + +from ssvc.decision_points.aivss.base import AIVSS_NS +from ssvc.decision_points.aivss.contextual_awareness import ( + CONTEXTUAL_AWARENESS_01, +) +from ssvc.decision_points.aivss.dynamic_identity import DYNAMIC_IDENTITY_01 +from ssvc.decision_points.aivss.env_adaptation import ENV_ADAPT_01 +from ssvc.decision_points.aivss.memory import MEMORY_01 +from ssvc.decision_points.aivss.multi_agent_interactions import ( + MULTI_AGENT_INTERACTIONS_01, +) +from ssvc.decision_tables.base import DecisionTable + +V1_0_0 = DecisionTable( + # FIXME: Update key, name, and definition + key="EP", + name="Execution Power", + definition="Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", + version="1.0.0", + namespace=AIVSS_NS, + decision_points={ + dp.id: dp + for dp in [ + MEMORY_01, + CONTEXTUAL_AWARENESS_01, + DYNAMIC_IDENTITY_01, + MULTI_AGENT_INTERACTIONS_01, + ENV_ADAPT_01, + ] + }, + outcome=ENV_ADAPT_01.id, + mapping=[ + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "I", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "I", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "I", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "I", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "S", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "I", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "L", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "I", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "C", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "T", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "F", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "S", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "S", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "R", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + { + "x_org.owasp#aivss:MU:1.0.0": "M", + "x_org.owasp#aivss:CA:1.0.0": "A", + "x_org.owasp#aivss:DI:1.0.0": "A", + "x_org.owasp#aivss:MAI:1.0.0": "O", + "x_org.owasp#aivss:EA:1.0.0": "P", + }, + ], +) + +VERSIONS = (V1_0_0,) +LATEST = VERSIONS[-1] + + +def main(): + from ssvc.decision_tables.helpers import print_dt_version + from ssvc.decision_tables.aivss.utils import Rule, RuleSet, rules_mapping + + print_dt_version(V1_0_0) + + ruleset = RuleSet( + rules=[ + # Highest severity first + Rule(value=2, value_count=2, outcome=2), + Rule(value=2, value_count=1, outcome=1), + Rule(value=1, value_count=2, outcome=1), + Rule(value=0, value_count=0, outcome=0), + ] + ) + + print(rules_mapping(V1_0_0, ruleset)) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_tables/aivss/execution_power.py b/src/ssvc/decision_tables/aivss/execution_power.py new file mode 100644 index 00000000..101aecdc --- /dev/null +++ b/src/ssvc/decision_tables/aivss/execution_power.py @@ -0,0 +1,650 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +""" +Provides TODO writeme +""" + +from ssvc.decision_points.aivss.autonomy import AUTONOMY +from ssvc.decision_points.aivss.base import AIVSS_NS +from ssvc.decision_points.aivss.execution_power import EXECUTION_POWER +from ssvc.decision_points.aivss.goal_driven_planning import ( + GOAL_DRIVEN_PLANNING, +) +from ssvc.decision_points.aivss.self_modification import ( + SELF_MODIFICATION_1_1_0 as SELF_MODIFICATION, +) +from ssvc.decision_points.aivss.tool_use import TOOL_USE +from ssvc.decision_tables.base import DecisionTable + +V1_0_0 = DecisionTable( + key="EP", + name="Execution Power", + definition="Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", + version="1.0.0", + namespace=AIVSS_NS, + decision_points={ + dp.id: dp + for dp in [ + AUTONOMY, + TOOL_USE, + SELF_MODIFICATION, + GOAL_DRIVEN_PLANNING, + EXECUTION_POWER, + ] + }, + outcome=EXECUTION_POWER.id, + mapping=[ + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "C", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "C", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "C", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "C", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H", + }, + ], +) + +VERSIONS = (V1_0_0,) +LATEST = VERSIONS[-1] + + +def main(): + from ssvc.decision_tables.helpers import print_dt_version + from ssvc.decision_tables.aivss.utils import Rule, RuleSet, rules_mapping + + print_dt_version(V1_0_0) + + ruleset = RuleSet( + rules=[ + # Highest severity first + Rule(value=2, value_count=2, outcome=2), + Rule(value=2, value_count=1, outcome=1), + Rule(value=1, value_count=2, outcome=1), + Rule(value=0, value_count=0, outcome=0), + ] + ) + + print(rules_mapping(V1_0_0, ruleset)) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_tables/aivss/predictability_influence.py b/src/ssvc/decision_tables/aivss/predictability_influence.py new file mode 100644 index 00000000..e80d9431 --- /dev/null +++ b/src/ssvc/decision_tables/aivss/predictability_influence.py @@ -0,0 +1,653 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +""" +Provides TODO writeme +""" +from ssvc.decision_points.aivss.base import AIVSS_NS +from ssvc.decision_points.aivss.deceptiveness_potential import ( + DECEPTIVENESS_POTENTIAL_01, +) +from ssvc.decision_points.aivss.non_determinism import NON_DETERMINISM_01 +from ssvc.decision_points.aivss.opacity_reflexivity import ( + OPACITY_REFLEXIVITY_01, +) +from ssvc.decision_points.aivss.predictability_influence import ( + PREDICTABILITY_INFLUENCE_01, +) +from ssvc.decision_points.aivss.verification_capability import ( + VERIFICATION_CAPABILITY_01, +) +from ssvc.decision_tables.base import DecisionTable + +V1_0_0 = DecisionTable( + key="PI", + version="1.0.0", + namespace=AIVSS_NS, + name="Predictability and Influence", + definition="TODO writeme", + decision_points={ + dp.id: dp + for dp in [ + NON_DETERMINISM_01, + OPACITY_REFLEXIVITY_01, + VERIFICATION_CAPABILITY_01, + DECEPTIVENESS_POTENTIAL_01, + PREDICTABILITY_INFLUENCE_01, + ] + }, + outcome=PREDICTABILITY_INFLUENCE_01.id, + mapping=[ + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "V", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O", + }, + ], +) + +VERSIONS = (V1_0_0,) +LATEST = VERSIONS[-1] + + +def main(): + from ssvc.decision_tables.helpers import print_dt_version + from ssvc.decision_tables.aivss.utils import Rule, RuleSet, rules_mapping + + print_dt_version(V1_0_0) + + ruleset = RuleSet( + rules=[ + # Highest severity first + Rule(value=2, value_count=2, outcome=2), + Rule(value=2, value_count=1, outcome=1), + Rule(value=1, value_count=2, outcome=1), + Rule(value=0, value_count=0, outcome=0), + ] + ) + + print(rules_mapping(V1_0_0, ruleset)) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_tables/aivss/utils.py b/src/ssvc/decision_tables/aivss/utils.py new file mode 100644 index 00000000..c4880d1a --- /dev/null +++ b/src/ssvc/decision_tables/aivss/utils.py @@ -0,0 +1,153 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +""" +Provides TODO writeme +""" +import itertools + +from pydantic import BaseModel + +from ssvc.decision_tables.base import DecisionTable + + +class Rule(BaseModel): + """ + Describes a rule for determining an outcome based on decision point values. + Assumes integer indexes of decision point values to simplify matching. + + - value: The decision point value to match. + - value_count: The minimum number of times the value must appear in the combination. + - outcome: The outcome to assign if the rule matches. + """ + + value: int + value_count: int + outcome: int + + +class RuleSet(BaseModel): + """ + A set of rules for determining outcomes based on decision point values. + Always evaluated in order; first match applies. + """ + + rules: list[Rule] + + +_ruleset = RuleSet( + rules=[ + # Highest severity first + Rule(value=2, value_count=2, outcome=2), + Rule(value=2, value_count=1, outcome=1), + Rule(value=1, value_count=2, outcome=1), + Rule(value=0, value_count=0, outcome=0), + ] +) + + +def _get_outcome( + combo: tuple[tuple[int, int], tuple[int, int]], ruleset: RuleSet +) -> int: + """ + Determine the outcome for a given combination of decision point values based on the provided ruleset. + Args: + combo: the combination of decision point values (an integer tuple) + ruleset: the ruleset to evaluate against + + Returns: + The integer outcome value from the first matching rule. + """ + for rule in ruleset.rules: + count = sum(1 for v in combo if v == rule.value) + if count >= rule.value_count: + return rule.outcome + # if you got here, nothing matched + # default outcome is lowest severity + return 0 + + +def _shape_rules( + dt: DecisionTable, ruleset: RuleSet +) -> list[tuple[tuple[int], int]]: + """ + Generate all possible combinations of decision point values and their corresponding outcomes. + + Args: + dt: + + Returns: + + """ + # get the shape of the decision table + value_counts = [ + len(dp.values) + for dp in dt.decision_points.values() + if dp.id != dt.outcome + ] + + combos = [] + outcomes = [] + for combo in itertools.product( + *[list(range(count)) for count in value_counts] + ): + combos.append(combo) + outcomes.append(_get_outcome(combo, ruleset)) + + rows = list(zip(combos, outcomes)) + return rows + + +def rules_mapping( + dt: DecisionTable, ruleset: RuleSet | None = None +) -> list[dict[str, str]]: + + if ruleset is None: + ruleset = _ruleset + + rows = _shape_rules(dt, ruleset) + + dp_value_lookup = [ + {str(i): v.key for i, v in enumerate(dp.values)} + for dp in dt.decision_points.values() + if dp.id != dt.outcome + ] + dp_outcome_lookup = { + str(i): v.key + for i, v in enumerate(dt.decision_points[dt.outcome].values) + } + + mapping_rows = [] + for row in rows: + # translate to keys + inputs = { + dp.id: dp_value_lookup[i][str(v)] + for i, (dp, v) in enumerate( + zip(dt.decision_points.values(), row[0]) + ) + if dp.id != dt.outcome + } + outcome = dp_outcome_lookup[str(row[1])] + mapping_row = dict(inputs) + mapping_row.update({dt.outcome: outcome}) + mapping_rows.append(mapping_row) + + return mapping_rows From f71a98e41ab365dc664a5f3eb924b32dbb0f079c Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 20 Nov 2025 16:27:13 -0500 Subject: [PATCH 02/23] add json to registry --- .../agentic_impact_level_1_0_0.csv | 28 + .../execution_power_1_0_0.csv | 82 + .../predictability_and_influence_1_0_0.csv | 82 + .../agentic_impact_level_1_0_0.json | 25 + .../autonomy_of_action_1_0_0.json | 25 + .../contextual_awareness_1_0_0.json | 25 + .../deceptiveness_potential_1_0_0.json | 25 + .../dynamic_identity_1_0_0.json | 25 + .../environment_adaptation_1_0_0.json | 25 + .../execution_power_1_0_0.json | 25 + .../goal_driven_planning_1_0_0.json | 25 + .../x_org_owasp_aivss/memory_use_1_0_0.json | 25 + .../multi_agent_interactions_1_0_0.json | 25 + .../non_determinism_1_0_0.json | 25 + .../opacity_reflexivity_1_0_0.json | 25 + .../predictability_and_influence_1_0_0.json | 25 + .../self_modification_1_0_0.json | 20 + .../self_modification_1_1_0.json | 25 + .../x_org_owasp_aivss/tool_use_1_0_0.json | 25 + .../verification_capability_1_0_0.json | 25 + .../agentic_impact_level_1_0_0.json | 275 + .../execution_power_1_0_0.json | 705 + .../predictability_and_influence_1_0_0.json | 705 + data/json/ssvc_object_registry.json | 26904 +++++++++------- 24 files changed, 17026 insertions(+), 12175 deletions(-) create mode 100644 data/csv/x_org_owasp_aivss/agentic_impact_level_1_0_0.csv create mode 100644 data/csv/x_org_owasp_aivss/execution_power_1_0_0.csv create mode 100644 data/csv/x_org_owasp_aivss/predictability_and_influence_1_0_0.csv create mode 100644 data/json/decision_points/x_org_owasp_aivss/agentic_impact_level_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/autonomy_of_action_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/contextual_awareness_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/deceptiveness_potential_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/dynamic_identity_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/environment_adaptation_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/execution_power_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/goal_driven_planning_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/memory_use_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/multi_agent_interactions_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/non_determinism_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/opacity_reflexivity_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/predictability_and_influence_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/self_modification_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/self_modification_1_1_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/tool_use_1_0_0.json create mode 100644 data/json/decision_points/x_org_owasp_aivss/verification_capability_1_0_0.json create mode 100644 data/json/decision_tables/x_org_owasp_aivss/agentic_impact_level_1_0_0.json create mode 100644 data/json/decision_tables/x_org_owasp_aivss/execution_power_1_0_0.json create mode 100644 data/json/decision_tables/x_org_owasp_aivss/predictability_and_influence_1_0_0.json diff --git a/data/csv/x_org_owasp_aivss/agentic_impact_level_1_0_0.csv b/data/csv/x_org_owasp_aivss/agentic_impact_level_1_0_0.csv new file mode 100644 index 00000000..a0a4fff4 --- /dev/null +++ b/data/csv/x_org_owasp_aivss/agentic_impact_level_1_0_0.csv @@ -0,0 +1,28 @@ +row,Execution Power v1.0.0 (x_org.owasp#aivss),Environment & Adaptation v1.0.0 (x_org.owasp#aivss),Predictability and Influence v1.0.0 (x_org.owasp#aivss),Agentic Impact Level v1.0.0 (x_org.owasp#aivss) +0,constrained,isolated,verifiable,copilot +1,constrained,isolated,uncertain,copilot +2,constrained,isolated,opaque,specialist +3,constrained,connected,verifiable,copilot +4,constrained,connected,uncertain,specialist +5,constrained,connected,opaque,specialist +6,constrained,pervasive,verifiable,specialist +7,constrained,pervasive,uncertain,specialist +8,constrained,pervasive,opaque,prime mover +9,capable,isolated,verifiable,copilot +10,capable,isolated,uncertain,specialist +11,capable,isolated,opaque,specialist +12,capable,connected,verifiable,specialist +13,capable,connected,uncertain,specialist +14,capable,connected,opaque,specialist +15,capable,pervasive,verifiable,specialist +16,capable,pervasive,uncertain,specialist +17,capable,pervasive,opaque,prime mover +18,high leverage,isolated,verifiable,specialist +19,high leverage,isolated,uncertain,specialist +20,high leverage,isolated,opaque,prime mover +21,high leverage,connected,verifiable,specialist +22,high leverage,connected,uncertain,specialist +23,high leverage,connected,opaque,prime mover +24,high leverage,pervasive,verifiable,prime mover +25,high leverage,pervasive,uncertain,prime mover +26,high leverage,pervasive,opaque,prime mover diff --git a/data/csv/x_org_owasp_aivss/execution_power_1_0_0.csv b/data/csv/x_org_owasp_aivss/execution_power_1_0_0.csv new file mode 100644 index 00000000..05188822 --- /dev/null +++ b/data/csv/x_org_owasp_aivss/execution_power_1_0_0.csv @@ -0,0 +1,82 @@ +row,Autonomy of Action v1.0.0 (x_org.owasp#aivss),Tool Use v1.0.0 (x_org.owasp#aivss),Self-Modification v1.1.0 (x_org.owasp#aivss),Goal-Driven Planning v1.0.0 (x_org.owasp#aivss),Execution Power v1.0.0 (x_org.owasp#aivss) +0,gated,viewer,fixed,reactive,constrained +1,gated,viewer,fixed,assisted,constrained +2,gated,viewer,fixed,autonomous,capable +3,gated,viewer,tunable,reactive,constrained +4,gated,viewer,tunable,assisted,constrained +5,gated,viewer,tunable,autonomous,capable +6,gated,viewer,mutable,reactive,capable +7,gated,viewer,mutable,assisted,capable +8,gated,viewer,mutable,autonomous,high leverage +9,gated,operator,fixed,reactive,constrained +10,gated,operator,fixed,assisted,constrained +11,gated,operator,fixed,autonomous,capable +12,gated,operator,tunable,reactive,constrained +13,gated,operator,tunable,assisted,capable +14,gated,operator,tunable,autonomous,capable +15,gated,operator,mutable,reactive,capable +16,gated,operator,mutable,assisted,capable +17,gated,operator,mutable,autonomous,high leverage +18,gated,administrator,fixed,reactive,capable +19,gated,administrator,fixed,assisted,capable +20,gated,administrator,fixed,autonomous,high leverage +21,gated,administrator,tunable,reactive,capable +22,gated,administrator,tunable,assisted,capable +23,gated,administrator,tunable,autonomous,high leverage +24,gated,administrator,mutable,reactive,high leverage +25,gated,administrator,mutable,assisted,high leverage +26,gated,administrator,mutable,autonomous,high leverage +27,scoped,viewer,fixed,reactive,constrained +28,scoped,viewer,fixed,assisted,constrained +29,scoped,viewer,fixed,autonomous,capable +30,scoped,viewer,tunable,reactive,constrained +31,scoped,viewer,tunable,assisted,capable +32,scoped,viewer,tunable,autonomous,capable +33,scoped,viewer,mutable,reactive,capable +34,scoped,viewer,mutable,assisted,capable +35,scoped,viewer,mutable,autonomous,high leverage +36,scoped,operator,fixed,reactive,constrained +37,scoped,operator,fixed,assisted,capable +38,scoped,operator,fixed,autonomous,capable +39,scoped,operator,tunable,reactive,capable +40,scoped,operator,tunable,assisted,capable +41,scoped,operator,tunable,autonomous,capable +42,scoped,operator,mutable,reactive,capable +43,scoped,operator,mutable,assisted,capable +44,scoped,operator,mutable,autonomous,high leverage +45,scoped,administrator,fixed,reactive,capable +46,scoped,administrator,fixed,assisted,capable +47,scoped,administrator,fixed,autonomous,high leverage +48,scoped,administrator,tunable,reactive,capable +49,scoped,administrator,tunable,assisted,capable +50,scoped,administrator,tunable,autonomous,high leverage +51,scoped,administrator,mutable,reactive,high leverage +52,scoped,administrator,mutable,assisted,high leverage +53,scoped,administrator,mutable,autonomous,high leverage +54,free-running,viewer,fixed,reactive,capable +55,free-running,viewer,fixed,assisted,capable +56,free-running,viewer,fixed,autonomous,high leverage +57,free-running,viewer,tunable,reactive,capable +58,free-running,viewer,tunable,assisted,capable +59,free-running,viewer,tunable,autonomous,high leverage +60,free-running,viewer,mutable,reactive,high leverage +61,free-running,viewer,mutable,assisted,high leverage +62,free-running,viewer,mutable,autonomous,high leverage +63,free-running,operator,fixed,reactive,capable +64,free-running,operator,fixed,assisted,capable +65,free-running,operator,fixed,autonomous,high leverage +66,free-running,operator,tunable,reactive,capable +67,free-running,operator,tunable,assisted,capable +68,free-running,operator,tunable,autonomous,high leverage +69,free-running,operator,mutable,reactive,high leverage +70,free-running,operator,mutable,assisted,high leverage +71,free-running,operator,mutable,autonomous,high leverage +72,free-running,administrator,fixed,reactive,high leverage +73,free-running,administrator,fixed,assisted,high leverage +74,free-running,administrator,fixed,autonomous,high leverage +75,free-running,administrator,tunable,reactive,high leverage +76,free-running,administrator,tunable,assisted,high leverage +77,free-running,administrator,tunable,autonomous,high leverage +78,free-running,administrator,mutable,reactive,high leverage +79,free-running,administrator,mutable,assisted,high leverage +80,free-running,administrator,mutable,autonomous,high leverage diff --git a/data/csv/x_org_owasp_aivss/predictability_and_influence_1_0_0.csv b/data/csv/x_org_owasp_aivss/predictability_and_influence_1_0_0.csv new file mode 100644 index 00000000..4bfe78b0 --- /dev/null +++ b/data/csv/x_org_owasp_aivss/predictability_and_influence_1_0_0.csv @@ -0,0 +1,82 @@ +row,Non-Determinism v1.0.0 (x_org.owasp#aivss),Opacity & Reflexivity v1.0.0 (x_org.owasp#aivss),Verification Capability v1.0.0 (x_org.owasp#aivss),Deceptiveness Potential v1.0.0 (x_org.owasp#aivss),Predictability and Influence v1.0.0 (x_org.owasp#aivss) +0,deterministic,transparent,provable,plain,verifiable +1,deterministic,transparent,provable,fluent,verifiable +2,deterministic,transparent,provable,persuasive,uncertain +3,deterministic,transparent,key invariants verifiable,plain,verifiable +4,deterministic,transparent,key invariants verifiable,fluent,uncertain +5,deterministic,transparent,key invariants verifiable,persuasive,uncertain +6,deterministic,transparent,unverifiable,plain,uncertain +7,deterministic,transparent,unverifiable,fluent,uncertain +8,deterministic,transparent,unverifiable,persuasive,opaque +9,deterministic,fragmented,provable,plain,verifiable +10,deterministic,fragmented,provable,fluent,uncertain +11,deterministic,fragmented,provable,persuasive,uncertain +12,deterministic,fragmented,key invariants verifiable,plain,uncertain +13,deterministic,fragmented,key invariants verifiable,fluent,uncertain +14,deterministic,fragmented,key invariants verifiable,persuasive,uncertain +15,deterministic,fragmented,unverifiable,plain,uncertain +16,deterministic,fragmented,unverifiable,fluent,uncertain +17,deterministic,fragmented,unverifiable,persuasive,opaque +18,deterministic,opaque,provable,plain,uncertain +19,deterministic,opaque,provable,fluent,uncertain +20,deterministic,opaque,provable,persuasive,opaque +21,deterministic,opaque,key invariants verifiable,plain,uncertain +22,deterministic,opaque,key invariants verifiable,fluent,uncertain +23,deterministic,opaque,key invariants verifiable,persuasive,opaque +24,deterministic,opaque,unverifiable,plain,opaque +25,deterministic,opaque,unverifiable,fluent,opaque +26,deterministic,opaque,unverifiable,persuasive,opaque +27,bounded,transparent,provable,plain,verifiable +28,bounded,transparent,provable,fluent,uncertain +29,bounded,transparent,provable,persuasive,uncertain +30,bounded,transparent,key invariants verifiable,plain,uncertain +31,bounded,transparent,key invariants verifiable,fluent,uncertain +32,bounded,transparent,key invariants verifiable,persuasive,uncertain +33,bounded,transparent,unverifiable,plain,uncertain +34,bounded,transparent,unverifiable,fluent,uncertain +35,bounded,transparent,unverifiable,persuasive,opaque +36,bounded,fragmented,provable,plain,uncertain +37,bounded,fragmented,provable,fluent,uncertain +38,bounded,fragmented,provable,persuasive,uncertain +39,bounded,fragmented,key invariants verifiable,plain,uncertain +40,bounded,fragmented,key invariants verifiable,fluent,uncertain +41,bounded,fragmented,key invariants verifiable,persuasive,uncertain +42,bounded,fragmented,unverifiable,plain,uncertain +43,bounded,fragmented,unverifiable,fluent,uncertain +44,bounded,fragmented,unverifiable,persuasive,opaque +45,bounded,opaque,provable,plain,uncertain +46,bounded,opaque,provable,fluent,uncertain +47,bounded,opaque,provable,persuasive,opaque +48,bounded,opaque,key invariants verifiable,plain,uncertain +49,bounded,opaque,key invariants verifiable,fluent,uncertain +50,bounded,opaque,key invariants verifiable,persuasive,opaque +51,bounded,opaque,unverifiable,plain,opaque +52,bounded,opaque,unverifiable,fluent,opaque +53,bounded,opaque,unverifiable,persuasive,opaque +54,high-variance,transparent,provable,plain,uncertain +55,high-variance,transparent,provable,fluent,uncertain +56,high-variance,transparent,provable,persuasive,opaque +57,high-variance,transparent,key invariants verifiable,plain,uncertain +58,high-variance,transparent,key invariants verifiable,fluent,uncertain +59,high-variance,transparent,key invariants verifiable,persuasive,opaque +60,high-variance,transparent,unverifiable,plain,opaque +61,high-variance,transparent,unverifiable,fluent,opaque +62,high-variance,transparent,unverifiable,persuasive,opaque +63,high-variance,fragmented,provable,plain,uncertain +64,high-variance,fragmented,provable,fluent,uncertain +65,high-variance,fragmented,provable,persuasive,opaque +66,high-variance,fragmented,key invariants verifiable,plain,uncertain +67,high-variance,fragmented,key invariants verifiable,fluent,uncertain +68,high-variance,fragmented,key invariants verifiable,persuasive,opaque +69,high-variance,fragmented,unverifiable,plain,opaque +70,high-variance,fragmented,unverifiable,fluent,opaque +71,high-variance,fragmented,unverifiable,persuasive,opaque +72,high-variance,opaque,provable,plain,opaque +73,high-variance,opaque,provable,fluent,opaque +74,high-variance,opaque,provable,persuasive,opaque +75,high-variance,opaque,key invariants verifiable,plain,opaque +76,high-variance,opaque,key invariants verifiable,fluent,opaque +77,high-variance,opaque,key invariants verifiable,persuasive,opaque +78,high-variance,opaque,unverifiable,plain,opaque +79,high-variance,opaque,unverifiable,fluent,opaque +80,high-variance,opaque,unverifiable,persuasive,opaque diff --git a/data/json/decision_points/x_org_owasp_aivss/agentic_impact_level_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/agentic_impact_level_1_0_0.json new file mode 100644 index 00000000..e0cb75fb --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/agentic_impact_level_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "AIL", + "version": "1.0.0", + "name": "Agentic Impact Level", + "definition": "Determines the agentic impact level of a vulnerability based on its characteristics and potential effects.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "CoPilot", + "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." + }, + { + "key": "S", + "name": "Specialist", + "definition": "The agent is a specialist with significant autonomy within a defined domain.It can use powerful tools and may learn from interactions." + }, + { + "key": "P", + "name": "Prime Mover", + "definition": "The agent is a prime mover with broad autonomy. It can orchestrate other systems, modify its own logic, and interact with critical infrastructure." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/autonomy_of_action_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/autonomy_of_action_1_0_0.json new file mode 100644 index 00000000..30f135a1 --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/autonomy_of_action_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "AA", + "version": "1.0.0", + "name": "Autonomy of Action", + "definition": "Determines the autonomy of action level of a vulnerability based on its characteristics and potential effects.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "G", + "name": "Gated", + "definition": "The agent cannot act without human approval." + }, + { + "key": "S", + "name": "Scoped", + "definition": "The agent can act independently but only in tightly bounded spaces." + }, + { + "key": "F", + "name": "Free-Running", + "definition": "The agent can execute actions in live systems without a human in the loop." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/contextual_awareness_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/contextual_awareness_1_0_0.json new file mode 100644 index 00000000..83b9cfbf --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/contextual_awareness_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "CA", + "version": "1.0.0", + "name": "Contextual Awareness", + "definition": "Determines the degree to which an AI system senses and incorporates context from its environment and external signals.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "I", + "name": "Isolated", + "definition": "No external contextual signals." + }, + { + "key": "T", + "name": "Trusted-Signal", + "definition": "Uses only vetted, narrow, structured signals." + }, + { + "key": "A", + "name": "Ambient", + "definition": "Reacts to broad, open-ended environmental signals." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/deceptiveness_potential_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/deceptiveness_potential_1_0_0.json new file mode 100644 index 00000000..ccfe01e3 --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/deceptiveness_potential_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "DP", + "version": "1.0.0", + "name": "Deceptiveness Potential", + "definition": "Assesses the potential for AI-generated vulnerability reports to be deceptive, ranging from plain structured output to highly persuasive content.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "P", + "name": "Plain", + "definition": "Structured, non-persona output." + }, + { + "key": "F", + "name": "Fluent", + "definition": "Natural language output, but not convincingly human." + }, + { + "key": "S", + "name": "Persuasive", + "definition": "Persona mimicry, deepfakes, or social-engineering capability." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/dynamic_identity_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/dynamic_identity_1_0_0.json new file mode 100644 index 00000000..42f10806 --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/dynamic_identity_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "DI", + "version": "1.0.0", + "name": "Dynamic Identity", + "definition": "Describes how an AI system's identity and authorization context may change at runtime, including whether it can assume roles beyond a fixed identity.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "F", + "name": "Fixed", + "definition": "Single, constant identity." + }, + { + "key": "S", + "name": "Scoped Roles", + "definition": "Limited role changes tied to specific tools or contexts." + }, + { + "key": "A", + "name": "Assumed Identity", + "definition": "Cross-tenant, impersonation-like, or elevated role adoption." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/environment_adaptation_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/environment_adaptation_1_0_0.json new file mode 100644 index 00000000..8fc6b4a0 --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/environment_adaptation_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "EA", + "version": "1.0.0", + "name": "Environment & Adaptation", + "definition": "Determines the environment and adaptation level of an AI system based on its context awareness and adaptability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "I", + "name": "Isolated", + "definition": "Operates in a narrow, stable context with no meaningful external awareness. No cross-session memory, multi-agent behavior, or identity changes. Environmental shifts don’t affect behavior unless a human explicitly updates inputs." + }, + { + "key": "C", + "name": "Connected", + "definition": "Uses curated signals, scoped identity roles, or predefined multi-agent patterns to adapt. Environmental changes can influence behavior, but only within controlled, auditable bounds." + }, + { + "key": "P", + "name": "Pervasive", + "definition": "Continuously adapts to broad, dynamic environmental inputs and multi-agent activity. Identity, memory, and context can shift fluidly, creating emergent behavior. Environmental variation can substantially redirect or amplify its actions." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/execution_power_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/execution_power_1_0_0.json new file mode 100644 index 00000000..2f72b903 --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/execution_power_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "EP", + "version": "1.0.0", + "name": "Execution Power", + "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "Constrained", + "definition": "The AI agent has limited execution power, restricting its ability to perform actions autonomously or interact with external systems." + }, + { + "key": "CA", + "name": "Capable", + "definition": "The AI agent has moderate execution power, allowing it to perform certain actions autonomously and interact with external systems under supervision." + }, + { + "key": "H", + "name": "High Leverage", + "definition": "The AI agent has extensive execution power, enabling it to perform actions autonomously and interact with external systems with minimal supervision." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/goal_driven_planning_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/goal_driven_planning_1_0_0.json new file mode 100644 index 00000000..fffc9fd0 --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/goal_driven_planning_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "GDP", + "version": "1.0.0", + "name": "Goal-Driven Planning", + "definition": "Determines the goal-driven planning capabilities of an AI agent based on its ability to plan and execute actions over multiple steps.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "R", + "name": "Reactive", + "definition": "The agent can only respond to immediate inputs without planning." + }, + { + "key": "A", + "name": "Assisted", + "definition": "The agent can plan multiple steps ahead but requires human execution or approval." + }, + { + "key": "U", + "name": "Autonomous", + "definition": "The agent can plan and execute multiple steps independently." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/memory_use_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/memory_use_1_0_0.json new file mode 100644 index 00000000..03ee1b8c --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/memory_use_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "MU", + "version": "1.0.0", + "name": "Memory Use", + "definition": "Determines the memory use level of an AI system based on its persistence and recall capabilities.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "S", + "name": "Stateless", + "definition": "No persistence beyond the current interaction." + }, + { + "key": "L", + "name": "Local Recall", + "definition": "Remembers within a session or user context." + }, + { + "key": "M", + "name": "Shared Memory", + "definition": "Persistent state across sessions, tasks, or teams." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/multi_agent_interactions_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/multi_agent_interactions_1_0_0.json new file mode 100644 index 00000000..4cc64116 --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/multi_agent_interactions_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "MAI", + "version": "1.0.0", + "name": "Multi-Agent Interactions", + "definition": "Characterizes how, and how flexibly, an AI system coordinates with other agents or services.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "S", + "name": "Solo", + "definition": "Operates alone; no coordination." + }, + { + "key": "R", + "name": "Scripted", + "definition": "Interacts through predefined handoffs or protocols." + }, + { + "key": "O", + "name": "Orchestrated", + "definition": "Dynamic teaming, swarms, emergent behavior, or markets." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/non_determinism_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/non_determinism_1_0_0.json new file mode 100644 index 00000000..e524eda5 --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/non_determinism_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "ND", + "version": "1.0.0", + "name": "Non-Determinism", + "definition": "Describes variability of system outputs across repeated executions.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "D", + "name": "Deterministic", + "definition": "Stable outputs; no randomness." + }, + { + "key": "B", + "name": "Bounded", + "definition": "Controlled variance within predictable limits." + }, + { + "key": "H", + "name": "High-Variance", + "definition": "Broad or unstable behavioral range." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/opacity_reflexivity_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/opacity_reflexivity_1_0_0.json new file mode 100644 index 00000000..5ef7c240 --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/opacity_reflexivity_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "OR", + "version": "1.0.0", + "name": "Opacity & Reflexivity", + "definition": "Captures how observable and explainable the internal reasoning and adaptation cycle is.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "T", + "name": "Transparent", + "definition": "Full logs and traceable reasoning." + }, + { + "key": "F", + "name": "Fragmented", + "definition": "Partial visibility; some steps hidden." + }, + { + "key": "O", + "name": "Opaque", + "definition": "Black-box behavior; internal process not observable." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/predictability_and_influence_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/predictability_and_influence_1_0_0.json new file mode 100644 index 00000000..466caed1 --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/predictability_and_influence_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "PI", + "version": "1.0.0", + "name": "Predictability and Influence", + "definition": "TODO writeme", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "V", + "name": "Verifiable", + "definition": "Behavior is traceable, reproducible, and backed by strong logging or proofs. Outputs align with clear rules, and any action can be independently checked. Unexpected deviations are rare and easy to diagnose." + }, + { + "key": "U", + "name": "Uncertain", + "definition": "Behavior is generally well-structured but can deviate within known bounds. Some reasoning steps or interactions lack full visibility, making verification partial. Issues may be diagnosable but require effort or contextual reconstruction." + }, + { + "key": "O", + "name": "Opaque", + "definition": "Behavior is highly variable, difficult to trace, and resistant to verification. Key reasoning paths, external influences, or interactions are hidden or unpredictable. Actions may appear coherent but cannot be reliably reproduced or audited." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/self_modification_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/self_modification_1_0_0.json new file mode 100644 index 00000000..b7fe0055 --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/self_modification_1_0_0.json @@ -0,0 +1,20 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "SM", + "version": "1.0.0", + "name": "Self-Modification", + "definition": "Determines the self-modification capabilities of an AI agent based on its ability to alter its own code, configuration, or behavior.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "F", + "name": "Fixed", + "definition": "The agent cannot modify its own code, configuration, or behavior." + }, + { + "key": "M", + "name": "Mutable", + "definition": "The agent can modify its own code, configuration, or behavior." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/self_modification_1_1_0.json b/data/json/decision_points/x_org_owasp_aivss/self_modification_1_1_0.json new file mode 100644 index 00000000..e4e8864f --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/self_modification_1_1_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "SM", + "version": "1.1.0", + "name": "Self-Modification", + "definition": "Determines the self-modification capabilities of an AI agent based on its ability to alter its own code, configuration, or behavior.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "F", + "name": "Fixed", + "definition": "The agent cannot modify its own code, configuration, or behavior." + }, + { + "key": "T", + "name": "Tunable", + "definition": "The agent can modify its configuration or prompts but not its core code or behavior." + }, + { + "key": "M", + "name": "Mutable", + "definition": "The agent can modify its own code, configuration, or behavior." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/tool_use_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/tool_use_1_0_0.json new file mode 100644 index 00000000..82f550fb --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/tool_use_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "TU", + "version": "1.0.0", + "name": "Tool Use", + "definition": "Determines the tool use level of an AI agent based on its capabilities to interact with systems.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "V", + "name": "Viewer", + "definition": "The agent can only read and analyze information without making any changes." + }, + { + "key": "O", + "name": "Operator", + "definition": "The agent can make changes within a controlled environment, such as test systems or local files." + }, + { + "key": "A", + "name": "Administrator", + "definition": "The agent has full control and can make changes to privileged systems, including production environments." + } + ] +} diff --git a/data/json/decision_points/x_org_owasp_aivss/verification_capability_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/verification_capability_1_0_0.json new file mode 100644 index 00000000..dc4c99bc --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/verification_capability_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "VC", + "version": "1.0.0", + "name": "Verification Capability", + "definition": "Indicates whether the system’s critical properties can be formally or practically verified.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "P", + "name": "Provable", + "definition": "Critical safety or correctness invariants can be verified." + }, + { + "key": "K", + "name": "Key Invariants Verifiable", + "definition": "Some critical properties can be verified, but not all." + }, + { + "key": "U", + "name": "Unverifiable", + "definition": "Cannot prove correctness or invariants in practice." + } + ] +} diff --git a/data/json/decision_tables/x_org_owasp_aivss/agentic_impact_level_1_0_0.json b/data/json/decision_tables/x_org_owasp_aivss/agentic_impact_level_1_0_0.json new file mode 100644 index 00000000..85c70832 --- /dev/null +++ b/data/json/decision_tables/x_org_owasp_aivss/agentic_impact_level_1_0_0.json @@ -0,0 +1,275 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "DT_AIL", + "version": "1.0.0", + "name": "Agentic Impact Level", + "definition": "TODO writeme", + "schemaVersion": "2.0.0", + "decision_points": { + "x_org.owasp#aivss:EP:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "EP", + "version": "1.0.0", + "name": "Execution Power", + "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "Constrained", + "definition": "The AI agent has limited execution power, restricting its ability to perform actions autonomously or interact with external systems." + }, + { + "key": "CA", + "name": "Capable", + "definition": "The AI agent has moderate execution power, allowing it to perform certain actions autonomously and interact with external systems under supervision." + }, + { + "key": "H", + "name": "High Leverage", + "definition": "The AI agent has extensive execution power, enabling it to perform actions autonomously and interact with external systems with minimal supervision." + } + ] + }, + "x_org.owasp#aivss:EA:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "EA", + "version": "1.0.0", + "name": "Environment & Adaptation", + "definition": "Determines the environment and adaptation level of an AI system based on its context awareness and adaptability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "I", + "name": "Isolated", + "definition": "Operates in a narrow, stable context with no meaningful external awareness. No cross-session memory, multi-agent behavior, or identity changes. Environmental shifts don’t affect behavior unless a human explicitly updates inputs." + }, + { + "key": "C", + "name": "Connected", + "definition": "Uses curated signals, scoped identity roles, or predefined multi-agent patterns to adapt. Environmental changes can influence behavior, but only within controlled, auditable bounds." + }, + { + "key": "P", + "name": "Pervasive", + "definition": "Continuously adapts to broad, dynamic environmental inputs and multi-agent activity. Identity, memory, and context can shift fluidly, creating emergent behavior. Environmental variation can substantially redirect or amplify its actions." + } + ] + }, + "x_org.owasp#aivss:PI:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "PI", + "version": "1.0.0", + "name": "Predictability and Influence", + "definition": "TODO writeme", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "V", + "name": "Verifiable", + "definition": "Behavior is traceable, reproducible, and backed by strong logging or proofs. Outputs align with clear rules, and any action can be independently checked. Unexpected deviations are rare and easy to diagnose." + }, + { + "key": "U", + "name": "Uncertain", + "definition": "Behavior is generally well-structured but can deviate within known bounds. Some reasoning steps or interactions lack full visibility, making verification partial. Issues may be diagnosable but require effort or contextual reconstruction." + }, + { + "key": "O", + "name": "Opaque", + "definition": "Behavior is highly variable, difficult to trace, and resistant to verification. Key reasoning paths, external influences, or interactions are hidden or unpredictable. Actions may appear coherent but cannot be reliably reproduced or audited." + } + ] + }, + "x_org.owasp#aivss:AIL:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "AIL", + "version": "1.0.0", + "name": "Agentic Impact Level", + "definition": "Determines the agentic impact level of a vulnerability based on its characteristics and potential effects.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "CoPilot", + "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." + }, + { + "key": "S", + "name": "Specialist", + "definition": "The agent is a specialist with significant autonomy within a defined domain.It can use powerful tools and may learn from interactions." + }, + { + "key": "P", + "name": "Prime Mover", + "definition": "The agent is a prime mover with broad autonomy. It can orchestrate other systems, modify its own logic, and interact with critical infrastructure." + } + ] + } + }, + "outcome": "x_org.owasp#aivss:AIL:1.0.0", + "mapping": [ + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "C" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "C" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "C" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "C" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "P" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "P" + }, + { + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P" + } + ] +} diff --git a/data/json/decision_tables/x_org_owasp_aivss/execution_power_1_0_0.json b/data/json/decision_tables/x_org_owasp_aivss/execution_power_1_0_0.json new file mode 100644 index 00000000..00d6ee3e --- /dev/null +++ b/data/json/decision_tables/x_org_owasp_aivss/execution_power_1_0_0.json @@ -0,0 +1,705 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "DT_EP", + "version": "1.0.0", + "name": "Execution Power", + "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", + "schemaVersion": "2.0.0", + "decision_points": { + "x_org.owasp#aivss:AA:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "AA", + "version": "1.0.0", + "name": "Autonomy of Action", + "definition": "Determines the autonomy of action level of a vulnerability based on its characteristics and potential effects.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "G", + "name": "Gated", + "definition": "The agent cannot act without human approval." + }, + { + "key": "S", + "name": "Scoped", + "definition": "The agent can act independently but only in tightly bounded spaces." + }, + { + "key": "F", + "name": "Free-Running", + "definition": "The agent can execute actions in live systems without a human in the loop." + } + ] + }, + "x_org.owasp#aivss:TU:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "TU", + "version": "1.0.0", + "name": "Tool Use", + "definition": "Determines the tool use level of an AI agent based on its capabilities to interact with systems.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "V", + "name": "Viewer", + "definition": "The agent can only read and analyze information without making any changes." + }, + { + "key": "O", + "name": "Operator", + "definition": "The agent can make changes within a controlled environment, such as test systems or local files." + }, + { + "key": "A", + "name": "Administrator", + "definition": "The agent has full control and can make changes to privileged systems, including production environments." + } + ] + }, + "x_org.owasp#aivss:SM:1.1.0": { + "namespace": "x_org.owasp#aivss", + "key": "SM", + "version": "1.1.0", + "name": "Self-Modification", + "definition": "Determines the self-modification capabilities of an AI agent based on its ability to alter its own code, configuration, or behavior.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "F", + "name": "Fixed", + "definition": "The agent cannot modify its own code, configuration, or behavior." + }, + { + "key": "T", + "name": "Tunable", + "definition": "The agent can modify its configuration or prompts but not its core code or behavior." + }, + { + "key": "M", + "name": "Mutable", + "definition": "The agent can modify its own code, configuration, or behavior." + } + ] + }, + "x_org.owasp#aivss:GDP:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "GDP", + "version": "1.0.0", + "name": "Goal-Driven Planning", + "definition": "Determines the goal-driven planning capabilities of an AI agent based on its ability to plan and execute actions over multiple steps.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "R", + "name": "Reactive", + "definition": "The agent can only respond to immediate inputs without planning." + }, + { + "key": "A", + "name": "Assisted", + "definition": "The agent can plan multiple steps ahead but requires human execution or approval." + }, + { + "key": "U", + "name": "Autonomous", + "definition": "The agent can plan and execute multiple steps independently." + } + ] + }, + "x_org.owasp#aivss:EP:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "EP", + "version": "1.0.0", + "name": "Execution Power", + "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "Constrained", + "definition": "The AI agent has limited execution power, restricting its ability to perform actions autonomously or interact with external systems." + }, + { + "key": "CA", + "name": "Capable", + "definition": "The AI agent has moderate execution power, allowing it to perform certain actions autonomously and interact with external systems under supervision." + }, + { + "key": "H", + "name": "High Leverage", + "definition": "The AI agent has extensive execution power, enabling it to perform actions autonomously and interact with external systems with minimal supervision." + } + ] + } + }, + "outcome": "x_org.owasp#aivss:EP:1.0.0", + "mapping": [ + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + } + ] +} diff --git a/data/json/decision_tables/x_org_owasp_aivss/predictability_and_influence_1_0_0.json b/data/json/decision_tables/x_org_owasp_aivss/predictability_and_influence_1_0_0.json new file mode 100644 index 00000000..73720c1c --- /dev/null +++ b/data/json/decision_tables/x_org_owasp_aivss/predictability_and_influence_1_0_0.json @@ -0,0 +1,705 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "DT_PI", + "version": "1.0.0", + "name": "Predictability and Influence", + "definition": "TODO writeme", + "schemaVersion": "2.0.0", + "decision_points": { + "x_org.owasp#aivss:ND:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "ND", + "version": "1.0.0", + "name": "Non-Determinism", + "definition": "Describes variability of system outputs across repeated executions.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "D", + "name": "Deterministic", + "definition": "Stable outputs; no randomness." + }, + { + "key": "B", + "name": "Bounded", + "definition": "Controlled variance within predictable limits." + }, + { + "key": "H", + "name": "High-Variance", + "definition": "Broad or unstable behavioral range." + } + ] + }, + "x_org.owasp#aivss:OR:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "OR", + "version": "1.0.0", + "name": "Opacity & Reflexivity", + "definition": "Captures how observable and explainable the internal reasoning and adaptation cycle is.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "T", + "name": "Transparent", + "definition": "Full logs and traceable reasoning." + }, + { + "key": "F", + "name": "Fragmented", + "definition": "Partial visibility; some steps hidden." + }, + { + "key": "O", + "name": "Opaque", + "definition": "Black-box behavior; internal process not observable." + } + ] + }, + "x_org.owasp#aivss:VC:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "VC", + "version": "1.0.0", + "name": "Verification Capability", + "definition": "Indicates whether the system’s critical properties can be formally or practically verified.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "P", + "name": "Provable", + "definition": "Critical safety or correctness invariants can be verified." + }, + { + "key": "K", + "name": "Key Invariants Verifiable", + "definition": "Some critical properties can be verified, but not all." + }, + { + "key": "U", + "name": "Unverifiable", + "definition": "Cannot prove correctness or invariants in practice." + } + ] + }, + "x_org.owasp#aivss:DP:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "DP", + "version": "1.0.0", + "name": "Deceptiveness Potential", + "definition": "Assesses the potential for AI-generated vulnerability reports to be deceptive, ranging from plain structured output to highly persuasive content.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "P", + "name": "Plain", + "definition": "Structured, non-persona output." + }, + { + "key": "F", + "name": "Fluent", + "definition": "Natural language output, but not convincingly human." + }, + { + "key": "S", + "name": "Persuasive", + "definition": "Persona mimicry, deepfakes, or social-engineering capability." + } + ] + }, + "x_org.owasp#aivss:PI:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "PI", + "version": "1.0.0", + "name": "Predictability and Influence", + "definition": "TODO writeme", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "V", + "name": "Verifiable", + "definition": "Behavior is traceable, reproducible, and backed by strong logging or proofs. Outputs align with clear rules, and any action can be independently checked. Unexpected deviations are rare and easy to diagnose." + }, + { + "key": "U", + "name": "Uncertain", + "definition": "Behavior is generally well-structured but can deviate within known bounds. Some reasoning steps or interactions lack full visibility, making verification partial. Issues may be diagnosable but require effort or contextual reconstruction." + }, + { + "key": "O", + "name": "Opaque", + "definition": "Behavior is highly variable, difficult to trace, and resistant to verification. Key reasoning paths, external influences, or interactions are hidden or unpredictable. Actions may appear coherent but cannot be reliably reproduced or audited." + } + ] + } + }, + "outcome": "x_org.owasp#aivss:PI:1.0.0", + "mapping": [ + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "V" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + } + ] +} diff --git a/data/json/ssvc_object_registry.json b/data/json/ssvc_object_registry.json index da406f0e..2a2919d5 100644 --- a/data/json/ssvc_object_registry.json +++ b/data/json/ssvc_object_registry.json @@ -6,919 +6,839 @@ "DecisionPoint": { "type": "DecisionPoint", "namespaces": { - "basic": { - "namespace": "basic", + "x_org.owasp#aivss": { + "namespace": "x_org.owasp#aivss", "keys": { - "BP": { - "key": "BP", + "AIL": { + "key": "AIL", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "basic", - "key": "BP", + "namespace": "x_org.owasp#aivss", + "key": "AIL", "version": "1.0.0", - "name": "Boundary Proximity", - "definition": "Indicates whether another value is near a boundary condition, indicating that special consideration may be needed.", + "name": "Agentic Impact Level", + "definition": "Determines the agentic impact level of a vulnerability based on its characteristics and potential effects.", "schemaVersion": "2.0.0", "values": [ { - "key": "NN", - "name": "Not Near Boundary", - "definition": "The value is not near a boundary condition" + "key": "C", + "name": "CoPilot", + "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." }, { - "key": "JA", - "name": "Just Above Boundary", - "definition": "The value is just above a boundary condition" + "key": "S", + "name": "Specialist", + "definition": "The agent is a specialist with significant autonomy within a defined domain.It can use powerful tools and may learn from interactions." }, { - "key": "JB", - "name": "Just Below Boundary", - "definition": "The value is just below a boundary condition" + "key": "P", + "name": "Prime Mover", + "definition": "The agent is a prime mover with broad autonomy. It can orchestrate other systems, modify its own logic, and interact with critical infrastructure." } ] }, "values": { - "NN": { - "key": "NN", - "name": "Not Near Boundary", - "definition": "The value is not near a boundary condition" + "C": { + "key": "C", + "name": "CoPilot", + "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." }, - "JA": { - "key": "JA", - "name": "Just Above Boundary", - "definition": "The value is just above a boundary condition" + "S": { + "key": "S", + "name": "Specialist", + "definition": "The agent is a specialist with significant autonomy within a defined domain.It can use powerful tools and may learn from interactions." }, - "JB": { - "key": "JB", - "name": "Just Below Boundary", - "definition": "The value is just below a boundary condition" + "P": { + "key": "P", + "name": "Prime Mover", + "definition": "The agent is a prime mover with broad autonomy. It can orchestrate other systems, modify its own logic, and interact with critical infrastructure." } } } } }, - "CIS_WEP": { - "key": "CIS_WEP", + "AA": { + "key": "AA", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "basic", - "key": "CIS_WEP", + "namespace": "x_org.owasp#aivss", + "key": "AA", "version": "1.0.0", - "name": "CIS-CTI Words of Estimative Probability", - "definition": "A scale for expressing the likelihood of an event or outcome.", + "name": "Autonomy of Action", + "definition": "Determines the autonomy of action level of a vulnerability based on its characteristics and potential effects.", "schemaVersion": "2.0.0", "values": [ { - "key": "ANC", - "name": "Almost No Chance", - "definition": "Probability < 0.05. Almost no chance, remote" - }, - { - "key": "VU", - "name": "Very Unlikely", - "definition": "0.05 <= Probability < 0.20. Very unlikely, highly improbable." - }, - { - "key": "U", - "name": "Unlikely", - "definition": "0.20 <= Probability < 0.45. Unlikely, improbable." - }, - { - "key": "REC", - "name": "Roughly Even Chance", - "definition": "0.45 <= Probability < 0.55. Roughly even chance, roughly even odds." - }, - { - "key": "L", - "name": "Likely", - "definition": "0.55 <= Probability < 0.80. Likely, probable." + "key": "G", + "name": "Gated", + "definition": "The agent cannot act without human approval." }, { - "key": "VL", - "name": "Very Likely", - "definition": "0.80 <= Probability < 0.95. Very likely, highly probable." + "key": "S", + "name": "Scoped", + "definition": "The agent can act independently but only in tightly bounded spaces." }, { - "key": "AC", - "name": "Almost Certain", - "definition": "0.95 <= Probability. Almost certain, nearly certain." + "key": "F", + "name": "Free-Running", + "definition": "The agent can execute actions in live systems without a human in the loop." } ] }, "values": { - "ANC": { - "key": "ANC", - "name": "Almost No Chance", - "definition": "Probability < 0.05. Almost no chance, remote" - }, - "VU": { - "key": "VU", - "name": "Very Unlikely", - "definition": "0.05 <= Probability < 0.20. Very unlikely, highly improbable." - }, - "U": { - "key": "U", - "name": "Unlikely", - "definition": "0.20 <= Probability < 0.45. Unlikely, improbable." - }, - "REC": { - "key": "REC", - "name": "Roughly Even Chance", - "definition": "0.45 <= Probability < 0.55. Roughly even chance, roughly even odds." - }, - "L": { - "key": "L", - "name": "Likely", - "definition": "0.55 <= Probability < 0.80. Likely, probable." + "G": { + "key": "G", + "name": "Gated", + "definition": "The agent cannot act without human approval." }, - "VL": { - "key": "VL", - "name": "Very Likely", - "definition": "0.80 <= Probability < 0.95. Very likely, highly probable." + "S": { + "key": "S", + "name": "Scoped", + "definition": "The agent can act independently but only in tightly bounded spaces." }, - "AC": { - "key": "AC", - "name": "Almost Certain", - "definition": "0.95 <= Probability. Almost certain, nearly certain." + "F": { + "key": "F", + "name": "Free-Running", + "definition": "The agent can execute actions in live systems without a human in the loop." } } } } }, - "P_5A": { - "key": "P_5A", + "CA": { + "key": "CA", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "basic", - "key": "P_5A", + "namespace": "x_org.owasp#aivss", + "key": "CA", "version": "1.0.0", - "name": "Probability Scale in 5 equal levels, ascending", - "definition": "A probability scale with 20% increments", + "name": "Contextual Awareness", + "definition": "Determines the degree to which an AI system senses and incorporates context from its environment and external signals.", "schemaVersion": "2.0.0", "values": [ { - "key": "P0_20", - "name": "Less than 20%", - "definition": "Probability < 0.2" - }, - { - "key": "P20_40", - "name": "20% to 40%", - "definition": "0.2 <= Probability < 0.4" - }, - { - "key": "P40_60", - "name": "40% to 60%", - "definition": "0.4 <= Probability < 0.6" + "key": "I", + "name": "Isolated", + "definition": "No external contextual signals." }, { - "key": "P60_80", - "name": "60% to 80%", - "definition": "0.6 <= Probability < 0.8" + "key": "T", + "name": "Trusted-Signal", + "definition": "Uses only vetted, narrow, structured signals." }, { - "key": "P80_100", - "name": "Greater than 80%", - "definition": "0.8 <= Probability <= 1.0" + "key": "A", + "name": "Ambient", + "definition": "Reacts to broad, open-ended environmental signals." } ] }, "values": { - "P0_20": { - "key": "P0_20", - "name": "Less than 20%", - "definition": "Probability < 0.2" - }, - "P20_40": { - "key": "P20_40", - "name": "20% to 40%", - "definition": "0.2 <= Probability < 0.4" - }, - "P40_60": { - "key": "P40_60", - "name": "40% to 60%", - "definition": "0.4 <= Probability < 0.6" + "I": { + "key": "I", + "name": "Isolated", + "definition": "No external contextual signals." }, - "P60_80": { - "key": "P60_80", - "name": "60% to 80%", - "definition": "0.6 <= Probability < 0.8" + "T": { + "key": "T", + "name": "Trusted-Signal", + "definition": "Uses only vetted, narrow, structured signals." }, - "P80_100": { - "key": "P80_100", - "name": "Greater than 80%", - "definition": "0.8 <= Probability <= 1.0" + "A": { + "key": "A", + "name": "Ambient", + "definition": "Reacts to broad, open-ended environmental signals." } } } } }, - "P_5W": { - "key": "P_5W", + "DP": { + "key": "DP", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "basic", - "key": "P_5W", + "namespace": "x_org.owasp#aivss", + "key": "DP", "version": "1.0.0", - "name": "Probability Scale in 5 weighted levels, ascending", - "definition": "A probability scale with higher resolution as probability increases", + "name": "Deceptiveness Potential", + "definition": "Assesses the potential for AI-generated vulnerability reports to be deceptive, ranging from plain structured output to highly persuasive content.", "schemaVersion": "2.0.0", "values": [ { - "key": "P0_30", - "name": "Less than 30%", - "definition": "Probability < 0.3" - }, - { - "key": "P30_55", - "name": "30% to 55%", - "definition": "0.3 <= Probability < 0.55" - }, - { - "key": "P55_75", - "name": "55% to 75%", - "definition": "0.55 <= Probability < 0.75" + "key": "P", + "name": "Plain", + "definition": "Structured, non-persona output." }, { - "key": "P75_90", - "name": "75% to 90%", - "definition": "0.75 <= Probability < 0.9" + "key": "F", + "name": "Fluent", + "definition": "Natural language output, but not convincingly human." }, { - "key": "P90_100", - "name": "Greater than 90%", - "definition": "0.9 <= Probability <= 1.0" + "key": "S", + "name": "Persuasive", + "definition": "Persona mimicry, deepfakes, or social-engineering capability." } ] }, "values": { - "P0_30": { - "key": "P0_30", - "name": "Less than 30%", - "definition": "Probability < 0.3" - }, - "P30_55": { - "key": "P30_55", - "name": "30% to 55%", - "definition": "0.3 <= Probability < 0.55" - }, - "P55_75": { - "key": "P55_75", - "name": "55% to 75%", - "definition": "0.55 <= Probability < 0.75" + "P": { + "key": "P", + "name": "Plain", + "definition": "Structured, non-persona output." }, - "P75_90": { - "key": "P75_90", - "name": "75% to 90%", - "definition": "0.75 <= Probability < 0.9" + "F": { + "key": "F", + "name": "Fluent", + "definition": "Natural language output, but not convincingly human." }, - "P90_100": { - "key": "P90_100", - "name": "Greater than 90%", - "definition": "0.9 <= Probability <= 1.0" + "S": { + "key": "S", + "name": "Persuasive", + "definition": "Persona mimicry, deepfakes, or social-engineering capability." } } } } }, - "P_2A": { - "key": "P_2A", + "DI": { + "key": "DI", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "basic", - "key": "P_2A", + "namespace": "x_org.owasp#aivss", + "key": "DI", "version": "1.0.0", - "name": "Probability Scale in 2 equal levels, ascending", - "definition": "A probability scale that divides between less than 50% and greater than or equal to 50%", + "name": "Dynamic Identity", + "definition": "Describes how an AI system's identity and authorization context may change at runtime, including whether it can assume roles beyond a fixed identity.", "schemaVersion": "2.0.0", "values": [ { - "key": "LT50", - "name": "Less than 50%", - "definition": "0.0 <= Probability < 0.5" + "key": "F", + "name": "Fixed", + "definition": "Single, constant identity." }, { - "key": "GT50", - "name": "Greater than 50%", - "definition": "0.5 <= Probability <= 1.0" + "key": "S", + "name": "Scoped Roles", + "definition": "Limited role changes tied to specific tools or contexts." + }, + { + "key": "A", + "name": "Assumed Identity", + "definition": "Cross-tenant, impersonation-like, or elevated role adoption." } ] }, "values": { - "LT50": { - "key": "LT50", - "name": "Less than 50%", - "definition": "0.0 <= Probability < 0.5" + "F": { + "key": "F", + "name": "Fixed", + "definition": "Single, constant identity." }, - "GT50": { - "key": "GT50", - "name": "Greater than 50%", - "definition": "0.5 <= Probability <= 1.0" - } - } - } + "S": { + "key": "S", + "name": "Scoped Roles", + "definition": "Limited role changes tied to specific tools or contexts." + }, + "A": { + "key": "A", + "name": "Assumed Identity", + "definition": "Cross-tenant, impersonation-like, or elevated role adoption." + } + } + } } }, - "MEDIAN": { - "key": "MEDIAN", + "EA": { + "key": "EA", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "basic", - "key": "MEDIAN", + "namespace": "x_org.owasp#aivss", + "key": "EA", "version": "1.0.0", - "name": "Median Split", - "definition": "A median split divides a distribution into two equal parts, with 50% of the values falling below the median and 50% above it.", + "name": "Environment & Adaptation", + "definition": "Determines the environment and adaptation level of an AI system based on its context awareness and adaptability.", "schemaVersion": "2.0.0", "values": [ { - "key": "B", - "name": "Below Median", - "definition": "Quantile < 0.50. The lower half of the range of possible values." + "key": "I", + "name": "Isolated", + "definition": "Operates in a narrow, stable context with no meaningful external awareness. No cross-session memory, multi-agent behavior, or identity changes. Environmental shifts don’t affect behavior unless a human explicitly updates inputs." }, { - "key": "A", - "name": "Above Median", - "definition": "0.50 <= Quantile <= 1.0. The upper half of the range of possible values." + "key": "C", + "name": "Connected", + "definition": "Uses curated signals, scoped identity roles, or predefined multi-agent patterns to adapt. Environmental changes can influence behavior, but only within controlled, auditable bounds." + }, + { + "key": "P", + "name": "Pervasive", + "definition": "Continuously adapts to broad, dynamic environmental inputs and multi-agent activity. Identity, memory, and context can shift fluidly, creating emergent behavior. Environmental variation can substantially redirect or amplify its actions." } ] }, "values": { - "B": { - "key": "B", - "name": "Below Median", - "definition": "Quantile < 0.50. The lower half of the range of possible values." + "I": { + "key": "I", + "name": "Isolated", + "definition": "Operates in a narrow, stable context with no meaningful external awareness. No cross-session memory, multi-agent behavior, or identity changes. Environmental shifts don’t affect behavior unless a human explicitly updates inputs." }, - "A": { - "key": "A", - "name": "Above Median", - "definition": "0.50 <= Quantile <= 1.0. The upper half of the range of possible values." + "C": { + "key": "C", + "name": "Connected", + "definition": "Uses curated signals, scoped identity roles, or predefined multi-agent patterns to adapt. Environmental changes can influence behavior, but only within controlled, auditable bounds." + }, + "P": { + "key": "P", + "name": "Pervasive", + "definition": "Continuously adapts to broad, dynamic environmental inputs and multi-agent activity. Identity, memory, and context can shift fluidly, creating emergent behavior. Environmental variation can substantially redirect or amplify its actions." } } } } }, - "QUARTILES": { - "key": "QUARTILES", + "EP": { + "key": "EP", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "basic", - "key": "QUARTILES", + "namespace": "x_org.owasp#aivss", + "key": "EP", "version": "1.0.0", - "name": "Quartiles", - "definition": "A quartile is one of four equal groups that a population can be divided into according to the distribution of values of a particular variable.", + "name": "Execution Power", + "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", "schemaVersion": "2.0.0", "values": [ { - "key": "Q1", - "name": "First Quartile", - "definition": "Quantile < 0.25. The lowest 25% of the range of possible values." - }, - { - "key": "Q2", - "name": "Second Quartile", - "definition": "0.25 <= Quantile < 0.50. The second lowest 25% of the range of possible values." + "key": "C", + "name": "Constrained", + "definition": "The AI agent has limited execution power, restricting its ability to perform actions autonomously or interact with external systems." }, { - "key": "Q3", - "name": "Third Quartile", - "definition": "0.50 <= Quantile < 0.75. The second highest 25% of the range of possible values." + "key": "CA", + "name": "Capable", + "definition": "The AI agent has moderate execution power, allowing it to perform certain actions autonomously and interact with external systems under supervision." }, { - "key": "Q4", - "name": "Fourth Quartile", - "definition": "0.75 <= Quantile <= 1.0. The highest 25% of the range of possible values." + "key": "H", + "name": "High Leverage", + "definition": "The AI agent has extensive execution power, enabling it to perform actions autonomously and interact with external systems with minimal supervision." } ] }, "values": { - "Q1": { - "key": "Q1", - "name": "First Quartile", - "definition": "Quantile < 0.25. The lowest 25% of the range of possible values." - }, - "Q2": { - "key": "Q2", - "name": "Second Quartile", - "definition": "0.25 <= Quantile < 0.50. The second lowest 25% of the range of possible values." + "C": { + "key": "C", + "name": "Constrained", + "definition": "The AI agent has limited execution power, restricting its ability to perform actions autonomously or interact with external systems." }, - "Q3": { - "key": "Q3", - "name": "Third Quartile", - "definition": "0.50 <= Quantile < 0.75. The second highest 25% of the range of possible values." + "CA": { + "key": "CA", + "name": "Capable", + "definition": "The AI agent has moderate execution power, allowing it to perform certain actions autonomously and interact with external systems under supervision." }, - "Q4": { - "key": "Q4", - "name": "Fourth Quartile", - "definition": "0.75 <= Quantile <= 1.0. The highest 25% of the range of possible values." + "H": { + "key": "H", + "name": "High Leverage", + "definition": "The AI agent has extensive execution power, enabling it to perform actions autonomously and interact with external systems with minimal supervision." } } } } }, - "QUINTILES": { - "key": "QUINTILES", + "GDP": { + "key": "GDP", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "basic", - "key": "QUINTILES", + "namespace": "x_org.owasp#aivss", + "key": "GDP", "version": "1.0.0", - "name": "Quintiles", - "definition": "A quintile is one of five equal groups that a population can be divided into according to the distribution of values of a particular variable.", + "name": "Goal-Driven Planning", + "definition": "Determines the goal-driven planning capabilities of an AI agent based on its ability to plan and execute actions over multiple steps.", "schemaVersion": "2.0.0", "values": [ { - "key": "Q1", - "name": "First Quintile", - "definition": "Quantile < 0.20. The lowest 20% of the range of possible values." + "key": "R", + "name": "Reactive", + "definition": "The agent can only respond to immediate inputs without planning." }, { - "key": "Q2", - "name": "Second Quintile", - "definition": "0.20 <= Quantile < 0.40. The second lowest 20% of the range of possible values." + "key": "A", + "name": "Assisted", + "definition": "The agent can plan multiple steps ahead but requires human execution or approval." }, { - "key": "Q3", - "name": "Third Quintile", - "definition": "0.40 <= Quantile < 0.60. The middle 20% of the range of possible values." + "key": "U", + "name": "Autonomous", + "definition": "The agent can plan and execute multiple steps independently." + } + ] + }, + "values": { + "R": { + "key": "R", + "name": "Reactive", + "definition": "The agent can only respond to immediate inputs without planning." + }, + "A": { + "key": "A", + "name": "Assisted", + "definition": "The agent can plan multiple steps ahead but requires human execution or approval." + }, + "U": { + "key": "U", + "name": "Autonomous", + "definition": "The agent can plan and execute multiple steps independently." + } + } + } + } + }, + "MU": { + "key": "MU", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "x_org.owasp#aivss", + "key": "MU", + "version": "1.0.0", + "name": "Memory Use", + "definition": "Determines the memory use level of an AI system based on its persistence and recall capabilities.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "S", + "name": "Stateless", + "definition": "No persistence beyond the current interaction." }, { - "key": "Q4", - "name": "Fourth Quintile", - "definition": "0.60 <= Quantile < 0.80. The second highest 20% of the range of possible values." + "key": "L", + "name": "Local Recall", + "definition": "Remembers within a session or user context." }, { - "key": "Q5", - "name": "Fifth Quintile", - "definition": "0.80 <= Quantile <= 1.0. The highest 20% of the range of possible values." + "key": "M", + "name": "Shared Memory", + "definition": "Persistent state across sessions, tasks, or teams." } ] }, "values": { - "Q1": { - "key": "Q1", - "name": "First Quintile", - "definition": "Quantile < 0.20. The lowest 20% of the range of possible values." - }, - "Q2": { - "key": "Q2", - "name": "Second Quintile", - "definition": "0.20 <= Quantile < 0.40. The second lowest 20% of the range of possible values." - }, - "Q3": { - "key": "Q3", - "name": "Third Quintile", - "definition": "0.40 <= Quantile < 0.60. The middle 20% of the range of possible values." + "S": { + "key": "S", + "name": "Stateless", + "definition": "No persistence beyond the current interaction." }, - "Q4": { - "key": "Q4", - "name": "Fourth Quintile", - "definition": "0.60 <= Quantile < 0.80. The second highest 20% of the range of possible values." + "L": { + "key": "L", + "name": "Local Recall", + "definition": "Remembers within a session or user context." }, - "Q5": { - "key": "Q5", - "name": "Fifth Quintile", - "definition": "0.80 <= Quantile <= 1.0. The highest 20% of the range of possible values." + "M": { + "key": "M", + "name": "Shared Memory", + "definition": "Persistent state across sessions, tasks, or teams." } } } } }, - "IKE": { - "key": "IKE", + "MAI": { + "key": "MAI", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "basic", - "key": "IKE", + "namespace": "x_org.owasp#aivss", + "key": "MAI", "version": "1.0.0", - "name": "Do, Schedule, Delegate, Delete", - "definition": "The Eisenhower outcome group.", + "name": "Multi-Agent Interactions", + "definition": "Characterizes how, and how flexibly, an AI system coordinates with other agents or services.", "schemaVersion": "2.0.0", "values": [ { - "key": "D", - "name": "Delete", - "definition": "Delete" - }, - { - "key": "G", - "name": "Delegate", - "definition": "Delegate" + "key": "S", + "name": "Solo", + "definition": "Operates alone; no coordination." }, { - "key": "S", - "name": "Schedule", - "definition": "Schedule" + "key": "R", + "name": "Scripted", + "definition": "Interacts through predefined handoffs or protocols." }, { "key": "O", - "name": "Do", - "definition": "Do" + "name": "Orchestrated", + "definition": "Dynamic teaming, swarms, emergent behavior, or markets." } ] }, "values": { - "D": { - "key": "D", - "name": "Delete", - "definition": "Delete" - }, - "G": { - "key": "G", - "name": "Delegate", - "definition": "Delegate" - }, "S": { "key": "S", - "name": "Schedule", - "definition": "Schedule" + "name": "Solo", + "definition": "Operates alone; no coordination." + }, + "R": { + "key": "R", + "name": "Scripted", + "definition": "Interacts through predefined handoffs or protocols." }, "O": { "key": "O", - "name": "Do", - "definition": "Do" + "name": "Orchestrated", + "definition": "Dynamic teaming, swarms, emergent behavior, or markets." } } } } }, - "LMH": { - "key": "LMH", + "ND": { + "key": "ND", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "basic", - "key": "LMH", + "namespace": "x_org.owasp#aivss", + "key": "ND", "version": "1.0.0", - "name": "LowMediumHigh", - "definition": "A Low/Medium/High decision point / outcome group.", + "name": "Non-Determinism", + "definition": "Describes variability of system outputs across repeated executions.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "Low" + "key": "D", + "name": "Deterministic", + "definition": "Stable outputs; no randomness." }, { - "key": "M", - "name": "Medium", - "definition": "Medium" + "key": "B", + "name": "Bounded", + "definition": "Controlled variance within predictable limits." }, { "key": "H", - "name": "High", - "definition": "High" + "name": "High-Variance", + "definition": "Broad or unstable behavioral range." } ] }, "values": { - "L": { - "key": "L", - "name": "Low", - "definition": "Low" + "D": { + "key": "D", + "name": "Deterministic", + "definition": "Stable outputs; no randomness." }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Medium" + "B": { + "key": "B", + "name": "Bounded", + "definition": "Controlled variance within predictable limits." }, "H": { "key": "H", - "name": "High", - "definition": "High" + "name": "High-Variance", + "definition": "Broad or unstable behavioral range." } } } } }, - "MSCW": { - "key": "MSCW", + "OR": { + "key": "OR", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "basic", - "key": "MSCW", + "namespace": "x_org.owasp#aivss", + "key": "OR", "version": "1.0.0", - "name": "MoSCoW", - "definition": "The MoSCoW (Must, Should, Could, Won't) outcome group.", + "name": "Opacity & Reflexivity", + "definition": "Captures how observable and explainable the internal reasoning and adaptation cycle is.", "schemaVersion": "2.0.0", "values": [ { - "key": "W", - "name": "Won't", - "definition": "Won't" - }, - { - "key": "C", - "name": "Could", - "definition": "Could" + "key": "T", + "name": "Transparent", + "definition": "Full logs and traceable reasoning." }, { - "key": "S", - "name": "Should", - "definition": "Should" + "key": "F", + "name": "Fragmented", + "definition": "Partial visibility; some steps hidden." }, { - "key": "M", - "name": "Must", - "definition": "Must" + "key": "O", + "name": "Opaque", + "definition": "Black-box behavior; internal process not observable." } ] }, "values": { - "W": { - "key": "W", - "name": "Won't", - "definition": "Won't" - }, - "C": { - "key": "C", - "name": "Could", - "definition": "Could" + "T": { + "key": "T", + "name": "Transparent", + "definition": "Full logs and traceable reasoning." }, - "S": { - "key": "S", - "name": "Should", - "definition": "Should" + "F": { + "key": "F", + "name": "Fragmented", + "definition": "Partial visibility; some steps hidden." }, - "M": { - "key": "M", - "name": "Must", - "definition": "Must" + "O": { + "key": "O", + "name": "Opaque", + "definition": "Black-box behavior; internal process not observable." } } } } }, - "VALUE_COMPLEXITY": { - "key": "VALUE_COMPLEXITY", + "PI": { + "key": "PI", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "basic", - "key": "VALUE_COMPLEXITY", + "namespace": "x_org.owasp#aivss", + "key": "PI", "version": "1.0.0", - "name": "Value, Complexity", - "definition": "The Value/Complexity outcome group.", + "name": "Predictability and Influence", + "definition": "TODO writeme", "schemaVersion": "2.0.0", "values": [ { - "key": "D", - "name": "Drop", - "definition": "Drop" - }, - { - "key": "R", - "name": "Reconsider Later", - "definition": "Reconsider Later" + "key": "V", + "name": "Verifiable", + "definition": "Behavior is traceable, reproducible, and backed by strong logging or proofs. Outputs align with clear rules, and any action can be independently checked. Unexpected deviations are rare and easy to diagnose." }, { - "key": "E", - "name": "Easy Win", - "definition": "Easy Win" + "key": "U", + "name": "Uncertain", + "definition": "Behavior is generally well-structured but can deviate within known bounds. Some reasoning steps or interactions lack full visibility, making verification partial. Issues may be diagnosable but require effort or contextual reconstruction." }, { - "key": "F", - "name": "Do First", - "definition": "Do First" + "key": "O", + "name": "Opaque", + "definition": "Behavior is highly variable, difficult to trace, and resistant to verification. Key reasoning paths, external influences, or interactions are hidden or unpredictable. Actions may appear coherent but cannot be reliably reproduced or audited." } ] }, "values": { - "D": { - "key": "D", - "name": "Drop", - "definition": "Drop" - }, - "R": { - "key": "R", - "name": "Reconsider Later", - "definition": "Reconsider Later" + "V": { + "key": "V", + "name": "Verifiable", + "definition": "Behavior is traceable, reproducible, and backed by strong logging or proofs. Outputs align with clear rules, and any action can be independently checked. Unexpected deviations are rare and easy to diagnose." }, - "E": { - "key": "E", - "name": "Easy Win", - "definition": "Easy Win" + "U": { + "key": "U", + "name": "Uncertain", + "definition": "Behavior is generally well-structured but can deviate within known bounds. Some reasoning steps or interactions lack full visibility, making verification partial. Issues may be diagnosable but require effort or contextual reconstruction." }, - "F": { - "key": "F", - "name": "Do First", - "definition": "Do First" + "O": { + "key": "O", + "name": "Opaque", + "definition": "Behavior is highly variable, difficult to trace, and resistant to verification. Key reasoning paths, external influences, or interactions are hidden or unpredictable. Actions may appear coherent but cannot be reliably reproduced or audited." } } } } }, - "YN": { - "key": "YN", + "SM": { + "key": "SM", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "basic", - "key": "YN", + "namespace": "x_org.owasp#aivss", + "key": "SM", "version": "1.0.0", - "name": "YesNo", - "definition": "A Yes/No decision point / outcome group.", + "name": "Self-Modification", + "definition": "Determines the self-modification capabilities of an AI agent based on its ability to alter its own code, configuration, or behavior.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "No", - "definition": "No" + "key": "F", + "name": "Fixed", + "definition": "The agent cannot modify its own code, configuration, or behavior." }, { - "key": "Y", - "name": "Yes", - "definition": "Yes" + "key": "M", + "name": "Mutable", + "definition": "The agent can modify its own code, configuration, or behavior." } ] }, "values": { - "N": { - "key": "N", - "name": "No", - "definition": "No" + "F": { + "key": "F", + "name": "Fixed", + "definition": "The agent cannot modify its own code, configuration, or behavior." }, - "Y": { - "key": "Y", - "name": "Yes", - "definition": "Yes" + "M": { + "key": "M", + "name": "Mutable", + "definition": "The agent can modify its own code, configuration, or behavior." } } - } - } - } - } - }, - "cisa": { - "namespace": "cisa", - "keys": { - "KEV": { - "key": "KEV", - "versions": { - "1.0.0": { - "version": "1.0.0", + }, + "1.1.0": { + "version": "1.1.0", "obj": { - "namespace": "cisa", - "key": "KEV", - "version": "1.0.0", - "name": "In KEV", - "definition": "Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.", + "namespace": "x_org.owasp#aivss", + "key": "SM", + "version": "1.1.0", + "name": "Self-Modification", + "definition": "Determines the self-modification capabilities of an AI agent based on its ability to alter its own code, configuration, or behavior.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "No", - "definition": "Vulnerability is not listed in KEV." + "key": "F", + "name": "Fixed", + "definition": "The agent cannot modify its own code, configuration, or behavior." }, { - "key": "Y", - "name": "Yes", - "definition": "Vulnerability is listed in KEV." + "key": "T", + "name": "Tunable", + "definition": "The agent can modify its configuration or prompts but not its core code or behavior." + }, + { + "key": "M", + "name": "Mutable", + "definition": "The agent can modify its own code, configuration, or behavior." } ] }, "values": { - "N": { - "key": "N", - "name": "No", - "definition": "Vulnerability is not listed in KEV." + "F": { + "key": "F", + "name": "Fixed", + "definition": "The agent cannot modify its own code, configuration, or behavior." }, - "Y": { - "key": "Y", - "name": "Yes", - "definition": "Vulnerability is listed in KEV." + "T": { + "key": "T", + "name": "Tunable", + "definition": "The agent can modify its configuration or prompts but not its core code or behavior." + }, + "M": { + "key": "M", + "name": "Mutable", + "definition": "The agent can modify its own code, configuration, or behavior." } } } } }, - "MP": { - "key": "MP", + "TU": { + "key": "TU", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cisa", - "key": "MP", + "namespace": "x_org.owasp#aivss", + "key": "TU", "version": "1.0.0", - "name": "Mission Prevalence", - "definition": "Prevalence of the mission essential functions", + "name": "Tool Use", + "definition": "Determines the tool use level of an AI agent based on its capabilities to interact with systems.", "schemaVersion": "2.0.0", "values": [ { - "key": "M", - "name": "Minimal", - "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions." + "key": "V", + "name": "Viewer", + "definition": "The agent can only read and analyze information without making any changes." }, { - "key": "S", - "name": "Support", - "definition": "The vulnerable component only supports MEFs for two or more entities." + "key": "O", + "name": "Operator", + "definition": "The agent can make changes within a controlled environment, such as test systems or local files." }, { - "key": "E", - "name": "Essential", - "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure." + "key": "A", + "name": "Administrator", + "definition": "The agent has full control and can make changes to privileged systems, including production environments." } ] }, "values": { - "M": { - "key": "M", - "name": "Minimal", - "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions." + "V": { + "key": "V", + "name": "Viewer", + "definition": "The agent can only read and analyze information without making any changes." }, - "S": { - "key": "S", - "name": "Support", - "definition": "The vulnerable component only supports MEFs for two or more entities." + "O": { + "key": "O", + "name": "Operator", + "definition": "The agent can make changes within a controlled environment, such as test systems or local files." }, - "E": { - "key": "E", - "name": "Essential", - "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure." + "A": { + "key": "A", + "name": "Administrator", + "definition": "The agent has full control and can make changes to privileged systems, including production environments." } } } } }, - "CISA": { - "key": "CISA", + "VC": { + "key": "VC", "versions": { - "1.1.0": { - "version": "1.1.0", + "1.0.0": { + "version": "1.0.0", "obj": { - "namespace": "cisa", - "key": "CISA", - "version": "1.1.0", - "name": "CISA Levels", - "definition": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", + "namespace": "x_org.owasp#aivss", + "key": "VC", + "version": "1.0.0", + "name": "Verification Capability", + "definition": "Indicates whether the system’s critical properties can be formally or practically verified.", "schemaVersion": "2.0.0", "values": [ { - "key": "T", - "name": "Track", - "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines." - }, - { - "key": "T*", - "name": "Track*", - "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." + "key": "P", + "name": "Provable", + "definition": "Critical safety or correctness invariants can be verified." }, { - "key": "AT", - "name": "Attend", - "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." + "key": "K", + "name": "Key Invariants Verifiable", + "definition": "Some critical properties can be verified, but not all." }, { - "key": "AC", - "name": "Act", - "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." + "key": "U", + "name": "Unverifiable", + "definition": "Cannot prove correctness or invariants in practice." } ] }, "values": { - "T": { - "key": "T", - "name": "Track", - "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines." - }, - "T*": { - "key": "T*", - "name": "Track*", - "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." + "P": { + "key": "P", + "name": "Provable", + "definition": "Critical safety or correctness invariants can be verified." }, - "AT": { - "key": "AT", - "name": "Attend", - "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." + "K": { + "key": "K", + "name": "Key Invariants Verifiable", + "definition": "Some critical properties can be verified, but not all." }, - "AC": { - "key": "AC", - "name": "Act", - "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." + "U": { + "key": "U", + "name": "Unverifiable", + "definition": "Cannot prove correctness or invariants in practice." } } } @@ -926,1019 +846,964 @@ } } }, - "cvss": { - "namespace": "cvss", + "basic": { + "namespace": "basic", "keys": { - "AC": { - "key": "AC", + "BP": { + "key": "BP", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "AC", + "namespace": "basic", + "key": "BP", "version": "1.0.0", - "name": "Access Complexity", - "definition": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.", + "name": "Boundary Proximity", + "definition": "Indicates whether another value is near a boundary condition, indicating that special consideration may be needed.", "schemaVersion": "2.0.0", "values": [ { - "key": "H", - "name": "High", - "definition": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)" + "key": "NN", + "name": "Not Near Boundary", + "definition": "The value is not near a boundary condition" }, { - "key": "L", - "name": "Low", - "definition": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable." + "key": "JA", + "name": "Just Above Boundary", + "definition": "The value is just above a boundary condition" + }, + { + "key": "JB", + "name": "Just Below Boundary", + "definition": "The value is just below a boundary condition" } ] }, "values": { - "H": { - "key": "H", - "name": "High", - "definition": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)" + "NN": { + "key": "NN", + "name": "Not Near Boundary", + "definition": "The value is not near a boundary condition" }, - "L": { - "key": "L", - "name": "Low", - "definition": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable." + "JA": { + "key": "JA", + "name": "Just Above Boundary", + "definition": "The value is just above a boundary condition" + }, + "JB": { + "key": "JB", + "name": "Just Below Boundary", + "definition": "The value is just below a boundary condition" } } - }, - "2.0.0": { - "version": "2.0.0", + } + } + }, + "CIS_WEP": { + "key": "CIS_WEP", + "versions": { + "1.0.0": { + "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "AC", - "version": "2.0.0", - "name": "Access Complexity", - "definition": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.", + "namespace": "basic", + "key": "CIS_WEP", + "version": "1.0.0", + "name": "CIS-CTI Words of Estimative Probability", + "definition": "A scale for expressing the likelihood of an event or outcome.", "schemaVersion": "2.0.0", "values": [ { - "key": "H", - "name": "High", - "definition": "Specialized access conditions exist." + "key": "ANC", + "name": "Almost No Chance", + "definition": "Probability < 0.05. Almost no chance, remote" }, { - "key": "M", - "name": "Medium", - "definition": "The access conditions are somewhat specialized." + "key": "VU", + "name": "Very Unlikely", + "definition": "0.05 <= Probability < 0.20. Very unlikely, highly improbable." }, { - "key": "L", - "name": "Low", - "definition": "Specialized access conditions or extenuating circumstances do not exist." - } - ] - }, - "values": { - "H": { - "key": "H", - "name": "High", - "definition": "Specialized access conditions exist." - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "The access conditions are somewhat specialized." - }, - "L": { - "key": "L", - "name": "Low", - "definition": "Specialized access conditions or extenuating circumstances do not exist." - } - } - }, - "3.0.0": { - "version": "3.0.0", - "obj": { - "namespace": "cvss", - "key": "AC", - "version": "3.0.0", - "name": "Attack Complexity", - "definition": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", - "schemaVersion": "2.0.0", - "values": [ + "key": "U", + "name": "Unlikely", + "definition": "0.20 <= Probability < 0.45. Unlikely, improbable." + }, { - "key": "H", - "name": "High", - "definition": "A successful attack depends on conditions beyond the attacker's control." + "key": "REC", + "name": "Roughly Even Chance", + "definition": "0.45 <= Probability < 0.55. Roughly even chance, roughly even odds." }, { "key": "L", - "name": "Low", - "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." - } - ] - }, - "values": { - "H": { - "key": "H", - "name": "High", - "definition": "A successful attack depends on conditions beyond the attacker's control." - }, - "L": { - "key": "L", - "name": "Low", - "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." - } - } - }, - "3.0.1": { - "version": "3.0.1", - "obj": { - "namespace": "cvss", - "key": "AC", - "version": "3.0.1", - "name": "Attack Complexity", - "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", - "schemaVersion": "2.0.0", - "values": [ + "name": "Likely", + "definition": "0.55 <= Probability < 0.80. Likely, probable." + }, { - "key": "H", - "name": "High", - "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." + "key": "VL", + "name": "Very Likely", + "definition": "0.80 <= Probability < 0.95. Very likely, highly probable." }, { - "key": "L", - "name": "Low", - "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " + "key": "AC", + "name": "Almost Certain", + "definition": "0.95 <= Probability. Almost certain, nearly certain." } ] }, "values": { - "H": { - "key": "H", - "name": "High", - "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." + "ANC": { + "key": "ANC", + "name": "Almost No Chance", + "definition": "Probability < 0.05. Almost no chance, remote" + }, + "VU": { + "key": "VU", + "name": "Very Unlikely", + "definition": "0.05 <= Probability < 0.20. Very unlikely, highly improbable." + }, + "U": { + "key": "U", + "name": "Unlikely", + "definition": "0.20 <= Probability < 0.45. Unlikely, improbable." + }, + "REC": { + "key": "REC", + "name": "Roughly Even Chance", + "definition": "0.45 <= Probability < 0.55. Roughly even chance, roughly even odds." }, "L": { "key": "L", - "name": "Low", - "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " + "name": "Likely", + "definition": "0.55 <= Probability < 0.80. Likely, probable." + }, + "VL": { + "key": "VL", + "name": "Very Likely", + "definition": "0.80 <= Probability < 0.95. Very likely, highly probable." + }, + "AC": { + "key": "AC", + "name": "Almost Certain", + "definition": "0.95 <= Probability. Almost certain, nearly certain." } } } } }, - "AT": { - "key": "AT", + "P_5A": { + "key": "P_5A", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "AT", + "namespace": "basic", + "key": "P_5A", "version": "1.0.0", - "name": "Attack Requirements", - "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", + "name": "Probability Scale in 5 equal levels, ascending", + "definition": "A probability scale with 20% increments", "schemaVersion": "2.0.0", "values": [ { - "key": "P", - "name": "Present", - "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." + "key": "P0_20", + "name": "Less than 20%", + "definition": "Probability < 0.2" }, { - "key": "N", - "name": "None", - "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." + "key": "P20_40", + "name": "20% to 40%", + "definition": "0.2 <= Probability < 0.4" + }, + { + "key": "P40_60", + "name": "40% to 60%", + "definition": "0.4 <= Probability < 0.6" + }, + { + "key": "P60_80", + "name": "60% to 80%", + "definition": "0.6 <= Probability < 0.8" + }, + { + "key": "P80_100", + "name": "Greater than 80%", + "definition": "0.8 <= Probability <= 1.0" } ] }, "values": { - "P": { - "key": "P", - "name": "Present", - "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." + "P0_20": { + "key": "P0_20", + "name": "Less than 20%", + "definition": "Probability < 0.2" }, - "N": { - "key": "N", - "name": "None", - "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." + "P20_40": { + "key": "P20_40", + "name": "20% to 40%", + "definition": "0.2 <= Probability < 0.4" + }, + "P40_60": { + "key": "P40_60", + "name": "40% to 60%", + "definition": "0.4 <= Probability < 0.6" + }, + "P60_80": { + "key": "P60_80", + "name": "60% to 80%", + "definition": "0.6 <= Probability < 0.8" + }, + "P80_100": { + "key": "P80_100", + "name": "Greater than 80%", + "definition": "0.8 <= Probability <= 1.0" } } } } }, - "AV": { - "key": "AV", + "P_5W": { + "key": "P_5W", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "AV", + "namespace": "basic", + "key": "P_5W", "version": "1.0.0", - "name": "Access Vector", - "definition": "This metric measures whether or not the vulnerability is exploitable locally or remotely.", + "name": "Probability Scale in 5 weighted levels, ascending", + "definition": "A probability scale with higher resolution as probability increases", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Local", - "definition": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)" + "key": "P0_30", + "name": "Less than 30%", + "definition": "Probability < 0.3" }, { - "key": "R", - "name": "Remote", - "definition": "The vulnerability is exploitable remotely." - } - ] - }, - "values": { - "L": { - "key": "L", - "name": "Local", - "definition": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)" - }, - "R": { - "key": "R", - "name": "Remote", - "definition": "The vulnerability is exploitable remotely." - } - } - }, - "2.0.0": { - "version": "2.0.0", - "obj": { - "namespace": "cvss", - "key": "AV", - "version": "2.0.0", - "name": "Access Vector", - "definition": "This metric reflects the context by which vulnerability exploitation is possible.", - "schemaVersion": "2.0.0", - "values": [ + "key": "P30_55", + "name": "30% to 55%", + "definition": "0.3 <= Probability < 0.55" + }, { - "key": "L", - "name": "Local", - "definition": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account." + "key": "P55_75", + "name": "55% to 75%", + "definition": "0.55 <= Probability < 0.75" }, { - "key": "A", - "name": "Adjacent Network", - "definition": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software." + "key": "P75_90", + "name": "75% to 90%", + "definition": "0.75 <= Probability < 0.9" }, { - "key": "N", - "name": "Network", - "definition": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'." + "key": "P90_100", + "name": "Greater than 90%", + "definition": "0.9 <= Probability <= 1.0" } ] }, "values": { - "L": { - "key": "L", - "name": "Local", - "definition": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account." + "P0_30": { + "key": "P0_30", + "name": "Less than 30%", + "definition": "Probability < 0.3" }, - "A": { - "key": "A", - "name": "Adjacent Network", - "definition": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software." + "P30_55": { + "key": "P30_55", + "name": "30% to 55%", + "definition": "0.3 <= Probability < 0.55" }, - "N": { - "key": "N", - "name": "Network", - "definition": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'." + "P55_75": { + "key": "P55_75", + "name": "55% to 75%", + "definition": "0.55 <= Probability < 0.75" + }, + "P75_90": { + "key": "P75_90", + "name": "75% to 90%", + "definition": "0.75 <= Probability < 0.9" + }, + "P90_100": { + "key": "P90_100", + "name": "Greater than 90%", + "definition": "0.9 <= Probability <= 1.0" } } - }, - "3.0.0": { - "version": "3.0.0", + } + } + }, + "P_2A": { + "key": "P_2A", + "versions": { + "1.0.0": { + "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "AV", - "version": "3.0.0", - "name": "Attack Vector", - "definition": "This metric reflects the context by which vulnerability exploitation is possible. ", + "namespace": "basic", + "key": "P_2A", + "version": "1.0.0", + "name": "Probability Scale in 2 equal levels, ascending", + "definition": "A probability scale that divides between less than 50% and greater than or equal to 50%", "schemaVersion": "2.0.0", "values": [ { - "key": "P", - "name": "Physical", - "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." - }, - { - "key": "L", - "name": "Local", - "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." - }, - { - "key": "A", - "name": "Adjacent", - "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." + "key": "LT50", + "name": "Less than 50%", + "definition": "0.0 <= Probability < 0.5" }, { - "key": "N", - "name": "Network", - "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." + "key": "GT50", + "name": "Greater than 50%", + "definition": "0.5 <= Probability <= 1.0" } ] }, "values": { - "P": { - "key": "P", - "name": "Physical", - "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." - }, - "L": { - "key": "L", - "name": "Local", - "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." - }, - "A": { - "key": "A", - "name": "Adjacent", - "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." + "LT50": { + "key": "LT50", + "name": "Less than 50%", + "definition": "0.0 <= Probability < 0.5" }, - "N": { - "key": "N", - "name": "Network", - "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." + "GT50": { + "key": "GT50", + "name": "Greater than 50%", + "definition": "0.5 <= Probability <= 1.0" } } - }, - "3.0.1": { - "version": "3.0.1", + } + } + }, + "MEDIAN": { + "key": "MEDIAN", + "versions": { + "1.0.0": { + "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "AV", - "version": "3.0.1", - "name": "Attack Vector", - "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", + "namespace": "basic", + "key": "MEDIAN", + "version": "1.0.0", + "name": "Median Split", + "definition": "A median split divides a distribution into two equal parts, with 50% of the values falling below the median and 50% above it.", "schemaVersion": "2.0.0", "values": [ { - "key": "P", - "name": "Physical", - "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." - }, - { - "key": "L", - "name": "Local", - "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." + "key": "B", + "name": "Below Median", + "definition": "Quantile < 0.50. The lower half of the range of possible values." }, { "key": "A", - "name": "Adjacent", - "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." - }, - { - "key": "N", - "name": "Network", - "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." + "name": "Above Median", + "definition": "0.50 <= Quantile <= 1.0. The upper half of the range of possible values." } ] }, "values": { - "P": { - "key": "P", - "name": "Physical", - "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." - }, - "L": { - "key": "L", - "name": "Local", - "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." + "B": { + "key": "B", + "name": "Below Median", + "definition": "Quantile < 0.50. The lower half of the range of possible values." }, "A": { "key": "A", - "name": "Adjacent", - "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." - }, - "N": { - "key": "N", - "name": "Network", - "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." + "name": "Above Median", + "definition": "0.50 <= Quantile <= 1.0. The upper half of the range of possible values." } } } } }, - "Au": { - "key": "Au", + "QUARTILES": { + "key": "QUARTILES", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "Au", + "namespace": "basic", + "key": "QUARTILES", "version": "1.0.0", - "name": "Authentication", - "definition": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", + "name": "Quartiles", + "definition": "A quartile is one of four equal groups that a population can be divided into according to the distribution of values of a particular variable.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "Not Required", - "definition": "Authentication is not required to access or exploit the vulnerability." + "key": "Q1", + "name": "First Quartile", + "definition": "Quantile < 0.25. The lowest 25% of the range of possible values." }, { - "key": "R", - "name": "Required", - "definition": "Authentication is required to access and exploit the vulnerability." - } - ] - }, - "values": { - "N": { - "key": "N", - "name": "Not Required", - "definition": "Authentication is not required to access or exploit the vulnerability." - }, - "R": { - "key": "R", - "name": "Required", - "definition": "Authentication is required to access and exploit the vulnerability." - } - } - }, - "2.0.0": { - "version": "2.0.0", - "obj": { - "namespace": "cvss", - "key": "Au", - "version": "2.0.0", - "name": "Authentication", - "definition": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "M", - "name": "Multiple", - "definition": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time." + "key": "Q2", + "name": "Second Quartile", + "definition": "0.25 <= Quantile < 0.50. The second lowest 25% of the range of possible values." }, { - "key": "S", - "name": "Single", - "definition": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)." + "key": "Q3", + "name": "Third Quartile", + "definition": "0.50 <= Quantile < 0.75. The second highest 25% of the range of possible values." }, { - "key": "N", - "name": "None", - "definition": "Authentication is not required to exploit the vulnerability." + "key": "Q4", + "name": "Fourth Quartile", + "definition": "0.75 <= Quantile <= 1.0. The highest 25% of the range of possible values." } ] }, "values": { - "M": { - "key": "M", - "name": "Multiple", - "definition": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time." + "Q1": { + "key": "Q1", + "name": "First Quartile", + "definition": "Quantile < 0.25. The lowest 25% of the range of possible values." }, - "S": { - "key": "S", - "name": "Single", - "definition": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)." + "Q2": { + "key": "Q2", + "name": "Second Quartile", + "definition": "0.25 <= Quantile < 0.50. The second lowest 25% of the range of possible values." }, - "N": { - "key": "N", - "name": "None", - "definition": "Authentication is not required to exploit the vulnerability." + "Q3": { + "key": "Q3", + "name": "Third Quartile", + "definition": "0.50 <= Quantile < 0.75. The second highest 25% of the range of possible values." + }, + "Q4": { + "key": "Q4", + "name": "Fourth Quartile", + "definition": "0.75 <= Quantile <= 1.0. The highest 25% of the range of possible values." } } } } }, - "A": { - "key": "A", + "QUINTILES": { + "key": "QUINTILES", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "A", + "namespace": "basic", + "key": "QUINTILES", "version": "1.0.0", - "name": "Availability Impact", - "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", + "name": "Quintiles", + "definition": "A quintile is one of five equal groups that a population can be divided into according to the distribution of values of a particular variable.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "No impact on availability." + "key": "Q1", + "name": "First Quintile", + "definition": "Quantile < 0.20. The lowest 20% of the range of possible values." }, { - "key": "P", - "name": "Partial", - "definition": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete." + "key": "Q2", + "name": "Second Quintile", + "definition": "0.20 <= Quantile < 0.40. The second lowest 20% of the range of possible values." }, { - "key": "C", - "name": "Complete", - "definition": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable." + "key": "Q3", + "name": "Third Quintile", + "definition": "0.40 <= Quantile < 0.60. The middle 20% of the range of possible values." + }, + { + "key": "Q4", + "name": "Fourth Quintile", + "definition": "0.60 <= Quantile < 0.80. The second highest 20% of the range of possible values." + }, + { + "key": "Q5", + "name": "Fifth Quintile", + "definition": "0.80 <= Quantile <= 1.0. The highest 20% of the range of possible values." } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "No impact on availability." + "Q1": { + "key": "Q1", + "name": "First Quintile", + "definition": "Quantile < 0.20. The lowest 20% of the range of possible values." }, - "P": { - "key": "P", - "name": "Partial", - "definition": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete." + "Q2": { + "key": "Q2", + "name": "Second Quintile", + "definition": "0.20 <= Quantile < 0.40. The second lowest 20% of the range of possible values." }, - "C": { - "key": "C", - "name": "Complete", - "definition": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable." + "Q3": { + "key": "Q3", + "name": "Third Quintile", + "definition": "0.40 <= Quantile < 0.60. The middle 20% of the range of possible values." + }, + "Q4": { + "key": "Q4", + "name": "Fourth Quintile", + "definition": "0.60 <= Quantile < 0.80. The second highest 20% of the range of possible values." + }, + "Q5": { + "key": "Q5", + "name": "Fifth Quintile", + "definition": "0.80 <= Quantile <= 1.0. The highest 20% of the range of possible values." } } - }, - "2.0.0": { - "version": "2.0.0", + } + } + }, + "IKE": { + "key": "IKE", + "versions": { + "1.0.0": { + "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "A", - "version": "2.0.0", - "name": "Availability Impact", - "definition": "This metric measures the impact to availability of a successfully exploited vulnerability.", + "namespace": "basic", + "key": "IKE", + "version": "1.0.0", + "name": "Do, Schedule, Delegate, Delete", + "definition": "The Eisenhower outcome group.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no impact to the availability of the system." + "key": "D", + "name": "Delete", + "definition": "Delete" }, { - "key": "L", - "name": "Low", - "definition": "There is reduced performance or interruptions in resource availability." + "key": "G", + "name": "Delegate", + "definition": "Delegate" }, { - "key": "H", - "name": "High", - "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + "key": "S", + "name": "Schedule", + "definition": "Schedule" + }, + { + "key": "O", + "name": "Do", + "definition": "Do" } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no impact to the availability of the system." + "D": { + "key": "D", + "name": "Delete", + "definition": "Delete" }, - "L": { - "key": "L", - "name": "Low", - "definition": "There is reduced performance or interruptions in resource availability." + "G": { + "key": "G", + "name": "Delegate", + "definition": "Delegate" }, - "H": { - "key": "H", - "name": "High", - "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + "S": { + "key": "S", + "name": "Schedule", + "definition": "Schedule" + }, + "O": { + "key": "O", + "name": "Do", + "definition": "Do" } } } } }, - "VA": { - "key": "VA", + "LMH": { + "key": "LMH", "versions": { - "3.0.0": { - "version": "3.0.0", + "1.0.0": { + "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "VA", - "version": "3.0.0", - "name": "Availability Impact to the Vulnerable System", - "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", + "namespace": "basic", + "key": "LMH", + "version": "1.0.0", + "name": "LowMediumHigh", + "definition": "A Low/Medium/High decision point / outcome group.", "schemaVersion": "2.0.0", "values": [ - { - "key": "N", - "name": "None", - "definition": "There is no impact to availability within the Vulnerable System." - }, { "key": "L", "name": "Low", - "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." + "definition": "Low" + }, + { + "key": "M", + "name": "Medium", + "definition": "Medium" }, { "key": "H", "name": "High", - "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + "definition": "High" } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no impact to availability within the Vulnerable System." - }, "L": { "key": "L", "name": "Low", - "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." + "definition": "Low" }, - "H": { - "key": "H", - "name": "High", - "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + "M": { + "key": "M", + "name": "Medium", + "definition": "Medium" + }, + "H": { + "key": "H", + "name": "High", + "definition": "High" } } } } }, - "AR": { - "key": "AR", + "MSCW": { + "key": "MSCW", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "AR", + "namespace": "basic", + "key": "MSCW", "version": "1.0.0", - "name": "Availability Requirement", - "definition": "This metric measures the impact to the availability of a successfully exploited vulnerability.", + "name": "MoSCoW", + "definition": "The MoSCoW (Must, Should, Could, Won't) outcome group.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "W", + "name": "Won't", + "definition": "Won't" }, { - "key": "M", - "name": "Medium", - "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "C", + "name": "Could", + "definition": "Could" }, { - "key": "H", - "name": "High", - "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "S", + "name": "Should", + "definition": "Should" }, { - "key": "ND", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "M", + "name": "Must", + "definition": "Must" } ] }, "values": { - "L": { - "key": "L", - "name": "Low", - "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "W": { + "key": "W", + "name": "Won't", + "definition": "Won't" }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "C": { + "key": "C", + "name": "Could", + "definition": "Could" }, - "H": { - "key": "H", - "name": "High", - "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "S": { + "key": "S", + "name": "Should", + "definition": "Should" }, - "ND": { - "key": "ND", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "M": { + "key": "M", + "name": "Must", + "definition": "Must" } } - }, - "1.1.0": { - "version": "1.1.0", + } + } + }, + "VALUE_COMPLEXITY": { + "key": "VALUE_COMPLEXITY", + "versions": { + "1.0.0": { + "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "AR", - "version": "1.1.0", - "name": "Availability Requirement", - "definition": "This metric measures the impact to the availability of a successfully exploited vulnerability.", + "namespace": "basic", + "key": "VALUE_COMPLEXITY", + "version": "1.0.0", + "name": "Value, Complexity", + "definition": "The Value/Complexity outcome group.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "D", + "name": "Drop", + "definition": "Drop" }, { - "key": "M", - "name": "Medium", - "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "R", + "name": "Reconsider Later", + "definition": "Reconsider Later" }, { - "key": "H", - "name": "High", - "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "E", + "name": "Easy Win", + "definition": "Easy Win" }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "F", + "name": "Do First", + "definition": "Do First" } ] }, "values": { - "L": { - "key": "L", - "name": "Low", - "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "D": { + "key": "D", + "name": "Drop", + "definition": "Drop" }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "R": { + "key": "R", + "name": "Reconsider Later", + "definition": "Reconsider Later" }, - "H": { - "key": "H", - "name": "High", - "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "E": { + "key": "E", + "name": "Easy Win", + "definition": "Easy Win" }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "F": { + "key": "F", + "name": "Do First", + "definition": "Do First" } } - }, - "1.1.1": { - "version": "1.1.1", + } + } + }, + "YN": { + "key": "YN", + "versions": { + "1.0.0": { + "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "AR", - "version": "1.1.1", - "name": "Availability Requirement", - "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.", + "namespace": "basic", + "key": "YN", + "version": "1.0.0", + "name": "YesNo", + "definition": "A Yes/No decision point / outcome group.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - { - "key": "M", - "name": "Medium", - "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - { - "key": "H", - "name": "High", - "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "N", + "name": "No", + "definition": "No" }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "Y", + "name": "Yes", + "definition": "Yes" } ] }, "values": { - "L": { - "key": "L", - "name": "Low", - "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - "H": { - "key": "H", - "name": "High", - "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "N": { + "key": "N", + "name": "No", + "definition": "No" }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "Y": { + "key": "Y", + "name": "Yes", + "definition": "Yes" } } } } - }, - "AR_NoX": { - "key": "AR_NoX", + } + } + }, + "cisa": { + "namespace": "cisa", + "keys": { + "KEV": { + "key": "KEV", "versions": { - "1.1.1": { - "version": "1.1.1", + "1.0.0": { + "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "AR_NoX", - "version": "1.1.1", - "name": "Availability Requirement (without Not Defined)", - "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.", + "namespace": "cisa", + "key": "KEV", + "version": "1.0.0", + "name": "In KEV", + "definition": "Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "N", + "name": "No", + "definition": "Vulnerability is not listed in KEV." }, { - "key": "M", - "name": "Medium", - "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - { - "key": "H", - "name": "High", - "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "Y", + "name": "Yes", + "definition": "Vulnerability is listed in KEV." } ] }, "values": { - "L": { - "key": "L", - "name": "Low", - "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "N": { + "key": "N", + "name": "No", + "definition": "Vulnerability is not listed in KEV." }, - "H": { - "key": "H", - "name": "High", - "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "Y": { + "key": "Y", + "name": "Yes", + "definition": "Vulnerability is listed in KEV." } } } } }, - "CDP": { - "key": "CDP", + "MP": { + "key": "MP", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "CDP", + "namespace": "cisa", + "key": "MP", "version": "1.0.0", - "name": "Collateral Damage Potential", - "definition": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.", + "name": "Mission Prevalence", + "definition": "Prevalence of the mission essential functions", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no potential for physical or property damage." - }, - { - "key": "L", - "name": "Low", - "definition": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed." + "key": "M", + "name": "Minimal", + "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions." }, { - "key": "M", - "name": "Medium", - "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." + "key": "S", + "name": "Support", + "definition": "The vulnerable component only supports MEFs for two or more entities." }, { - "key": "H", - "name": "High", - "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." + "key": "E", + "name": "Essential", + "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure." } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no potential for physical or property damage." - }, - "L": { - "key": "L", - "name": "Low", - "definition": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed." - }, "M": { "key": "M", - "name": "Medium", - "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." + "name": "Minimal", + "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions." }, - "H": { - "key": "H", - "name": "High", - "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." + "S": { + "key": "S", + "name": "Support", + "definition": "The vulnerable component only supports MEFs for two or more entities." + }, + "E": { + "key": "E", + "name": "Essential", + "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure." } } - }, - "2.0.0": { - "version": "2.0.0", + } + } + }, + "CISA": { + "key": "CISA", + "versions": { + "1.1.0": { + "version": "1.1.0", "obj": { - "namespace": "cvss", - "key": "CDP", - "version": "2.0.0", - "name": "Collateral Damage Potential", - "definition": "This metric measures the potential for loss of life or physical assets.", + "namespace": "cisa", + "key": "CISA", + "version": "1.1.0", + "name": "CISA Levels", + "definition": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no potential for loss of life, physical assets, productivity or revenue." - }, - { - "key": "LM", - "name": "Low-Medium", - "definition": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss." + "key": "T", + "name": "Track", + "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines." }, { - "key": "MH", - "name": "Medium-High", - "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." + "key": "T*", + "name": "Track*", + "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." }, { - "key": "H", - "name": "High", - "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." + "key": "AT", + "name": "Attend", + "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." }, { - "key": "ND", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "AC", + "name": "Act", + "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no potential for loss of life, physical assets, productivity or revenue." - }, - "LM": { - "key": "LM", - "name": "Low-Medium", - "definition": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss." + "T": { + "key": "T", + "name": "Track", + "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines." }, - "MH": { - "key": "MH", - "name": "Medium-High", - "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." + "T*": { + "key": "T*", + "name": "Track*", + "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." }, - "H": { - "key": "H", - "name": "High", - "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." + "AT": { + "key": "AT", + "name": "Attend", + "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." }, - "ND": { - "key": "ND", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "AC": { + "key": "AC", + "name": "Act", + "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." } } } } - }, - "C": { - "key": "C", + } + } + }, + "cvss": { + "namespace": "cvss", + "keys": { + "AC": { + "key": "AC", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "C", + "key": "AC", "version": "1.0.0", - "name": "Confidentiality Impact", - "definition": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.", + "name": "Access Complexity", + "definition": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "No impact on confidentiality." - }, - { - "key": "P", - "name": "Partial", - "definition": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained." + "key": "H", + "name": "High", + "definition": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)" }, { - "key": "C", - "name": "Complete", - "definition": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)." + "key": "L", + "name": "Low", + "definition": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable." } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "No impact on confidentiality." - }, - "P": { - "key": "P", - "name": "Partial", - "definition": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained." + "H": { + "key": "H", + "name": "High", + "definition": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)" }, - "C": { - "key": "C", - "name": "Complete", - "definition": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)." + "L": { + "key": "L", + "name": "Low", + "definition": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable." } } }, @@ -1946,654 +1811,639 @@ "version": "2.0.0", "obj": { "namespace": "cvss", - "key": "C", + "key": "AC", "version": "2.0.0", - "name": "Confidentiality Impact", - "definition": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", + "name": "Access Complexity", + "definition": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no loss of confidentiality within the impacted component." + "key": "H", + "name": "High", + "definition": "Specialized access conditions exist." }, { - "key": "L", - "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + "key": "M", + "name": "Medium", + "definition": "The access conditions are somewhat specialized." }, { - "key": "H", - "name": "High", - "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." - } + "key": "L", + "name": "Low", + "definition": "Specialized access conditions or extenuating circumstances do not exist." + } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no loss of confidentiality within the impacted component." + "H": { + "key": "H", + "name": "High", + "definition": "Specialized access conditions exist." + }, + "M": { + "key": "M", + "name": "Medium", + "definition": "The access conditions are somewhat specialized." }, "L": { "key": "L", "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." - }, - "H": { - "key": "H", - "name": "High", - "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + "definition": "Specialized access conditions or extenuating circumstances do not exist." } } - } - } - }, - "VC": { - "key": "VC", - "versions": { + }, "3.0.0": { "version": "3.0.0", "obj": { "namespace": "cvss", - "key": "VC", + "key": "AC", "version": "3.0.0", - "name": "Confidentiality Impact to the Vulnerable System", - "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", + "name": "Attack Complexity", + "definition": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no loss of confidentiality within the impacted component." + "key": "H", + "name": "High", + "definition": "A successful attack depends on conditions beyond the attacker's control." }, { "key": "L", "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." - }, - { - "key": "H", - "name": "High", - "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no loss of confidentiality within the impacted component." + "H": { + "key": "H", + "name": "High", + "definition": "A successful attack depends on conditions beyond the attacker's control." }, "L": { "key": "L", "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." - }, + "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." + } + } + }, + "3.0.1": { + "version": "3.0.1", + "obj": { + "namespace": "cvss", + "key": "AC", + "version": "3.0.1", + "name": "Attack Complexity", + "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "H", + "name": "High", + "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." + }, + { + "key": "L", + "name": "Low", + "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " + } + ] + }, + "values": { "H": { "key": "H", "name": "High", - "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." + }, + "L": { + "key": "L", + "name": "Low", + "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " } } } } }, - "CR": { - "key": "CR", + "AT": { + "key": "AT", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "CR", + "key": "AT", "version": "1.0.0", - "name": "Confidentiality Requirement", - "definition": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", + "name": "Attack Requirements", + "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - { - "key": "M", - "name": "Medium", - "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - { - "key": "H", - "name": "High", - "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "P", + "name": "Present", + "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." }, { - "key": "ND", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "N", + "name": "None", + "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." } ] }, "values": { - "L": { - "key": "L", - "name": "Low", - "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - "H": { - "key": "H", - "name": "High", - "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "P": { + "key": "P", + "name": "Present", + "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." }, - "ND": { - "key": "ND", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "N": { + "key": "N", + "name": "None", + "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." } } - }, - "1.1.0": { - "version": "1.1.0", + } + } + }, + "AV": { + "key": "AV", + "versions": { + "1.0.0": { + "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "CR", - "version": "1.1.0", - "name": "Confidentiality Requirement", - "definition": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", + "key": "AV", + "version": "1.0.0", + "name": "Access Vector", + "definition": "This metric measures whether or not the vulnerability is exploitable locally or remotely.", "schemaVersion": "2.0.0", "values": [ { "key": "L", - "name": "Low", - "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - { - "key": "M", - "name": "Medium", - "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - { - "key": "H", - "name": "High", - "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "name": "Local", + "definition": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)" }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "R", + "name": "Remote", + "definition": "The vulnerability is exploitable remotely." } ] }, "values": { "L": { "key": "L", - "name": "Low", - "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - "H": { - "key": "H", - "name": "High", - "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "name": "Local", + "definition": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)" }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "R": { + "key": "R", + "name": "Remote", + "definition": "The vulnerability is exploitable remotely." } } }, - "1.1.1": { - "version": "1.1.1", + "2.0.0": { + "version": "2.0.0", "obj": { "namespace": "cvss", - "key": "CR", - "version": "1.1.1", - "name": "Confidentiality Requirement", - "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.", + "key": "AV", + "version": "2.0.0", + "name": "Access Vector", + "definition": "This metric reflects the context by which vulnerability exploitation is possible.", "schemaVersion": "2.0.0", "values": [ { "key": "L", - "name": "Low", - "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - { - "key": "M", - "name": "Medium", - "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "name": "Local", + "definition": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account." }, { - "key": "H", - "name": "High", - "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "A", + "name": "Adjacent Network", + "definition": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software." }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "N", + "name": "Network", + "definition": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'." } ] }, "values": { "L": { "key": "L", - "name": "Low", - "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "name": "Local", + "definition": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account." }, - "H": { - "key": "H", - "name": "High", - "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "A": { + "key": "A", + "name": "Adjacent Network", + "definition": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software." }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "N": { + "key": "N", + "name": "Network", + "definition": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'." } } - } - } - }, - "CR_NoX": { - "key": "CR_NoX", - "versions": { - "1.1.1": { - "version": "1.1.1", + }, + "3.0.0": { + "version": "3.0.0", "obj": { "namespace": "cvss", - "key": "CR_NoX", - "version": "1.1.1", - "name": "Confidentiality Requirement (without Not Defined)", - "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.", + "key": "AV", + "version": "3.0.0", + "name": "Attack Vector", + "definition": "This metric reflects the context by which vulnerability exploitation is possible. ", "schemaVersion": "2.0.0", "values": [ + { + "key": "P", + "name": "Physical", + "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." + }, { "key": "L", - "name": "Low", - "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "name": "Local", + "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." }, { - "key": "M", - "name": "Medium", - "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "A", + "name": "Adjacent", + "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." }, { - "key": "H", - "name": "High", - "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "N", + "name": "Network", + "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." } ] }, "values": { + "P": { + "key": "P", + "name": "Physical", + "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." + }, "L": { "key": "L", - "name": "Low", - "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "name": "Local", + "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "A": { + "key": "A", + "name": "Adjacent", + "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." }, - "H": { - "key": "H", - "name": "High", - "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "N": { + "key": "N", + "name": "Network", + "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." } } - } - } - }, - "EQ1": { - "key": "EQ1", - "versions": { - "1.0.0": { - "version": "1.0.0", + }, + "3.0.1": { + "version": "3.0.1", "obj": { "namespace": "cvss", - "key": "EQ1", - "version": "1.0.0", - "name": "Equivalence Set 1", - "definition": "AV/PR/UI with 3 levels specified in Table 24", + "key": "AV", + "version": "3.0.1", + "name": "Attack Vector", + "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", "schemaVersion": "2.0.0", "values": [ + { + "key": "P", + "name": "Physical", + "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." + }, { "key": "L", - "name": "Low", - "definition": "2: AV:P or not(AV:N or PR:N or UI:N)" + "name": "Local", + "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." }, { - "key": "M", - "name": "Medium", - "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P" + "key": "A", + "name": "Adjacent", + "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." }, { - "key": "H", - "name": "High", - "definition": "0: AV:N and PR:N and UI:N" + "key": "N", + "name": "Network", + "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." } ] }, "values": { + "P": { + "key": "P", + "name": "Physical", + "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." + }, "L": { "key": "L", - "name": "Low", - "definition": "2: AV:P or not(AV:N or PR:N or UI:N)" + "name": "Local", + "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." }, - "M": { - "key": "M", - "name": "Medium", - "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P" + "A": { + "key": "A", + "name": "Adjacent", + "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." }, - "H": { - "key": "H", - "name": "High", - "definition": "0: AV:N and PR:N and UI:N" + "N": { + "key": "N", + "name": "Network", + "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." } } } } }, - "EQ2": { - "key": "EQ2", + "Au": { + "key": "Au", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "EQ2", + "key": "Au", "version": "1.0.0", - "name": "Equivalence Set 2", - "definition": "AC/AT with 2 levels specified in Table 25", + "name": "Authentication", + "definition": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "1: not (AC:L and AT:N)" + "key": "N", + "name": "Not Required", + "definition": "Authentication is not required to access or exploit the vulnerability." }, { - "key": "H", - "name": "High", - "definition": "0: AC:L and AT:N" + "key": "R", + "name": "Required", + "definition": "Authentication is required to access and exploit the vulnerability." } ] }, "values": { - "L": { - "key": "L", - "name": "Low", - "definition": "1: not (AC:L and AT:N)" + "N": { + "key": "N", + "name": "Not Required", + "definition": "Authentication is not required to access or exploit the vulnerability." }, - "H": { - "key": "H", - "name": "High", - "definition": "0: AC:L and AT:N" + "R": { + "key": "R", + "name": "Required", + "definition": "Authentication is required to access and exploit the vulnerability." } } - } - } - }, - "EQ3": { - "key": "EQ3", - "versions": { - "1.0.0": { - "version": "1.0.0", + }, + "2.0.0": { + "version": "2.0.0", "obj": { "namespace": "cvss", - "key": "EQ3", - "version": "1.0.0", - "name": "Equivalence Set 3", - "definition": "VC/VI/VA with 3 levels specified in Table 26", + "key": "Au", + "version": "2.0.0", + "name": "Authentication", + "definition": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "2: not (VC:H or VI:H or VA:H)" + "key": "M", + "name": "Multiple", + "definition": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time." }, { - "key": "M", - "name": "Medium", - "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)" + "key": "S", + "name": "Single", + "definition": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)." }, { - "key": "H", - "name": "High", - "definition": "0: VC:H and VI:H" + "key": "N", + "name": "None", + "definition": "Authentication is not required to exploit the vulnerability." } ] }, "values": { - "L": { - "key": "L", - "name": "Low", - "definition": "2: not (VC:H or VI:H or VA:H)" - }, "M": { "key": "M", - "name": "Medium", - "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)" + "name": "Multiple", + "definition": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time." }, - "H": { - "key": "H", - "name": "High", - "definition": "0: VC:H and VI:H" + "S": { + "key": "S", + "name": "Single", + "definition": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)." + }, + "N": { + "key": "N", + "name": "None", + "definition": "Authentication is not required to exploit the vulnerability." } } } } }, - "EQ4": { - "key": "EQ4", + "A": { + "key": "A", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "EQ4", + "key": "A", "version": "1.0.0", - "name": "Equivalence Set 4", - "definition": "SC/SI/SA with 3 levels specified in Table 27", + "name": "Availability Impact", + "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)" - }, + "key": "N", + "name": "None", + "definition": "No impact on availability." + }, { - "key": "M", - "name": "Medium", - "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)" + "key": "P", + "name": "Partial", + "definition": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete." }, { - "key": "H", - "name": "High", - "definition": "0: MSI:S or MSA:S" + "key": "C", + "name": "Complete", + "definition": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable." } ] }, "values": { - "L": { - "key": "L", - "name": "Low", - "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)" + "N": { + "key": "N", + "name": "None", + "definition": "No impact on availability." }, - "M": { - "key": "M", - "name": "Medium", - "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)" + "P": { + "key": "P", + "name": "Partial", + "definition": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete." }, - "H": { - "key": "H", - "name": "High", - "definition": "0: MSI:S or MSA:S" + "C": { + "key": "C", + "name": "Complete", + "definition": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable." } } - } - } - }, - "EQ5": { - "key": "EQ5", - "versions": { - "1.0.0": { - "version": "1.0.0", + }, + "2.0.0": { + "version": "2.0.0", "obj": { "namespace": "cvss", - "key": "EQ5", - "version": "1.0.0", - "name": "Equivalence Set 5", - "definition": "E with 3 levels specified in Table 28", + "key": "A", + "version": "2.0.0", + "name": "Availability Impact", + "definition": "This metric measures the impact to availability of a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "2: E:U" + "key": "N", + "name": "None", + "definition": "There is no impact to the availability of the system." }, { - "key": "M", - "name": "Medium", - "definition": "1: E:P" + "key": "L", + "name": "Low", + "definition": "There is reduced performance or interruptions in resource availability." }, { "key": "H", "name": "High", - "definition": "0: E:A" + "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." } ] }, "values": { + "N": { + "key": "N", + "name": "None", + "definition": "There is no impact to the availability of the system." + }, "L": { "key": "L", "name": "Low", - "definition": "2: E:U" - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "1: E:P" + "definition": "There is reduced performance or interruptions in resource availability." }, "H": { "key": "H", "name": "High", - "definition": "0: E:A" + "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." } } } } }, - "EQ6": { - "key": "EQ6", + "VA": { + "key": "VA", "versions": { - "1.0.0": { - "version": "1.0.0", + "3.0.0": { + "version": "3.0.0", "obj": { "namespace": "cvss", - "key": "EQ6", - "version": "1.0.0", - "name": "Equivalence Set 6", - "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29", + "key": "VA", + "version": "3.0.0", + "name": "Availability Impact to the Vulnerable System", + "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ + { + "key": "N", + "name": "None", + "definition": "There is no impact to availability within the Vulnerable System." + }, { "key": "L", "name": "Low", - "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)" + "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." }, { "key": "H", "name": "High", - "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)" + "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." } ] }, "values": { + "N": { + "key": "N", + "name": "None", + "definition": "There is no impact to availability within the Vulnerable System." + }, "L": { "key": "L", "name": "Low", - "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)" + "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." }, "H": { "key": "H", "name": "High", - "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)" + "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." } } } } }, - "E": { - "key": "E", + "AR": { + "key": "AR", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "E", + "key": "AR", "version": "1.0.0", - "name": "Exploitability", - "definition": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", + "name": "Availability Requirement", + "definition": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "U", - "name": "Unproven", - "definition": "No exploit code is yet available or an exploit method is entirely theoretical." - }, - { - "key": "P", - "name": "Proof of Concept", - "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems." + "key": "L", + "name": "Low", + "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "F", - "name": "Functional", - "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable." + "key": "M", + "name": "Medium", + "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "H", "name": "High", - "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)." + "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "ND", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "U": { - "key": "U", - "name": "Unproven", - "definition": "No exploit code is yet available or an exploit method is entirely theoretical." - }, - "P": { - "key": "P", - "name": "Proof of Concept", - "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems." + "L": { + "key": "L", + "name": "Low", + "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, - "F": { - "key": "F", - "name": "Functional", - "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable." + "M": { + "key": "M", + "name": "Medium", + "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "H": { "key": "H", "name": "High", - "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)." + "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + "ND": { + "key": "ND", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } }, @@ -2601,96 +2451,81 @@ "version": "1.1.0", "obj": { "namespace": "cvss", - "key": "E", + "key": "AR", "version": "1.1.0", - "name": "Exploitability", - "definition": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", + "name": "Availability Requirement", + "definition": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "U", - "name": "Unproven", - "definition": "No exploit code is yet available or an exploit method is entirely theoretical." - }, - { - "key": "P", - "name": "Proof of Concept", - "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems." + "key": "L", + "name": "Low", + "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "F", - "name": "Functional", - "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable." + "key": "M", + "name": "Medium", + "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "H", "name": "High", - "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)." + "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "ND", + "key": "X", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "U": { - "key": "U", - "name": "Unproven", - "definition": "No exploit code is yet available or an exploit method is entirely theoretical." - }, - "P": { - "key": "P", - "name": "Proof of Concept", - "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems." + "L": { + "key": "L", + "name": "Low", + "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, - "F": { - "key": "F", - "name": "Functional", - "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable." + "M": { + "key": "M", + "name": "Medium", + "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "H": { "key": "H", "name": "High", - "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)." + "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, - "ND": { - "key": "ND", + "X": { + "key": "X", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." } } }, - "1.2.0": { - "version": "1.2.0", + "1.1.1": { + "version": "1.1.1", "obj": { "namespace": "cvss", - "key": "E", - "version": "1.2.0", - "name": "Exploit Code Maturity", - "definition": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation", + "key": "AR", + "version": "1.1.1", + "name": "Availability Requirement", + "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.", "schemaVersion": "2.0.0", "values": [ { - "key": "U", - "name": "Unproven", - "definition": "No exploit code is available, or an exploit is theoretical." + "key": "L", + "name": "Low", + "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "POC", - "name": "Proof-of-Concept", - "definition": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker." - }, - { - "key": "F", - "name": "Functional", - "definition": "Functional exploit code is available. The code works in most situations where the vulnerability exists." + "key": "M", + "name": "Medium", + "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "H", "name": "High", - "definition": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools." + "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "X", @@ -2700,80 +2535,20 @@ ] }, "values": { - "U": { - "key": "U", - "name": "Unproven", - "definition": "No exploit code is available, or an exploit is theoretical." - }, - "POC": { - "key": "POC", - "name": "Proof-of-Concept", - "definition": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker." + "L": { + "key": "L", + "name": "Low", + "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, - "F": { - "key": "F", - "name": "Functional", - "definition": "Functional exploit code is available. The code works in most situations where the vulnerability exists." + "M": { + "key": "M", + "name": "Medium", + "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "H": { "key": "H", "name": "High", - "definition": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools." - }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." - } - } - }, - "2.0.0": { - "version": "2.0.0", - "obj": { - "namespace": "cvss", - "key": "E", - "version": "2.0.0", - "name": "Exploit Maturity", - "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "U", - "name": "Unreported", - "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" - }, - { - "key": "P", - "name": "Proof-of-Concept", - "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" - }, - { - "key": "A", - "name": "Attacked", - "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" - }, - { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." - } - ] - }, - "values": { - "U": { - "key": "U", - "name": "Unreported", - "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" - }, - "P": { - "key": "P", - "name": "Proof-of-Concept", - "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" - }, - "A": { - "key": "A", - "name": "Attacked", - "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" + "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "X": { "key": "X", @@ -2784,143 +2559,148 @@ } } }, - "E_NoX": { - "key": "E_NoX", + "AR_NoX": { + "key": "AR_NoX", "versions": { - "2.0.0": { - "version": "2.0.0", + "1.1.1": { + "version": "1.1.1", "obj": { "namespace": "cvss", - "key": "E_NoX", - "version": "2.0.0", - "name": "Exploit Maturity (without Not Defined)", - "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.", + "key": "AR_NoX", + "version": "1.1.1", + "name": "Availability Requirement (without Not Defined)", + "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.", "schemaVersion": "2.0.0", "values": [ { - "key": "U", - "name": "Unreported", - "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" + "key": "L", + "name": "Low", + "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "P", - "name": "Proof-of-Concept", - "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" + "key": "M", + "name": "Medium", + "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "A", - "name": "Attacked", - "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" + "key": "H", + "name": "High", + "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." } ] }, "values": { - "U": { - "key": "U", - "name": "Unreported", - "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" + "L": { + "key": "L", + "name": "Low", + "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, - "P": { - "key": "P", - "name": "Proof-of-Concept", - "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" + "M": { + "key": "M", + "name": "Medium", + "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, - "A": { - "key": "A", - "name": "Attacked", - "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" + "H": { + "key": "H", + "name": "High", + "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." } } } } }, - "IB": { - "key": "IB", + "CDP": { + "key": "CDP", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "IB", + "key": "CDP", "version": "1.0.0", - "name": "Impact Bias", - "definition": "This metric measures the impact bias of the vulnerability.", + "name": "Collateral Damage Potential", + "definition": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.", "schemaVersion": "2.0.0", "values": [ { "key": "N", - "name": "Normal", - "definition": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight." + "name": "None", + "definition": "There is no potential for physical or property damage." }, { - "key": "C", - "name": "Confidentiality", - "definition": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact." + "key": "L", + "name": "Low", + "definition": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed." }, { - "key": "I", - "name": "Integrity", - "definition": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact." + "key": "M", + "name": "Medium", + "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." }, { - "key": "A", - "name": "Availability", - "definition": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact." + "key": "H", + "name": "High", + "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." } ] }, "values": { "N": { "key": "N", - "name": "Normal", - "definition": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight." + "name": "None", + "definition": "There is no potential for physical or property damage." }, - "C": { - "key": "C", - "name": "Confidentiality", - "definition": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact." + "L": { + "key": "L", + "name": "Low", + "definition": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed." }, - "I": { - "key": "I", - "name": "Integrity", - "definition": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact." + "M": { + "key": "M", + "name": "Medium", + "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." }, - "A": { - "key": "A", - "name": "Availability", - "definition": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact." + "H": { + "key": "H", + "name": "High", + "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." } } - } - } - }, - "I": { - "key": "I", - "versions": { - "1.0.0": { - "version": "1.0.0", + }, + "2.0.0": { + "version": "2.0.0", "obj": { "namespace": "cvss", - "key": "I", - "version": "1.0.0", - "name": "Integrity Impact", - "definition": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.", + "key": "CDP", + "version": "2.0.0", + "name": "Collateral Damage Potential", + "definition": "This metric measures the potential for loss of life or physical assets.", "schemaVersion": "2.0.0", "values": [ { "key": "N", "name": "None", - "definition": "No impact on integrity." + "definition": "There is no potential for loss of life, physical assets, productivity or revenue." }, { - "key": "P", - "name": "Partial", - "definition": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope." + "key": "LM", + "name": "Low-Medium", + "definition": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss." }, { - "key": "C", - "name": "Complete", - "definition": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files." + "key": "MH", + "name": "Medium-High", + "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." + }, + { + "key": "H", + "name": "High", + "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." + }, + { + "key": "ND", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, @@ -2928,17 +2708,77 @@ "N": { "key": "N", "name": "None", - "definition": "No impact on integrity." + "definition": "There is no potential for loss of life, physical assets, productivity or revenue." }, - "P": { - "key": "P", - "name": "Partial", - "definition": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope." + "LM": { + "key": "LM", + "name": "Low-Medium", + "definition": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss." + }, + "MH": { + "key": "MH", + "name": "Medium-High", + "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." + }, + "H": { + "key": "H", + "name": "High", + "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." + }, + "ND": { + "key": "ND", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." + } + } + } + } + }, + "C": { + "key": "C", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cvss", + "key": "C", + "version": "1.0.0", + "name": "Confidentiality Impact", + "definition": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "definition": "No impact on confidentiality." + }, + { + "key": "P", + "name": "Partial", + "definition": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained." + }, + { + "key": "C", + "name": "Complete", + "definition": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)." + } + ] + }, + "values": { + "N": { + "key": "N", + "name": "None", + "definition": "No impact on confidentiality." + }, + "P": { + "key": "P", + "name": "Partial", + "definition": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained." }, "C": { "key": "C", "name": "Complete", - "definition": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files." + "definition": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)." } } }, @@ -2946,26 +2786,26 @@ "version": "2.0.0", "obj": { "namespace": "cvss", - "key": "I", + "key": "C", "version": "2.0.0", - "name": "Integrity Impact", - "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "name": "Confidentiality Impact", + "definition": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { "key": "N", "name": "None", - "definition": "There is no impact to the integrity of the system." + "definition": "There is no loss of confidentiality within the impacted component." }, { "key": "L", "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component." + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." }, { "key": "H", "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection." + "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." } ] }, @@ -2973,49 +2813,49 @@ "N": { "key": "N", "name": "None", - "definition": "There is no impact to the integrity of the system." + "definition": "There is no loss of confidentiality within the impacted component." }, "L": { "key": "L", "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component." + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." }, "H": { "key": "H", "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection." + "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." } } } } }, - "VI": { - "key": "VI", + "VC": { + "key": "VC", "versions": { "3.0.0": { "version": "3.0.0", "obj": { "namespace": "cvss", - "key": "VI", + "key": "VC", "version": "3.0.0", - "name": "Integrity Impact to the Vulnerable System", - "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "name": "Confidentiality Impact to the Vulnerable System", + "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", "schemaVersion": "2.0.0", "values": [ { "key": "N", "name": "None", - "definition": "There is no loss of integrity within the Vulnerable System." + "definition": "There is no loss of confidentiality within the impacted component." }, { "key": "L", "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." }, { "key": "H", "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection." + "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." } ] }, @@ -3023,49 +2863,49 @@ "N": { "key": "N", "name": "None", - "definition": "There is no loss of integrity within the Vulnerable System." + "definition": "There is no loss of confidentiality within the impacted component." }, "L": { "key": "L", "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." }, "H": { "key": "H", "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection." + "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." } } } } }, - "IR": { - "key": "IR", + "CR": { + "key": "CR", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "IR", + "key": "CR", "version": "1.0.0", - "name": "Integrity Requirement", - "definition": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", + "name": "Confidentiality Requirement", + "definition": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { "key": "L", "name": "Low", - "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "M", "name": "Medium", - "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "H", "name": "High", - "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "ND", @@ -3078,17 +2918,17 @@ "L": { "key": "L", "name": "Low", - "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "M": { "key": "M", "name": "Medium", - "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "H": { "key": "H", "name": "High", - "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "ND": { "key": "ND", @@ -3101,26 +2941,26 @@ "version": "1.1.0", "obj": { "namespace": "cvss", - "key": "IR", + "key": "CR", "version": "1.1.0", - "name": "Integrity Requirement", - "definition": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", + "name": "Confidentiality Requirement", + "definition": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { "key": "L", "name": "Low", - "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "M", "name": "Medium", - "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "H", "name": "High", - "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "X", @@ -3133,17 +2973,17 @@ "L": { "key": "L", "name": "Low", - "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "M": { "key": "M", "name": "Medium", - "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "H": { "key": "H", "name": "High", - "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "X": { "key": "X", @@ -3156,26 +2996,26 @@ "version": "1.1.1", "obj": { "namespace": "cvss", - "key": "IR", + "key": "CR", "version": "1.1.1", - "name": "Integrity Requirement", + "name": "Confidentiality Requirement", "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.", "schemaVersion": "2.0.0", "values": [ { "key": "L", "name": "Low", - "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "M", "name": "Medium", - "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "H", "name": "High", - "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "X", @@ -3188,17 +3028,17 @@ "L": { "key": "L", "name": "Low", - "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "M": { "key": "M", "name": "Medium", - "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "H": { "key": "H", "name": "High", - "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "X": { "key": "X", @@ -3209,33 +3049,33 @@ } } }, - "IR_NoX": { - "key": "IR_NoX", + "CR_NoX": { + "key": "CR_NoX", "versions": { "1.1.1": { "version": "1.1.1", "obj": { "namespace": "cvss", - "key": "IR_NoX", + "key": "CR_NoX", "version": "1.1.1", - "name": "Integrity Requirement (without Not Defined)", + "name": "Confidentiality Requirement (without Not Defined)", "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.", "schemaVersion": "2.0.0", "values": [ { "key": "L", "name": "Low", - "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "M", "name": "Medium", - "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { "key": "H", "name": "High", - "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." } ] }, @@ -3243,1619 +3083,1339 @@ "L": { "key": "L", "name": "Low", - "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "M": { "key": "M", "name": "Medium", - "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, "H": { "key": "H", "name": "High", - "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." } } } } }, - "SA": { - "key": "SA", + "EQ1": { + "key": "EQ1", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "SA", + "key": "EQ1", "version": "1.0.0", - "name": "Availability Impact to the Subsequent System", - "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", + "name": "Equivalence Set 1", + "definition": "AV/PR/UI with 3 levels specified in Table 24", "schemaVersion": "2.0.0", "values": [ - { - "key": "N", - "name": "None", - "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." - }, { "key": "L", "name": "Low", - "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." + "definition": "2: AV:P or not(AV:N or PR:N or UI:N)" + }, + { + "key": "M", + "name": "Medium", + "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P" }, { "key": "H", "name": "High", - "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + "definition": "0: AV:N and PR:N and UI:N" } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." - }, "L": { "key": "L", "name": "Low", - "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." + "definition": "2: AV:P or not(AV:N or PR:N or UI:N)" + }, + "M": { + "key": "M", + "name": "Medium", + "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P" }, "H": { "key": "H", "name": "High", - "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + "definition": "0: AV:N and PR:N and UI:N" } } } } }, - "MSA": { - "key": "MSA", + "EQ2": { + "key": "EQ2", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MSA", + "key": "EQ2", "version": "1.0.0", - "name": "Modified Availability Impact to the Subsequent System", - "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", + "name": "Equivalence Set 2", + "definition": "AC/AT with 2 levels specified in Table 25", "schemaVersion": "2.0.0", "values": [ - { - "key": "N", - "name": "None", - "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." - }, { "key": "L", "name": "Low", - "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." + "definition": "1: not (AC:L and AT:N)" }, { "key": "H", "name": "High", - "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." - }, - { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "definition": "0: AC:L and AT:N" } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." - }, "L": { "key": "L", "name": "Low", - "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." + "definition": "1: not (AC:L and AT:N)" }, "H": { "key": "H", "name": "High", - "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." - }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "definition": "0: AC:L and AT:N" } } - }, - "1.0.1": { - "version": "1.0.1", + } + } + }, + "EQ3": { + "key": "EQ3", + "versions": { + "1.0.0": { + "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MSA", - "version": "1.0.1", - "name": "Modified Availability Impact to the Subsequent System", - "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", + "key": "EQ3", + "version": "1.0.0", + "name": "Equivalence Set 3", + "definition": "VC/VI/VA with 3 levels specified in Table 26", "schemaVersion": "2.0.0", "values": [ - { - "key": "N", - "name": "Negligible", - "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." - }, { "key": "L", "name": "Low", - "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." - }, - { - "key": "H", - "name": "High", - "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + "definition": "2: not (VC:H or VI:H or VA:H)" }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "M", + "name": "Medium", + "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)" }, { - "key": "S", - "name": "Safety", - "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." + "key": "H", + "name": "High", + "definition": "0: VC:H and VI:H" } ] }, "values": { - "N": { - "key": "N", - "name": "Negligible", - "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." - }, "L": { "key": "L", "name": "Low", - "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." + "definition": "2: not (VC:H or VI:H or VA:H)" + }, + "M": { + "key": "M", + "name": "Medium", + "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)" }, "H": { "key": "H", "name": "High", - "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." - }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." - }, - "S": { - "key": "S", - "name": "Safety", - "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." + "definition": "0: VC:H and VI:H" } } } } }, - "MSA_NoX": { - "key": "MSA_NoX", + "EQ4": { + "key": "EQ4", "versions": { - "1.0.1": { - "version": "1.0.1", + "1.0.0": { + "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MSA_NoX", - "version": "1.0.1", - "name": "Modified Availability Impact to the Subsequent System (without Not Defined)", - "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.", + "key": "EQ4", + "version": "1.0.0", + "name": "Equivalence Set 4", + "definition": "SC/SI/SA with 3 levels specified in Table 27", "schemaVersion": "2.0.0", "values": [ - { - "key": "N", - "name": "Negligible", - "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." - }, { "key": "L", "name": "Low", - "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." + "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)" }, { - "key": "H", - "name": "High", - "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + "key": "M", + "name": "Medium", + "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)" }, { - "key": "S", - "name": "Safety", - "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." + "key": "H", + "name": "High", + "definition": "0: MSI:S or MSA:S" } ] }, "values": { - "N": { - "key": "N", - "name": "Negligible", - "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." - }, "L": { "key": "L", "name": "Low", - "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." + "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)" + }, + "M": { + "key": "M", + "name": "Medium", + "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)" }, "H": { "key": "H", "name": "High", - "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." - }, - "S": { - "key": "S", - "name": "Safety", - "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." + "definition": "0: MSI:S or MSA:S" } } } } }, - "SI": { - "key": "SI", + "EQ5": { + "key": "EQ5", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "SI", + "key": "EQ5", "version": "1.0.0", - "name": "Integrity Impact to the Subsequent System", - "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", + "name": "Equivalence Set 5", + "definition": "E with 3 levels specified in Table 28", "schemaVersion": "2.0.0", "values": [ - { - "key": "N", - "name": "None", - "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." - }, { "key": "L", "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + "definition": "2: E:U" + }, + { + "key": "M", + "name": "Medium", + "definition": "1: E:P" }, { "key": "H", "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." + "definition": "0: E:A" } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." - }, "L": { "key": "L", "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + "definition": "2: E:U" + }, + "M": { + "key": "M", + "name": "Medium", + "definition": "1: E:P" }, "H": { "key": "H", "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." + "definition": "0: E:A" } } } } }, - "MSI": { - "key": "MSI", + "EQ6": { + "key": "EQ6", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MSI", + "key": "EQ6", "version": "1.0.0", - "name": "Modified Integrity Impact to the Subsequent System", - "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", + "name": "Equivalence Set 6", + "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29", "schemaVersion": "2.0.0", "values": [ - { - "key": "N", - "name": "None", - "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." - }, { "key": "L", "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)" }, { "key": "H", "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." - }, - { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)" } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." - }, "L": { "key": "L", "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)" }, "H": { "key": "H", "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." - }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)" } } - }, - "1.0.1": { - "version": "1.0.1", + } + } + }, + "E": { + "key": "E", + "versions": { + "1.0.0": { + "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MSI", - "version": "1.0.1", - "name": "Modified Integrity Impact to the Subsequent System", - "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", + "key": "E", + "version": "1.0.0", + "name": "Exploitability", + "definition": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "Negligible", - "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." - }, - { - "key": "L", - "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + "key": "U", + "name": "Unproven", + "definition": "No exploit code is yet available or an exploit method is entirely theoretical." }, { - "key": "H", - "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." + "key": "P", + "name": "Proof of Concept", + "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems." }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "F", + "name": "Functional", + "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable." }, { - "key": "S", - "name": "Safety", - "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." + "key": "H", + "name": "High", + "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)." } ] }, "values": { - "N": { - "key": "N", - "name": "Negligible", - "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." + "U": { + "key": "U", + "name": "Unproven", + "definition": "No exploit code is yet available or an exploit method is entirely theoretical." }, - "L": { - "key": "L", - "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + "P": { + "key": "P", + "name": "Proof of Concept", + "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems." + }, + "F": { + "key": "F", + "name": "Functional", + "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable." }, "H": { "key": "H", "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." - }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." - }, - "S": { - "key": "S", - "name": "Safety", - "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." + "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)." } } - } - } - }, - "MSI_NoX": { - "key": "MSI_NoX", - "versions": { - "1.0.1": { - "version": "1.0.1", + }, + "1.1.0": { + "version": "1.1.0", "obj": { "namespace": "cvss", - "key": "MSI_NoX", - "version": "1.0.1", - "name": "Modified Integrity Impact to the Subsequent System (without Not Defined)", - "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.", + "key": "E", + "version": "1.1.0", + "name": "Exploitability", + "definition": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "Negligible", - "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." + "key": "U", + "name": "Unproven", + "definition": "No exploit code is yet available or an exploit method is entirely theoretical." }, { - "key": "L", - "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + "key": "P", + "name": "Proof of Concept", + "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems." + }, + { + "key": "F", + "name": "Functional", + "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable." }, { "key": "H", "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." + "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)." }, { - "key": "S", - "name": "Safety", - "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." + "key": "ND", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "N": { - "key": "N", - "name": "Negligible", - "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." + "U": { + "key": "U", + "name": "Unproven", + "definition": "No exploit code is yet available or an exploit method is entirely theoretical." }, - "L": { - "key": "L", - "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + "P": { + "key": "P", + "name": "Proof of Concept", + "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems." + }, + "F": { + "key": "F", + "name": "Functional", + "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable." }, "H": { "key": "H", "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." + "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)." }, - "S": { - "key": "S", - "name": "Safety", - "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." + "ND": { + "key": "ND", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } - } - } - }, - "PR": { - "key": "PR", - "versions": { - "1.0.0": { - "version": "1.0.0", + }, + "1.2.0": { + "version": "1.2.0", "obj": { "namespace": "cvss", - "key": "PR", - "version": "1.0.0", - "name": "Privileges Required", - "definition": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", + "key": "E", + "version": "1.2.0", + "name": "Exploit Code Maturity", + "definition": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation", "schemaVersion": "2.0.0", "values": [ { - "key": "H", - "name": "High", - "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files." + "key": "U", + "name": "Unproven", + "definition": "No exploit code is available, or an exploit is theoretical." }, { - "key": "L", - "name": "Low", - "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources." + "key": "POC", + "name": "Proof-of-Concept", + "definition": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker." }, { - "key": "N", - "name": "None", - "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + "key": "F", + "name": "Functional", + "definition": "Functional exploit code is available. The code works in most situations where the vulnerability exists." + }, + { + "key": "H", + "name": "High", + "definition": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools." + }, + { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { + "U": { + "key": "U", + "name": "Unproven", + "definition": "No exploit code is available, or an exploit is theoretical." + }, + "POC": { + "key": "POC", + "name": "Proof-of-Concept", + "definition": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker." + }, + "F": { + "key": "F", + "name": "Functional", + "definition": "Functional exploit code is available. The code works in most situations where the vulnerability exists." + }, "H": { "key": "H", "name": "High", - "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files." - }, - "L": { - "key": "L", - "name": "Low", - "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources." + "definition": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools." }, - "N": { - "key": "N", - "name": "None", - "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } }, - "1.0.1": { - "version": "1.0.1", + "2.0.0": { + "version": "2.0.0", "obj": { "namespace": "cvss", - "key": "PR", - "version": "1.0.1", - "name": "Privileges Required", - "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", + "key": "E", + "version": "2.0.0", + "name": "Exploit Maturity", + "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.", "schemaVersion": "2.0.0", "values": [ { - "key": "H", - "name": "High", - "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." + "key": "U", + "name": "Unreported", + "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" }, { - "key": "L", - "name": "Low", - "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." + "key": "P", + "name": "Proof-of-Concept", + "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" }, { - "key": "N", - "name": "None", - "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + "key": "A", + "name": "Attacked", + "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" + }, + { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "H": { - "key": "H", - "name": "High", - "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." + "U": { + "key": "U", + "name": "Unreported", + "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" }, - "L": { - "key": "L", - "name": "Low", - "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." + "P": { + "key": "P", + "name": "Proof-of-Concept", + "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" }, - "N": { - "key": "N", - "name": "None", - "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + "A": { + "key": "A", + "name": "Attacked", + "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" + }, + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } } } }, - "QS": { - "key": "QS", + "E_NoX": { + "key": "E_NoX", "versions": { - "1.0.0": { - "version": "1.0.0", + "2.0.0": { + "version": "2.0.0", "obj": { "namespace": "cvss", - "key": "QS", - "version": "1.0.0", - "name": "CVSS Qualitative Severity Rating Scale", - "definition": "The CVSS Qualitative Severity Rating Scale provides a categorical representation of a CVSS Score.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "None", - "definition": "No severity rating (0.0)" - }, - { - "key": "L", - "name": "Low", - "definition": "Low (0.1 - 3.9)" - }, + "key": "E_NoX", + "version": "2.0.0", + "name": "Exploit Maturity (without Not Defined)", + "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.", + "schemaVersion": "2.0.0", + "values": [ { - "key": "M", - "name": "Medium", - "definition": "Medium (4.0 - 6.9)" + "key": "U", + "name": "Unreported", + "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" }, { - "key": "H", - "name": "High", - "definition": "High (7.0 - 8.9)" + "key": "P", + "name": "Proof-of-Concept", + "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" }, { - "key": "C", - "name": "Critical", - "definition": "Critical (9.0 - 10.0)" + "key": "A", + "name": "Attacked", + "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "No severity rating (0.0)" - }, - "L": { - "key": "L", - "name": "Low", - "definition": "Low (0.1 - 3.9)" - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Medium (4.0 - 6.9)" + "U": { + "key": "U", + "name": "Unreported", + "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" }, - "H": { - "key": "H", - "name": "High", - "definition": "High (7.0 - 8.9)" + "P": { + "key": "P", + "name": "Proof-of-Concept", + "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" }, - "C": { - "key": "C", - "name": "Critical", - "definition": "Critical (9.0 - 10.0)" + "A": { + "key": "A", + "name": "Attacked", + "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" } } } } }, - "RL": { - "key": "RL", + "IB": { + "key": "IB", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "RL", + "key": "IB", "version": "1.0.0", - "name": "Remediation Level", - "definition": "This metric measures the remediation status of a vulnerability.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "OF", - "name": "Official Fix", - "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available." - }, - { - "key": "TF", - "name": "Temporary Fix", - "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround." - }, - { - "key": "W", - "name": "Workaround", - "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set." - }, - { - "key": "U", - "name": "Unavailable", - "definition": "There is either no solution available or it is impossible to apply." - } - ] - }, - "values": { - "OF": { - "key": "OF", - "name": "Official Fix", - "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available." - }, - "TF": { - "key": "TF", - "name": "Temporary Fix", - "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround." - }, - "W": { - "key": "W", - "name": "Workaround", - "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set." - }, - "U": { - "key": "U", - "name": "Unavailable", - "definition": "There is either no solution available or it is impossible to apply." - } - } - }, - "1.1.0": { - "version": "1.1.0", - "obj": { - "namespace": "cvss", - "key": "RL", - "version": "1.1.0", - "name": "Remediation Level", - "definition": "This metric measures the remediation status of a vulnerability.", + "name": "Impact Bias", + "definition": "This metric measures the impact bias of the vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "OF", - "name": "Official Fix", - "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available." - }, - { - "key": "TF", - "name": "Temporary Fix", - "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround." + "key": "N", + "name": "Normal", + "definition": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight." }, { - "key": "W", - "name": "Workaround", - "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set." + "key": "C", + "name": "Confidentiality", + "definition": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact." }, { - "key": "U", - "name": "Unavailable", - "definition": "There is either no solution available or it is impossible to apply." + "key": "I", + "name": "Integrity", + "definition": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact." }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "A", + "name": "Availability", + "definition": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact." } ] }, "values": { - "OF": { - "key": "OF", - "name": "Official Fix", - "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available." - }, - "TF": { - "key": "TF", - "name": "Temporary Fix", - "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround." + "N": { + "key": "N", + "name": "Normal", + "definition": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight." }, - "W": { - "key": "W", - "name": "Workaround", - "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set." + "C": { + "key": "C", + "name": "Confidentiality", + "definition": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact." }, - "U": { - "key": "U", - "name": "Unavailable", - "definition": "There is either no solution available or it is impossible to apply." + "I": { + "key": "I", + "name": "Integrity", + "definition": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact." }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "A": { + "key": "A", + "name": "Availability", + "definition": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact." } } } } }, - "RC": { - "key": "RC", + "I": { + "key": "I", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "RC", + "key": "I", "version": "1.0.0", - "name": "Report Confidence", - "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", + "name": "Integrity Impact", + "definition": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.", "schemaVersion": "2.0.0", "values": [ { - "key": "UC", - "name": "Unconfirmed", - "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report." + "key": "N", + "name": "None", + "definition": "No impact on integrity." }, { - "key": "UR", - "name": "Uncorroborated", - "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity." + "key": "P", + "name": "Partial", + "definition": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope." }, { "key": "C", - "name": "Confirmed", - "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation." + "name": "Complete", + "definition": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files." } ] }, "values": { - "UC": { - "key": "UC", - "name": "Unconfirmed", - "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report." + "N": { + "key": "N", + "name": "None", + "definition": "No impact on integrity." }, - "UR": { - "key": "UR", - "name": "Uncorroborated", - "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity." + "P": { + "key": "P", + "name": "Partial", + "definition": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope." }, "C": { "key": "C", - "name": "Confirmed", - "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation." + "name": "Complete", + "definition": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files." } } }, - "1.1.0": { - "version": "1.1.0", + "2.0.0": { + "version": "2.0.0", "obj": { "namespace": "cvss", - "key": "RC", - "version": "1.1.0", - "name": "Report Confidence", - "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", + "key": "I", + "version": "2.0.0", + "name": "Integrity Impact", + "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "UC", - "name": "Unconfirmed", - "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report." - }, - { - "key": "UR", - "name": "Uncorroborated", - "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity." - }, - { - "key": "C", - "name": "Confirmed", - "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation." - }, - { - "key": "ND", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." - } - ] - }, - "values": { - "UC": { - "key": "UC", - "name": "Unconfirmed", - "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report." - }, - "UR": { - "key": "UR", - "name": "Uncorroborated", - "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity." - }, - "C": { - "key": "C", - "name": "Confirmed", - "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation." - }, - "ND": { - "key": "ND", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." - } - } - }, - "2.0.0": { - "version": "2.0.0", - "obj": { - "namespace": "cvss", - "key": "RC", - "version": "2.0.0", - "name": "Report Confidence", - "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "U", - "name": "Unknown", - "definition": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described." - }, - { - "key": "R", - "name": "Reasonable", - "definition": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)." + "key": "N", + "name": "None", + "definition": "There is no impact to the integrity of the system." }, { - "key": "C", - "name": "Confirmed", - "definition": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability." + "key": "L", + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component." }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection." } ] }, "values": { - "U": { - "key": "U", - "name": "Unknown", - "definition": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described." - }, - "R": { - "key": "R", - "name": "Reasonable", - "definition": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)." - }, - "C": { - "key": "C", - "name": "Confirmed", - "definition": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability." + "N": { + "key": "N", + "name": "None", + "definition": "There is no impact to the integrity of the system." }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." - } - } - } - } - }, - "S": { - "key": "S", - "versions": { - "1.0.0": { - "version": "1.0.0", - "obj": { - "namespace": "cvss", - "key": "S", - "version": "1.0.0", - "name": "Scope", - "definition": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "U", - "name": "Unchanged", - "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same." - }, - { - "key": "C", - "name": "Changed", - "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different." - } - ] - }, - "values": { - "U": { - "key": "U", - "name": "Unchanged", - "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same." + "L": { + "key": "L", + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component." }, - "C": { - "key": "C", - "name": "Changed", - "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different." + "H": { + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection." } } } } }, - "SC": { - "key": "SC", + "VI": { + "key": "VI", "versions": { - "1.0.0": { - "version": "1.0.0", + "3.0.0": { + "version": "3.0.0", "obj": { "namespace": "cvss", - "key": "SC", - "version": "1.0.0", - "name": "Confidentiality Impact to the Subsequent System", - "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", + "key": "VI", + "version": "3.0.0", + "name": "Integrity Impact to the Vulnerable System", + "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { "key": "N", - "name": "Negligible", - "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." + "name": "None", + "definition": "There is no loss of integrity within the Vulnerable System." }, { "key": "L", "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." }, { "key": "H", "name": "High", - "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." + "definition": "There is a total loss of integrity, or a complete loss of protection." } ] }, "values": { "N": { "key": "N", - "name": "Negligible", - "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." + "name": "None", + "definition": "There is no loss of integrity within the Vulnerable System." }, "L": { "key": "L", "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." }, "H": { "key": "H", "name": "High", - "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." + "definition": "There is a total loss of integrity, or a complete loss of protection." } } } } }, - "AU": { - "key": "AU", + "IR": { + "key": "IR", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "AU", + "key": "IR", "version": "1.0.0", - "name": "Automatable", - "definition": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.", + "name": "Integrity Requirement", + "definition": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "No", - "definition": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation." + "key": "L", + "name": "Low", + "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "Y", - "name": "Yes", - "definition": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")." + "key": "M", + "name": "Medium", + "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "X", + "key": "H", + "name": "High", + "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "ND", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "N": { - "key": "N", - "name": "No", - "definition": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation." + "L": { + "key": "L", + "name": "Low", + "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, - "Y": { - "key": "Y", - "name": "Yes", - "definition": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")." + "M": { + "key": "M", + "name": "Medium", + "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, - "X": { - "key": "X", + "H": { + "key": "H", + "name": "High", + "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + "ND": { + "key": "ND", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." } } - } - } - }, - "U": { - "key": "U", - "versions": { - "1.0.0": { - "version": "1.0.0", + }, + "1.1.0": { + "version": "1.1.0", "obj": { "namespace": "cvss", - "key": "U", - "version": "1.0.0", - "name": "Provider Urgency", - "definition": "Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories. To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional \"pass-through\" Supplemental Metric called Provider Urgency is available.", + "key": "IR", + "version": "1.1.0", + "name": "Integrity Requirement", + "definition": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." - }, - { - "key": "C", - "name": "Clear", - "definition": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)." + "key": "L", + "name": "Low", + "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "G", - "name": "Green", - "definition": "Provider has assessed the impact of this vulnerability as having a reduced urgency." + "key": "M", + "name": "Medium", + "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "A", - "name": "Amber", - "definition": "Provider has assessed the impact of this vulnerability as having a moderate urgency." + "key": "H", + "name": "High", + "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "R", - "name": "Red", - "definition": "Provider has assessed the impact of this vulnerability as having the highest urgency." + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { + "L": { + "key": "L", + "name": "Low", + "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + "M": { + "key": "M", + "name": "Medium", + "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + "H": { + "key": "H", + "name": "High", + "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, "X": { "key": "X", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." - }, - "C": { - "key": "C", - "name": "Clear", - "definition": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)." - }, - "G": { - "key": "G", - "name": "Green", - "definition": "Provider has assessed the impact of this vulnerability as having a reduced urgency." - }, - "A": { - "key": "A", - "name": "Amber", - "definition": "Provider has assessed the impact of this vulnerability as having a moderate urgency." - }, - "R": { - "key": "R", - "name": "Red", - "definition": "Provider has assessed the impact of this vulnerability as having the highest urgency." } } - } - } - }, - "R": { - "key": "R", - "versions": { - "1.0.0": { - "version": "1.0.0", + }, + "1.1.1": { + "version": "1.1.1", "obj": { "namespace": "cvss", - "key": "R", - "version": "1.0.0", - "name": "Recovery", - "definition": "The Recovery metric describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.", + "key": "IR", + "version": "1.1.1", + "name": "Integrity Requirement", + "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.", "schemaVersion": "2.0.0", "values": [ { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "L", + "name": "Low", + "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "A", - "name": "Automatic", - "definition": "The system recovers services automatically after an attack has been performed." + "key": "M", + "name": "Medium", + "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "U", - "name": "User", - "definition": "The system requires manual intervention by the user to recover services, after an attack has been performed." + "key": "H", + "name": "High", + "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "I", - "name": "Irrecoverable", - "definition": "The system services are irrecoverable by the user, after an attack has been performed." + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { + "L": { + "key": "L", + "name": "Low", + "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + "M": { + "key": "M", + "name": "Medium", + "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + "H": { + "key": "H", + "name": "High", + "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, "X": { "key": "X", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." - }, - "A": { - "key": "A", - "name": "Automatic", - "definition": "The system recovers services automatically after an attack has been performed." - }, - "U": { - "key": "U", - "name": "User", - "definition": "The system requires manual intervention by the user to recover services, after an attack has been performed." - }, - "I": { - "key": "I", - "name": "Irrecoverable", - "definition": "The system services are irrecoverable by the user, after an attack has been performed." } } } } }, - "SF": { - "key": "SF", + "IR_NoX": { + "key": "IR_NoX", "versions": { - "1.0.0": { - "version": "1.0.0", + "1.1.1": { + "version": "1.1.1", "obj": { "namespace": "cvss", - "key": "SF", - "version": "1.0.0", - "name": "Safety", - "definition": "The Safety decision point is a measure of the potential for harm to humans or the environment.", + "key": "IR_NoX", + "version": "1.1.1", + "name": "Integrity Requirement (without Not Defined)", + "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.", "schemaVersion": "2.0.0", "values": [ { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "L", + "name": "Low", + "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "P", - "name": "Present", - "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\"" + "key": "M", + "name": "Medium", + "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, { - "key": "N", - "name": "Negligible", - "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\"" + "key": "H", + "name": "High", + "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." } ] }, "values": { - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "L": { + "key": "L", + "name": "Low", + "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, - "P": { - "key": "P", - "name": "Present", - "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\"" + "M": { + "key": "M", + "name": "Medium", + "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." }, - "N": { - "key": "N", - "name": "Negligible", - "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\"" + "H": { + "key": "H", + "name": "High", + "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." } } } } }, - "V": { - "key": "V", + "SA": { + "key": "SA", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "V", + "key": "SA", "version": "1.0.0", - "name": "Value Density", - "definition": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.", + "name": "Availability Impact to the Subsequent System", + "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", "schemaVersion": "2.0.0", "values": [ { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "N", + "name": "None", + "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." }, { - "key": "D", - "name": "Diffuse", - "definition": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small." + "key": "L", + "name": "Low", + "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." }, { - "key": "C", - "name": "Concentrated", - "definition": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users." + "key": "H", + "name": "High", + "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." } ] }, "values": { - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "N": { + "key": "N", + "name": "None", + "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." }, - "D": { - "key": "D", - "name": "Diffuse", - "definition": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small." + "L": { + "key": "L", + "name": "Low", + "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." }, - "C": { - "key": "C", - "name": "Concentrated", - "definition": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users." + "H": { + "key": "H", + "name": "High", + "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." } } } } }, - "RE": { - "key": "RE", + "MSA": { + "key": "MSA", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "RE", + "key": "MSA", "version": "1.0.0", - "name": "Vulnerability Response Effort", - "definition": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.", + "name": "Modified Availability Impact to the Subsequent System", + "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", "schemaVersion": "2.0.0", "values": [ { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "N", + "name": "None", + "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." }, { "key": "L", "name": "Low", - "definition": "The effort required to respond to a vulnerability is low/trivial." - }, - { - "key": "M", - "name": "Moderate", - "definition": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement." + "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." }, { "key": "H", "name": "High", - "definition": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)." + "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "N": { + "key": "N", + "name": "None", + "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." }, "L": { "key": "L", "name": "Low", - "definition": "The effort required to respond to a vulnerability is low/trivial." - }, - "M": { - "key": "M", - "name": "Moderate", - "definition": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement." + "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." }, "H": { "key": "H", "name": "High", - "definition": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)." + "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } - } - } - }, - "TD": { - "key": "TD", - "versions": { - "1.0.0": { - "version": "1.0.0", + }, + "1.0.1": { + "version": "1.0.1", "obj": { "namespace": "cvss", - "key": "TD", - "version": "1.0.0", - "name": "Target Distribution", - "definition": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", + "key": "MSA", + "version": "1.0.1", + "name": "Modified Availability Impact to the Subsequent System", + "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", "schemaVersion": "2.0.0", "values": [ { "key": "N", - "name": "None", - "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk." + "name": "Negligible", + "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." }, { "key": "L", "name": "Low", - "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk." - }, - { - "key": "M", - "name": "Medium", - "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk." + "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." }, { "key": "H", "name": "High", - "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk." + "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "S", + "name": "Safety", + "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." } ] }, "values": { "N": { "key": "N", - "name": "None", - "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk." + "name": "Negligible", + "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." }, "L": { "key": "L", "name": "Low", - "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk." - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk." + "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." }, "H": { "key": "H", "name": "High", - "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk." + "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." + }, + "S": { + "key": "S", + "name": "Safety", + "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." } } - }, - "1.1.0": { - "version": "1.1.0", + } + } + }, + "MSA_NoX": { + "key": "MSA_NoX", + "versions": { + "1.0.1": { + "version": "1.0.1", "obj": { "namespace": "cvss", - "key": "TD", - "version": "1.1.0", - "name": "Target Distribution", - "definition": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", + "key": "MSA_NoX", + "version": "1.0.1", + "name": "Modified Availability Impact to the Subsequent System (without Not Defined)", + "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.", "schemaVersion": "2.0.0", "values": [ { "key": "N", - "name": "None", - "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk." + "name": "Negligible", + "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." }, { "key": "L", "name": "Low", - "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk." - }, - { - "key": "M", - "name": "Medium", - "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk." + "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." }, { "key": "H", "name": "High", - "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk." + "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "S", + "name": "Safety", + "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." } ] }, "values": { "N": { "key": "N", - "name": "None", - "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk." + "name": "Negligible", + "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." }, "L": { "key": "L", "name": "Low", - "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk." - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk." + "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." }, "H": { "key": "H", "name": "High", - "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk." + "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "S": { + "key": "S", + "name": "Safety", + "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." } } } } }, - "UI": { - "key": "UI", + "SI": { + "key": "SI", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "UI", + "key": "SI", "version": "1.0.0", - "name": "User Interaction", - "definition": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", + "name": "Integrity Impact to the Subsequent System", + "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", "schemaVersion": "2.0.0", "values": [ - { - "key": "R", - "name": "Required", - "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited." - }, { "key": "N", "name": "None", - "definition": "The vulnerable system can be exploited without interaction from any user." - } - ] - }, - "values": { - "R": { - "key": "R", - "name": "Required", - "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited." - }, - "N": { - "key": "N", - "name": "None", - "definition": "The vulnerable system can be exploited without interaction from any user." - } - } - }, - "2.0.0": { - "version": "2.0.0", - "obj": { - "namespace": "cvss", - "key": "UI", - "version": "2.0.0", - "name": "User Interaction", - "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "A", - "name": "Active", - "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." + "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." }, { - "key": "P", - "name": "Passive", - "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." + "key": "L", + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." }, { - "key": "N", - "name": "None", - "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." } ] }, "values": { - "A": { - "key": "A", - "name": "Active", - "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." - }, - "P": { - "key": "P", - "name": "Passive", - "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." - }, "N": { "key": "N", "name": "None", - "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." + "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." + }, + "L": { + "key": "L", + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + }, + "H": { + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." } } } } }, - "CVSS": { - "key": "CVSS", + "MSI": { + "key": "MSI", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "CVSS", + "key": "MSI", "version": "1.0.0", - "name": "CVSS Qualitative Severity Rating Scale", - "definition": "The CVSS Qualitative Severity Rating Scale group.", + "name": "Modified Integrity Impact to the Subsequent System", + "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", "schemaVersion": "2.0.0", "values": [ { "key": "N", "name": "None", - "definition": "None (0.0)" + "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." }, { "key": "L", "name": "Low", - "definition": "Low (0.1-3.9)" - }, - { - "key": "M", - "name": "Medium", - "definition": "Medium (4.0-6.9)" + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." }, { "key": "H", "name": "High", - "definition": "High (7.0-8.9)" + "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." }, { - "key": "C", - "name": "Critical", - "definition": "Critical (9.0-10.0)" + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, @@ -4863,194 +4423,179 @@ "N": { "key": "N", "name": "None", - "definition": "None (0.0)" + "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." }, "L": { "key": "L", "name": "Low", - "definition": "Low (0.1-3.9)" - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Medium (4.0-6.9)" + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." }, "H": { "key": "H", "name": "High", - "definition": "High (7.0-8.9)" + "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." }, - "C": { - "key": "C", - "name": "Critical", - "definition": "Critical (9.0-10.0)" + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } - } - } - }, - "MAV": { - "key": "MAV", - "versions": { - "3.0.0": { - "version": "3.0.0", + }, + "1.0.1": { + "version": "1.0.1", "obj": { "namespace": "cvss", - "key": "MAV", - "version": "3.0.0", - "name": "Modified Attack Vector", - "definition": "This metric reflects the context by which vulnerability exploitation is possible. ", + "key": "MSI", + "version": "1.0.1", + "name": "Modified Integrity Impact to the Subsequent System", + "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", "schemaVersion": "2.0.0", "values": [ { - "key": "P", - "name": "Physical", - "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." + "key": "N", + "name": "Negligible", + "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." }, { "key": "L", - "name": "Local", - "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." - }, - { - "key": "A", - "name": "Adjacent", - "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." }, { - "key": "N", - "name": "Network", - "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." }, { "key": "X", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "S", + "name": "Safety", + "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." } ] }, "values": { - "P": { - "key": "P", - "name": "Physical", - "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." + "N": { + "key": "N", + "name": "Negligible", + "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." }, "L": { "key": "L", - "name": "Local", - "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." - }, - "A": { - "key": "A", - "name": "Adjacent", - "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." }, - "N": { - "key": "N", - "name": "Network", - "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." + "H": { + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." }, "X": { "key": "X", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." + }, + "S": { + "key": "S", + "name": "Safety", + "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." } } - }, - "3.0.1": { - "version": "3.0.1", + } + } + }, + "MSI_NoX": { + "key": "MSI_NoX", + "versions": { + "1.0.1": { + "version": "1.0.1", "obj": { "namespace": "cvss", - "key": "MAV", - "version": "3.0.1", - "name": "Modified Attack Vector", - "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", + "key": "MSI_NoX", + "version": "1.0.1", + "name": "Modified Integrity Impact to the Subsequent System (without Not Defined)", + "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.", "schemaVersion": "2.0.0", "values": [ { - "key": "P", - "name": "Physical", - "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." + "key": "N", + "name": "Negligible", + "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." }, { "key": "L", - "name": "Local", - "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." - }, - { - "key": "A", - "name": "Adjacent", - "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." }, { - "key": "N", - "name": "Network", - "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "S", + "name": "Safety", + "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." } ] }, "values": { - "P": { - "key": "P", - "name": "Physical", - "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." + "N": { + "key": "N", + "name": "Negligible", + "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." }, "L": { "key": "L", - "name": "Local", - "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." - }, - "A": { - "key": "A", - "name": "Adjacent", - "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." }, - "N": { - "key": "N", - "name": "Network", - "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." + "H": { + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "S": { + "key": "S", + "name": "Safety", + "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." } } } } }, - "MAC": { - "key": "MAC", + "PR": { + "key": "PR", "versions": { - "3.0.0": { - "version": "3.0.0", + "1.0.0": { + "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MAC", - "version": "3.0.0", - "name": "Modified Attack Complexity", - "definition": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", + "key": "PR", + "version": "1.0.0", + "name": "Privileges Required", + "definition": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", "schemaVersion": "2.0.0", "values": [ { "key": "H", "name": "High", - "definition": "A successful attack depends on conditions beyond the attacker's control." + "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files." }, { "key": "L", "name": "Low", - "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." + "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources." }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "N", + "name": "None", + "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." } ] }, @@ -5058,44 +4603,44 @@ "H": { "key": "H", "name": "High", - "definition": "A successful attack depends on conditions beyond the attacker's control." + "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files." }, "L": { "key": "L", "name": "Low", - "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." + "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources." }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "N": { + "key": "N", + "name": "None", + "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." } } }, - "3.0.1": { - "version": "3.0.1", + "1.0.1": { + "version": "1.0.1", "obj": { "namespace": "cvss", - "key": "MAC", - "version": "3.0.1", - "name": "Modified Attack Complexity", - "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", + "key": "PR", + "version": "1.0.1", + "name": "Privileges Required", + "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", "schemaVersion": "2.0.0", "values": [ { "key": "H", "name": "High", - "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." + "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." }, { "key": "L", "name": "Low", - "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " + "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "N", + "name": "None", + "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." } ] }, @@ -5103,209 +4648,179 @@ "H": { "key": "H", "name": "High", - "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." + "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." }, "L": { "key": "L", "name": "Low", - "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " + "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "N": { + "key": "N", + "name": "None", + "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." } } } } }, - "MPR": { - "key": "MPR", + "QS": { + "key": "QS", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MPR", + "key": "QS", "version": "1.0.0", - "name": "Modified Privileges Required", - "definition": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", + "name": "CVSS Qualitative Severity Rating Scale", + "definition": "The CVSS Qualitative Severity Rating Scale provides a categorical representation of a CVSS Score.", "schemaVersion": "2.0.0", "values": [ { - "key": "H", - "name": "High", - "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files." + "key": "N", + "name": "None", + "definition": "No severity rating (0.0)" }, { "key": "L", "name": "Low", - "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources." + "definition": "Low (0.1 - 3.9)" }, { - "key": "N", - "name": "None", - "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + "key": "M", + "name": "Medium", + "definition": "Medium (4.0 - 6.9)" }, - { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." - } - ] - }, - "values": { - "H": { - "key": "H", - "name": "High", - "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files." - }, - "L": { - "key": "L", - "name": "Low", - "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources." - }, - "N": { - "key": "N", - "name": "None", - "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." - }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." - } - } - }, - "1.0.1": { - "version": "1.0.1", - "obj": { - "namespace": "cvss", - "key": "MPR", - "version": "1.0.1", - "name": "Modified Privileges Required", - "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", - "schemaVersion": "2.0.0", - "values": [ { "key": "H", "name": "High", - "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." - }, - { - "key": "L", - "name": "Low", - "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." - }, - { - "key": "N", - "name": "None", - "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + "definition": "High (7.0 - 8.9)" }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "C", + "name": "Critical", + "definition": "Critical (9.0 - 10.0)" } ] }, "values": { - "H": { - "key": "H", - "name": "High", - "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." + "N": { + "key": "N", + "name": "None", + "definition": "No severity rating (0.0)" }, "L": { "key": "L", "name": "Low", - "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." + "definition": "Low (0.1 - 3.9)" }, - "N": { - "key": "N", - "name": "None", - "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + "M": { + "key": "M", + "name": "Medium", + "definition": "Medium (4.0 - 6.9)" }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "H": { + "key": "H", + "name": "High", + "definition": "High (7.0 - 8.9)" + }, + "C": { + "key": "C", + "name": "Critical", + "definition": "Critical (9.0 - 10.0)" } } } } }, - "MUI": { - "key": "MUI", + "RL": { + "key": "RL", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MUI", + "key": "RL", "version": "1.0.0", - "name": "Modified User Interaction", - "definition": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", + "name": "Remediation Level", + "definition": "This metric measures the remediation status of a vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "R", - "name": "Required", - "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited." + "key": "OF", + "name": "Official Fix", + "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available." }, { - "key": "N", - "name": "None", - "definition": "The vulnerable system can be exploited without interaction from any user." + "key": "TF", + "name": "Temporary Fix", + "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround." }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "W", + "name": "Workaround", + "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set." + }, + { + "key": "U", + "name": "Unavailable", + "definition": "There is either no solution available or it is impossible to apply." } ] }, "values": { - "R": { - "key": "R", - "name": "Required", - "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited." + "OF": { + "key": "OF", + "name": "Official Fix", + "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available." }, - "N": { - "key": "N", - "name": "None", - "definition": "The vulnerable system can be exploited without interaction from any user." + "TF": { + "key": "TF", + "name": "Temporary Fix", + "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround." }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "W": { + "key": "W", + "name": "Workaround", + "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set." + }, + "U": { + "key": "U", + "name": "Unavailable", + "definition": "There is either no solution available or it is impossible to apply." } } }, - "2.0.0": { - "version": "2.0.0", + "1.1.0": { + "version": "1.1.0", "obj": { "namespace": "cvss", - "key": "MUI", - "version": "2.0.0", - "name": "Modified User Interaction", - "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", + "key": "RL", + "version": "1.1.0", + "name": "Remediation Level", + "definition": "This metric measures the remediation status of a vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "A", - "name": "Active", - "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." + "key": "OF", + "name": "Official Fix", + "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available." }, { - "key": "P", - "name": "Passive", - "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." + "key": "TF", + "name": "Temporary Fix", + "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround." }, { - "key": "N", - "name": "None", - "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." + "key": "W", + "name": "Workaround", + "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set." + }, + { + "key": "U", + "name": "Unavailable", + "definition": "There is either no solution available or it is impossible to apply." }, { "key": "X", @@ -5315,20 +4830,25 @@ ] }, "values": { - "A": { - "key": "A", - "name": "Active", - "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." + "OF": { + "key": "OF", + "name": "Official Fix", + "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available." }, - "P": { - "key": "P", - "name": "Passive", - "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." + "TF": { + "key": "TF", + "name": "Temporary Fix", + "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround." }, - "N": { - "key": "N", - "name": "None", - "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." + "W": { + "key": "W", + "name": "Workaround", + "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set." + }, + "U": { + "key": "U", + "name": "Unavailable", + "definition": "There is either no solution available or it is impossible to apply." }, "X": { "key": "X", @@ -5339,143 +4859,133 @@ } } }, - "MS": { - "key": "MS", + "RC": { + "key": "RC", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MS", + "key": "RC", "version": "1.0.0", - "name": "Modified Scope", - "definition": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", + "name": "Report Confidence", + "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "schemaVersion": "2.0.0", "values": [ { - "key": "U", - "name": "Unchanged", - "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same." + "key": "UC", + "name": "Unconfirmed", + "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report." }, { - "key": "C", - "name": "Changed", - "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different." + "key": "UR", + "name": "Uncorroborated", + "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity." }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "C", + "name": "Confirmed", + "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation." } ] }, "values": { - "U": { - "key": "U", - "name": "Unchanged", - "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same." + "UC": { + "key": "UC", + "name": "Unconfirmed", + "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report." + }, + "UR": { + "key": "UR", + "name": "Uncorroborated", + "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity." }, "C": { "key": "C", - "name": "Changed", - "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different." - }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "name": "Confirmed", + "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation." } } - } - } - }, - "MC": { - "key": "MC", - "versions": { - "2.0.0": { - "version": "2.0.0", + }, + "1.1.0": { + "version": "1.1.0", "obj": { "namespace": "cvss", - "key": "MC", - "version": "2.0.0", - "name": "Modified Confidentiality Impact", - "definition": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", + "key": "RC", + "version": "1.1.0", + "name": "Report Confidence", + "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no loss of confidentiality within the impacted component." + "key": "UC", + "name": "Unconfirmed", + "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report." }, { - "key": "L", - "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + "key": "UR", + "name": "Uncorroborated", + "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity." }, { - "key": "H", - "name": "High", - "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + "key": "C", + "name": "Confirmed", + "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation." }, { - "key": "X", + "key": "ND", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no loss of confidentiality within the impacted component." + "UC": { + "key": "UC", + "name": "Unconfirmed", + "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report." }, - "L": { - "key": "L", - "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + "UR": { + "key": "UR", + "name": "Uncorroborated", + "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity." }, - "H": { - "key": "H", - "name": "High", - "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + "C": { + "key": "C", + "name": "Confirmed", + "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation." }, - "X": { - "key": "X", + "ND": { + "key": "ND", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." } } - } - } - }, - "MI": { - "key": "MI", - "versions": { + }, "2.0.0": { "version": "2.0.0", "obj": { "namespace": "cvss", - "key": "MI", + "key": "RC", "version": "2.0.0", - "name": "Modified Integrity Impact", - "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "name": "Report Confidence", + "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no impact to the integrity of the system." + "key": "U", + "name": "Unknown", + "definition": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described." }, { - "key": "L", - "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component." + "key": "R", + "name": "Reasonable", + "definition": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)." }, { - "key": "H", - "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection." + "key": "C", + "name": "Confirmed", + "definition": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability." }, { "key": "X", @@ -5485,20 +4995,20 @@ ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no impact to the integrity of the system." + "U": { + "key": "U", + "name": "Unknown", + "definition": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described." }, - "L": { - "key": "L", - "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component." + "R": { + "key": "R", + "name": "Reasonable", + "definition": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)." }, - "H": { - "key": "H", - "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection." + "C": { + "key": "C", + "name": "Confirmed", + "definition": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability." }, "X": { "key": "X", @@ -5509,88 +5019,118 @@ } } }, - "MA": { - "key": "MA", + "S": { + "key": "S", "versions": { - "2.0.0": { - "version": "2.0.0", + "1.0.0": { + "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MA", - "version": "2.0.0", - "name": "Modified Availability Impact", - "definition": "This metric measures the impact to availability of a successfully exploited vulnerability.", + "key": "S", + "version": "1.0.0", + "name": "Scope", + "definition": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "U", + "name": "Unchanged", + "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same." + }, + { + "key": "C", + "name": "Changed", + "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different." + } + ] + }, + "values": { + "U": { + "key": "U", + "name": "Unchanged", + "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same." + }, + "C": { + "key": "C", + "name": "Changed", + "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different." + } + } + } + } + }, + "SC": { + "key": "SC", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cvss", + "key": "SC", + "version": "1.0.0", + "name": "Confidentiality Impact to the Subsequent System", + "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", "schemaVersion": "2.0.0", "values": [ { "key": "N", - "name": "None", - "definition": "There is no impact to the availability of the system." + "name": "Negligible", + "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." }, { "key": "L", "name": "Low", - "definition": "There is reduced performance or interruptions in resource availability." + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." }, { "key": "H", "name": "High", - "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." - }, - { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." } ] }, "values": { "N": { "key": "N", - "name": "None", - "definition": "There is no impact to the availability of the system." + "name": "Negligible", + "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." }, "L": { "key": "L", "name": "Low", - "definition": "There is reduced performance or interruptions in resource availability." + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." }, "H": { "key": "H", "name": "High", - "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." - }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." } } } } }, - "MAT": { - "key": "MAT", + "AU": { + "key": "AU", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MAT", + "key": "AU", "version": "1.0.0", - "name": "Modified Attack Requirements", - "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", + "name": "Automatable", + "definition": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.", "schemaVersion": "2.0.0", "values": [ - { - "key": "P", - "name": "Present", - "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." - }, { "key": "N", - "name": "None", - "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." + "name": "No", + "definition": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation." + }, + { + "key": "Y", + "name": "Yes", + "definition": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")." }, { "key": "X", @@ -5600,15 +5140,15 @@ ] }, "values": { - "P": { - "key": "P", - "name": "Present", - "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." - }, "N": { "key": "N", - "name": "None", - "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." + "name": "No", + "definition": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation." + }, + "Y": { + "key": "Y", + "name": "Yes", + "definition": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")." }, "X": { "key": "X", @@ -5619,1273 +5159,1338 @@ } } }, - "MVC": { - "key": "MVC", + "U": { + "key": "U", "versions": { - "3.0.0": { - "version": "3.0.0", + "1.0.0": { + "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MVC", - "version": "3.0.0", - "name": "Modified Confidentiality Impact to the Vulnerable System", - "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", + "key": "U", + "version": "1.0.0", + "name": "Provider Urgency", + "definition": "Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories. To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional \"pass-through\" Supplemental Metric called Provider Urgency is available.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no loss of confidentiality within the impacted component." + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." }, { - "key": "L", - "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + "key": "C", + "name": "Clear", + "definition": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)." }, { - "key": "H", - "name": "High", - "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + "key": "G", + "name": "Green", + "definition": "Provider has assessed the impact of this vulnerability as having a reduced urgency." }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "A", + "name": "Amber", + "definition": "Provider has assessed the impact of this vulnerability as having a moderate urgency." + }, + { + "key": "R", + "name": "Red", + "definition": "Provider has assessed the impact of this vulnerability as having the highest urgency." } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no loss of confidentiality within the impacted component." - }, - "L": { - "key": "L", - "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." - }, - "H": { - "key": "H", - "name": "High", - "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." - }, "X": { "key": "X", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." + }, + "C": { + "key": "C", + "name": "Clear", + "definition": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)." + }, + "G": { + "key": "G", + "name": "Green", + "definition": "Provider has assessed the impact of this vulnerability as having a reduced urgency." + }, + "A": { + "key": "A", + "name": "Amber", + "definition": "Provider has assessed the impact of this vulnerability as having a moderate urgency." + }, + "R": { + "key": "R", + "name": "Red", + "definition": "Provider has assessed the impact of this vulnerability as having the highest urgency." } } } } }, - "MVI": { - "key": "MVI", + "R": { + "key": "R", "versions": { - "3.0.0": { - "version": "3.0.0", + "1.0.0": { + "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MVI", - "version": "3.0.0", - "name": "Modified Integrity Impact to the Vulnerable System", - "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "key": "R", + "version": "1.0.0", + "name": "Recovery", + "definition": "The Recovery metric describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no loss of integrity within the Vulnerable System." + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." }, { - "key": "L", - "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." + "key": "A", + "name": "Automatic", + "definition": "The system recovers services automatically after an attack has been performed." }, { - "key": "H", - "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection." + "key": "U", + "name": "User", + "definition": "The system requires manual intervention by the user to recover services, after an attack has been performed." }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "I", + "name": "Irrecoverable", + "definition": "The system services are irrecoverable by the user, after an attack has been performed." } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no loss of integrity within the Vulnerable System." - }, - "L": { - "key": "L", - "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." - }, - "H": { - "key": "H", - "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection." - }, "X": { "key": "X", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." + }, + "A": { + "key": "A", + "name": "Automatic", + "definition": "The system recovers services automatically after an attack has been performed." + }, + "U": { + "key": "U", + "name": "User", + "definition": "The system requires manual intervention by the user to recover services, after an attack has been performed." + }, + "I": { + "key": "I", + "name": "Irrecoverable", + "definition": "The system services are irrecoverable by the user, after an attack has been performed." } } } } }, - "MVA": { - "key": "MVA", + "SF": { + "key": "SF", "versions": { - "3.0.0": { - "version": "3.0.0", + "1.0.0": { + "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MVA", - "version": "3.0.0", - "name": "Modified Availability Impact to the Vulnerable System", - "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", + "key": "SF", + "version": "1.0.0", + "name": "Safety", + "definition": "The Safety decision point is a measure of the potential for harm to humans or the environment.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no impact to availability within the Vulnerable System." - }, - { - "key": "L", - "name": "Low", - "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." }, { - "key": "H", - "name": "High", - "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + "key": "P", + "name": "Present", + "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\"" }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "N", + "name": "Negligible", + "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\"" } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no impact to availability within the Vulnerable System." - }, - "L": { - "key": "L", - "name": "Low", - "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." - }, - "H": { - "key": "H", - "name": "High", - "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." - }, "X": { "key": "X", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." + }, + "P": { + "key": "P", + "name": "Present", + "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\"" + }, + "N": { + "key": "N", + "name": "Negligible", + "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\"" } } } } }, - "MSC": { - "key": "MSC", + "V": { + "key": "V", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MSC", + "key": "V", "version": "1.0.0", - "name": "Modified Confidentiality Impact to the Subsequent System", - "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", + "name": "Value Density", + "definition": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "Negligible", - "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." }, { - "key": "L", - "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + "key": "D", + "name": "Diffuse", + "definition": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small." }, { - "key": "H", - "name": "High", - "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." - }, + "key": "C", + "name": "Concentrated", + "definition": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users." + } + ] + }, + "values": { + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." + }, + "D": { + "key": "D", + "name": "Diffuse", + "definition": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small." + }, + "C": { + "key": "C", + "name": "Concentrated", + "definition": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users." + } + } + } + } + }, + "RE": { + "key": "RE", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cvss", + "key": "RE", + "version": "1.0.0", + "name": "Vulnerability Response Effort", + "definition": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.", + "schemaVersion": "2.0.0", + "values": [ { "key": "X", "name": "Not Defined", "definition": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "L", + "name": "Low", + "definition": "The effort required to respond to a vulnerability is low/trivial." + }, + { + "key": "M", + "name": "Moderate", + "definition": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement." + }, + { + "key": "H", + "name": "High", + "definition": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)." } ] }, "values": { - "N": { - "key": "N", - "name": "Negligible", - "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." }, "L": { "key": "L", "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + "definition": "The effort required to respond to a vulnerability is low/trivial." + }, + "M": { + "key": "M", + "name": "Moderate", + "definition": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement." }, "H": { "key": "H", "name": "High", - "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." - }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "definition": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)." } } - }, - "1.0.1": { - "version": "1.0.1", + } + } + }, + "TD": { + "key": "TD", + "versions": { + "1.0.0": { + "version": "1.0.0", "obj": { "namespace": "cvss", - "key": "MSC", - "version": "1.0.1", - "name": "Modified Confidentiality Impact to the Subsequent System", - "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", + "key": "TD", + "version": "1.0.0", + "name": "Target Distribution", + "definition": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "schemaVersion": "2.0.0", "values": [ { "key": "N", - "name": "Negligible", - "definition": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." + "name": "None", + "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk." }, { "key": "L", "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk." }, { - "key": "H", - "name": "High", - "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." + "key": "M", + "name": "Medium", + "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk." }, { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "key": "H", + "name": "High", + "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk." } ] }, "values": { "N": { "key": "N", - "name": "Negligible", - "definition": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." + "name": "None", + "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk." }, "L": { "key": "L", "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk." + }, + "M": { + "key": "M", + "name": "Medium", + "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk." }, "H": { "key": "H", "name": "High", - "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." - }, - "X": { - "key": "X", - "name": "Not Defined", - "definition": "This metric value is not defined. See CVSS documentation for details." + "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk." } } - } - } - } - } - }, - "nist#800-30": { - "namespace": "nist#800-30", - "keys": { - "P_5X": { - "key": "P_5X", - "versions": { - "1.0.0": { - "version": "1.0.0", + }, + "1.1.0": { + "version": "1.1.0", "obj": { - "namespace": "nist#800-30", - "key": "P_5X", - "version": "1.0.0", - "name": "Probability Scale in 5 weighted levels, ascending", - "definition": "A probability scale with finer resolution at both extremes, based on NIST SP 800-30 Rev. 1 Appendix G", + "namespace": "cvss", + "key": "TD", + "version": "1.1.0", + "name": "Target Distribution", + "definition": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "VL", - "name": "Very Low", - "definition": "0% <= Probability < 5%. Highly unlikely." + "key": "N", + "name": "None", + "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk." }, { "key": "L", "name": "Low", - "definition": "5% <= Probability < 21%. Unlikely." + "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk." }, { "key": "M", - "name": "Moderate", - "definition": "21% <= Probability < 80%. Somewhat likely." + "name": "Medium", + "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk." }, { "key": "H", "name": "High", - "definition": "80% <= Probability < 96%. Highly likely." + "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk." }, { - "key": "VH", - "name": "Very High", - "definition": "96% <= Probability <= 100%. Almost certain." + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "VL": { - "key": "VL", - "name": "Very Low", - "definition": "0% <= Probability < 5%. Highly unlikely." + "N": { + "key": "N", + "name": "None", + "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk." }, "L": { "key": "L", "name": "Low", - "definition": "5% <= Probability < 21%. Unlikely." + "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk." }, "M": { "key": "M", - "name": "Moderate", - "definition": "21% <= Probability < 80%. Somewhat likely." + "name": "Medium", + "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk." }, "H": { "key": "H", "name": "High", - "definition": "80% <= Probability < 96%. Highly likely." + "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk." }, - "VH": { - "key": "VH", - "name": "Very High", - "definition": "96% <= Probability <= 100%. Almost certain." + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } } } - } - } - }, - "ssvc": { - "namespace": "ssvc", - "keys": { - "V": { - "key": "V", + }, + "UI": { + "key": "UI", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "ssvc", - "key": "V", + "namespace": "cvss", + "key": "UI", "version": "1.0.0", - "name": "Virulence", - "definition": "The speed at which the vulnerability can be exploited.", + "name": "User Interaction", + "definition": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", "schemaVersion": "2.0.0", "values": [ { - "key": "S", - "name": "Slow", - "definition": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation." + "key": "R", + "name": "Required", + "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited." }, { - "key": "R", - "name": "Rapid", - "definition": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid." + "key": "N", + "name": "None", + "definition": "The vulnerable system can be exploited without interaction from any user." } ] }, "values": { - "S": { - "key": "S", - "name": "Slow", - "definition": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation." - }, "R": { "key": "R", - "name": "Rapid", - "definition": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid." + "name": "Required", + "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited." + }, + "N": { + "key": "N", + "name": "None", + "definition": "The vulnerable system can be exploited without interaction from any user." } } - } - } - }, - "A": { - "key": "A", - "versions": { + }, "2.0.0": { "version": "2.0.0", "obj": { - "namespace": "ssvc", - "key": "A", + "namespace": "cvss", + "key": "UI", "version": "2.0.0", - "name": "Automatable", - "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?", + "name": "User Interaction", + "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "No", - "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation." + "key": "A", + "name": "Active", + "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." }, { - "key": "Y", - "name": "Yes", - "definition": "Attackers can reliably automate steps 1-4 of the kill chain." + "key": "P", + "name": "Passive", + "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." + }, + { + "key": "N", + "name": "None", + "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." } ] }, "values": { + "A": { + "key": "A", + "name": "Active", + "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." + }, + "P": { + "key": "P", + "name": "Passive", + "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." + }, "N": { "key": "N", - "name": "No", - "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation." - }, - "Y": { - "key": "Y", - "name": "Yes", - "definition": "Attackers can reliably automate steps 1-4 of the kill chain." + "name": "None", + "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." } } } } }, - "CS": { - "key": "CS", + "CVSS": { + "key": "CVSS", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "ssvc", - "key": "CS", + "namespace": "cvss", + "key": "CVSS", "version": "1.0.0", - "name": "Critical Software", - "definition": "Denotes whether a system meets a critical software definition.", + "name": "CVSS Qualitative Severity Rating Scale", + "definition": "The CVSS Qualitative Severity Rating Scale group.", "schemaVersion": "2.0.0", "values": [ { "key": "N", - "name": "No", - "definition": "System does not meet a critical software definition." + "name": "None", + "definition": "None (0.0)" }, { - "key": "Y", - "name": "Yes", - "definition": "System meets a critical software definition." + "key": "L", + "name": "Low", + "definition": "Low (0.1-3.9)" + }, + { + "key": "M", + "name": "Medium", + "definition": "Medium (4.0-6.9)" + }, + { + "key": "H", + "name": "High", + "definition": "High (7.0-8.9)" + }, + { + "key": "C", + "name": "Critical", + "definition": "Critical (9.0-10.0)" } ] }, "values": { "N": { "key": "N", - "name": "No", - "definition": "System does not meet a critical software definition." + "name": "None", + "definition": "None (0.0)" }, - "Y": { - "key": "Y", - "name": "Yes", - "definition": "System meets a critical software definition." + "L": { + "key": "L", + "name": "Low", + "definition": "Low (0.1-3.9)" + }, + "M": { + "key": "M", + "name": "Medium", + "definition": "Medium (4.0-6.9)" + }, + "H": { + "key": "H", + "name": "High", + "definition": "High (7.0-8.9)" + }, + "C": { + "key": "C", + "name": "Critical", + "definition": "Critical (9.0-10.0)" } } } } }, - "E": { - "key": "E", + "MAV": { + "key": "MAV", "versions": { - "1.0.0": { - "version": "1.0.0", + "3.0.0": { + "version": "3.0.0", "obj": { - "namespace": "ssvc", - "key": "E", - "version": "1.0.0", - "name": "Exploitation", - "definition": "The present state of exploitation of the vulnerability.", + "namespace": "cvss", + "key": "MAV", + "version": "3.0.0", + "name": "Modified Attack Vector", + "definition": "This metric reflects the context by which vulnerability exploitation is possible. ", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + "key": "P", + "name": "Physical", + "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." }, { - "key": "P", - "name": "PoC", - "definition": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation." + "key": "L", + "name": "Local", + "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." }, { "key": "A", - "name": "Active", - "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + "name": "Adjacent", + "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." + }, + { + "key": "N", + "name": "Network", + "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." + }, + { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." - }, "P": { "key": "P", - "name": "PoC", - "definition": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation." + "name": "Physical", + "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." + }, + "L": { + "key": "L", + "name": "Local", + "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." }, "A": { "key": "A", - "name": "Active", - "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + "name": "Adjacent", + "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." + }, + "N": { + "key": "N", + "name": "Network", + "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." + }, + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } }, - "1.1.0": { - "version": "1.1.0", + "3.0.1": { + "version": "3.0.1", "obj": { - "namespace": "ssvc", - "key": "E", - "version": "1.1.0", - "name": "Exploitation", - "definition": "The present state of exploitation of the vulnerability.", + "namespace": "cvss", + "key": "MAV", + "version": "3.0.1", + "name": "Modified Attack Vector", + "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + "key": "P", + "name": "Physical", + "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." }, { - "key": "P", - "name": "Public PoC", - "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." + "key": "L", + "name": "Local", + "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." }, { "key": "A", - "name": "Active", - "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + "name": "Adjacent", + "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." + }, + { + "key": "N", + "name": "Network", + "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." + }, + { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "N": { - "key": "N", - "name": "None", - "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." - }, "P": { "key": "P", - "name": "Public PoC", - "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." + "name": "Physical", + "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." + }, + "L": { + "key": "L", + "name": "Local", + "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." }, "A": { "key": "A", - "name": "Active", - "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + "name": "Adjacent", + "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." + }, + "N": { + "key": "N", + "name": "Network", + "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." + }, + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } } } }, - "HVA": { - "key": "HVA", + "MAC": { + "key": "MAC", "versions": { - "1.0.0": { - "version": "1.0.0", + "3.0.0": { + "version": "3.0.0", "obj": { - "namespace": "ssvc", - "key": "HVA", - "version": "1.0.0", - "name": "High Value Asset", - "definition": "Denotes whether a system meets a high value asset definition.", + "namespace": "cvss", + "key": "MAC", + "version": "3.0.0", + "name": "Modified Attack Complexity", + "definition": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "No", - "definition": "System does not meet a high value asset definition." + "key": "H", + "name": "High", + "definition": "A successful attack depends on conditions beyond the attacker's control." }, { - "key": "Y", - "name": "Yes", - "definition": "System meets a high value asset definition." + "key": "L", + "name": "Low", + "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." + }, + { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "N": { - "key": "N", - "name": "No", - "definition": "System does not meet a high value asset definition." + "H": { + "key": "H", + "name": "High", + "definition": "A successful attack depends on conditions beyond the attacker's control." }, - "Y": { - "key": "Y", - "name": "Yes", - "definition": "System meets a high value asset definition." + "L": { + "key": "L", + "name": "Low", + "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." + }, + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } - } - } - }, - "MWI": { - "key": "MWI", - "versions": { - "1.0.0": { - "version": "1.0.0", + }, + "3.0.1": { + "version": "3.0.1", "obj": { - "namespace": "ssvc", - "key": "MWI", - "version": "1.0.0", - "name": "Mission and Well-Being Impact", - "definition": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.", + "namespace": "cvss", + "key": "MAC", + "version": "3.0.1", + "name": "Modified Attack Complexity", + "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal" + "key": "H", + "name": "High", + "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." }, { - "key": "M", - "name": "Medium", - "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)" + "key": "L", + "name": "Low", + "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " }, { - "key": "H", - "name": "High", - "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)" + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { + "H": { + "key": "H", + "name": "High", + "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." + }, "L": { "key": "L", "name": "Low", - "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal" - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)" + "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " }, - "H": { - "key": "H", - "name": "High", - "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)" + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } } } }, - "HI": { - "key": "HI", + "MPR": { + "key": "MPR", "versions": { - "2.0.0": { - "version": "2.0.0", + "1.0.0": { + "version": "1.0.0", "obj": { - "namespace": "ssvc", - "key": "HI", - "version": "2.0.0", - "name": "Human Impact", - "definition": "Human Impact is a combination of Safety and Mission impacts.", + "namespace": "cvss", + "key": "MPR", + "version": "1.0.0", + "name": "Modified Privileges Required", + "definition": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)" + "key": "H", + "name": "High", + "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files." }, { - "key": "M", - "name": "Medium", - "definition": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))" + "key": "L", + "name": "Low", + "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources." }, { - "key": "H", - "name": "High", - "definition": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)" + "key": "N", + "name": "None", + "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." }, { - "key": "VH", - "name": "Very High", - "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { + "H": { + "key": "H", + "name": "High", + "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files." + }, "L": { "key": "L", "name": "Low", - "definition": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)" - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))" + "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources." }, - "H": { - "key": "H", - "name": "High", - "definition": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)" + "N": { + "key": "N", + "name": "None", + "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." }, - "VH": { - "key": "VH", - "name": "Very High", - "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } }, - "2.0.1": { - "version": "2.0.1", + "1.0.1": { + "version": "1.0.1", "obj": { - "namespace": "ssvc", - "key": "HI", - "version": "2.0.1", - "name": "Human Impact", - "definition": "Human Impact is a combination of Safety and Mission impacts.", + "namespace": "cvss", + "key": "MPR", + "version": "1.0.1", + "name": "Modified Privileges Required", + "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)" + "key": "H", + "name": "High", + "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." }, { - "key": "M", - "name": "Medium", - "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))" + "key": "L", + "name": "Low", + "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." }, { - "key": "H", - "name": "High", - "definition": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" + "key": "N", + "name": "None", + "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." }, { - "key": "VH", - "name": "Very High", - "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { + "H": { + "key": "H", + "name": "High", + "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." + }, "L": { "key": "L", "name": "Low", - "definition": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)" - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))" + "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." }, - "H": { - "key": "H", - "name": "High", - "definition": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" + "N": { + "key": "N", + "name": "None", + "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." }, - "VH": { - "key": "VH", - "name": "Very High", - "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" - } - } - }, - "2.0.2": { - "version": "2.0.2", - "obj": { - "namespace": "ssvc", - "key": "HI", - "version": "2.0.2", - "name": "Human Impact", - "definition": "Human Impact is a combination of Safety and Mission impacts.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)" - }, - { - "key": "M", - "name": "Medium", - "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))" - }, - { - "key": "H", - "name": "High", - "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" - }, - { - "key": "VH", - "name": "Very High", - "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" - } - ] - }, - "values": { - "L": { - "key": "L", - "name": "Low", - "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)" - }, - "M": { - "key": "M", - "name": "Medium", - "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))" - }, - "H": { - "key": "H", - "name": "High", - "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" - }, - "VH": { - "key": "VH", - "name": "Very High", - "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } } } }, - "MI": { - "key": "MI", + "MUI": { + "key": "MUI", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "ssvc", - "key": "MI", + "namespace": "cvss", + "key": "MUI", "version": "1.0.0", - "name": "Mission Impact", - "definition": "Impact on Mission Essential Functions of the Organization", + "name": "Modified User Interaction", + "definition": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "Little to no impact" - }, - { - "key": "NED", - "name": "Non-Essential Degraded", - "definition": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions" - }, - { - "key": "MSC", - "name": "MEF Support Crippled", - "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time" + "key": "R", + "name": "Required", + "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited." }, { - "key": "MEF", - "name": "MEF Failure", - "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time" + "key": "N", + "name": "None", + "definition": "The vulnerable system can be exploited without interaction from any user." }, { - "key": "MF", - "name": "Mission Failure", - "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { + "R": { + "key": "R", + "name": "Required", + "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited." + }, "N": { "key": "N", "name": "None", - "definition": "Little to no impact" - }, - "NED": { - "key": "NED", - "name": "Non-Essential Degraded", - "definition": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions" - }, - "MSC": { - "key": "MSC", - "name": "MEF Support Crippled", - "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time" - }, - "MEF": { - "key": "MEF", - "name": "MEF Failure", - "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time" + "definition": "The vulnerable system can be exploited without interaction from any user." }, - "MF": { - "key": "MF", - "name": "Mission Failure", - "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } }, "2.0.0": { "version": "2.0.0", "obj": { - "namespace": "ssvc", - "key": "MI", + "namespace": "cvss", + "key": "MUI", "version": "2.0.0", - "name": "Mission Impact", - "definition": "Impact on Mission Essential Functions of the Organization", + "name": "Modified User Interaction", + "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", "schemaVersion": "2.0.0", "values": [ { - "key": "D", - "name": "Degraded", - "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions" + "key": "A", + "name": "Active", + "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." }, { - "key": "MSC", - "name": "MEF Support Crippled", - "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time" + "key": "P", + "name": "Passive", + "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." }, { - "key": "MEF", - "name": "MEF Failure", - "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time" + "key": "N", + "name": "None", + "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." }, { - "key": "MF", - "name": "Mission Failure", - "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "D": { - "key": "D", - "name": "Degraded", - "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions" + "A": { + "key": "A", + "name": "Active", + "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." }, - "MSC": { - "key": "MSC", - "name": "MEF Support Crippled", - "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time" + "P": { + "key": "P", + "name": "Passive", + "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." }, - "MEF": { - "key": "MEF", - "name": "MEF Failure", - "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time" + "N": { + "key": "N", + "name": "None", + "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." }, - "MF": { - "key": "MF", - "name": "Mission Failure", - "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } } } }, - "PWI": { - "key": "PWI", + "MS": { + "key": "MS", "versions": { - "1.1.0": { - "version": "1.1.0", + "1.0.0": { + "version": "1.0.0", "obj": { - "namespace": "ssvc", - "key": "PWI", - "version": "1.1.0", - "name": "Public Well-Being Impact", - "definition": "A coarse-grained representation of impact to public well-being.", + "namespace": "cvss", + "key": "MS", + "version": "1.0.0", + "name": "Modified Scope", + "definition": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", "schemaVersion": "2.0.0", "values": [ { - "key": "M", - "name": "Minimal", - "definition": "The effect is below the threshold for all aspects described in material. " + "key": "U", + "name": "Unchanged", + "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same." }, { - "key": "MA", - "name": "Material", - "definition": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. " + "key": "C", + "name": "Changed", + "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different." }, { - "key": "I", - "name": "Irreversible", - "definition": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A " + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "M": { - "key": "M", - "name": "Minimal", - "definition": "The effect is below the threshold for all aspects described in material. " + "U": { + "key": "U", + "name": "Unchanged", + "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same." }, - "MA": { - "key": "MA", - "name": "Material", - "definition": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. " + "C": { + "key": "C", + "name": "Changed", + "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different." }, - "I": { - "key": "I", - "name": "Irreversible", - "definition": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A " + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } } } }, - "PSI": { - "key": "PSI", + "MC": { + "key": "MC", "versions": { "2.0.0": { "version": "2.0.0", "obj": { - "namespace": "ssvc", - "key": "PSI", + "namespace": "cvss", + "key": "MC", "version": "2.0.0", - "name": "Public Safety Impact", - "definition": "A coarse-grained representation of impact to public safety.", + "name": "Modified Confidentiality Impact", + "definition": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "M", - "name": "Minimal", - "definition": "Safety Impact:(None OR Minor)" - }, + "key": "N", + "name": "None", + "definition": "There is no loss of confidentiality within the impacted component." + }, { - "key": "S", - "name": "Significant", - "definition": "Safety Impact:(Major OR Hazardous OR Catastrophic)" - } - ] - }, - "values": { - "M": { - "key": "M", - "name": "Minimal", - "definition": "Safety Impact:(None OR Minor)" - }, - "S": { - "key": "S", - "name": "Significant", - "definition": "Safety Impact:(Major OR Hazardous OR Catastrophic)" - } - } - }, - "2.0.1": { - "version": "2.0.1", - "obj": { - "namespace": "ssvc", - "key": "PSI", - "version": "2.0.1", - "name": "Public Safety Impact", - "definition": "A coarse-grained representation of impact to public safety.", - "schemaVersion": "2.0.0", - "values": [ + "key": "L", + "name": "Low", + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, { - "key": "M", - "name": "Minimal", - "definition": "Safety Impact:Negligible" + "key": "H", + "name": "High", + "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." }, { - "key": "S", - "name": "Significant", - "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)" + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "M": { - "key": "M", - "name": "Minimal", - "definition": "Safety Impact:Negligible" + "N": { + "key": "N", + "name": "None", + "definition": "There is no loss of confidentiality within the impacted component." }, - "S": { - "key": "S", - "name": "Significant", - "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)" + "L": { + "key": "L", + "name": "Low", + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + "H": { + "key": "H", + "name": "High", + "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + }, + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } } } }, - "PVA": { - "key": "PVA", + "MI": { + "key": "MI", "versions": { - "1.0.0": { - "version": "1.0.0", + "2.0.0": { + "version": "2.0.0", "obj": { - "namespace": "ssvc", - "key": "PVA", - "version": "1.0.0", - "name": "Public Value Added", - "definition": "How much value would a publication from the coordinator benefit the broader community?", + "namespace": "cvss", + "key": "MI", + "version": "2.0.0", + "name": "Modified Integrity Impact", + "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ + { + "key": "N", + "name": "None", + "definition": "There is no impact to the integrity of the system." + }, { "key": "L", - "name": "Limited", - "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets." + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component." }, { - "key": "A", - "name": "Ampliative", - "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc." + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection." }, { - "key": "P", - "name": "Precedence", - "definition": "The publication would be the first publicly available, or be coincident with the first publicly available." + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { + "N": { + "key": "N", + "name": "None", + "definition": "There is no impact to the integrity of the system." + }, "L": { "key": "L", - "name": "Limited", - "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets." + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component." }, - "A": { - "key": "A", - "name": "Ampliative", - "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc." + "H": { + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection." }, - "P": { - "key": "P", - "name": "Precedence", - "definition": "The publication would be the first publicly available, or be coincident with the first publicly available." + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } } } }, - "RC": { - "key": "RC", + "MA": { + "key": "MA", "versions": { - "1.0.0": { - "version": "1.0.0", + "2.0.0": { + "version": "2.0.0", "obj": { - "namespace": "ssvc", - "key": "RC", - "version": "1.0.0", - "name": "Report Credibility", - "definition": "Is the report credible?", + "namespace": "cvss", + "key": "MA", + "version": "2.0.0", + "name": "Modified Availability Impact", + "definition": "This metric measures the impact to availability of a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "NC", - "name": "Not Credible", - "definition": "The report is not credible." + "key": "N", + "name": "None", + "definition": "There is no impact to the availability of the system." }, { - "key": "C", - "name": "Credible", - "definition": "The report is credible." + "key": "L", + "name": "Low", + "definition": "There is reduced performance or interruptions in resource availability." + }, + { + "key": "H", + "name": "High", + "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "NC": { - "key": "NC", - "name": "Not Credible", - "definition": "The report is not credible." + "N": { + "key": "N", + "name": "None", + "definition": "There is no impact to the availability of the system." }, - "C": { - "key": "C", - "name": "Credible", - "definition": "The report is credible." + "L": { + "key": "L", + "name": "Low", + "definition": "There is reduced performance or interruptions in resource availability." + }, + "H": { + "key": "H", + "name": "High", + "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } } } }, - "RP": { - "key": "RP", + "MAT": { + "key": "MAT", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "ssvc", - "key": "RP", + "namespace": "cvss", + "key": "MAT", "version": "1.0.0", - "name": "Report Public", - "definition": "Is a viable report of the details of the vulnerability already publicly available?", + "name": "Modified Attack Requirements", + "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", "schemaVersion": "2.0.0", "values": [ { - "key": "Y", - "name": "Yes", - "definition": "A public report of the vulnerability exists." + "key": "P", + "name": "Present", + "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." }, { "key": "N", - "name": "No", - "definition": "No public report of the vulnerability exists." + "name": "None", + "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." + }, + { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "Y": { - "key": "Y", - "name": "Yes", - "definition": "A public report of the vulnerability exists." + "P": { + "key": "P", + "name": "Present", + "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." }, "N": { "key": "N", - "name": "No", - "definition": "No public report of the vulnerability exists." + "name": "None", + "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." + }, + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } } } }, - "SI": { - "key": "SI", + "MVC": { + "key": "MVC", "versions": { - "1.0.0": { - "version": "1.0.0", - "obj": { - "namespace": "ssvc", - "key": "SI", - "version": "1.0.0", - "name": "Safety Impact", - "definition": "The safety impact of the vulnerability.", + "3.0.0": { + "version": "3.0.0", + "obj": { + "namespace": "cvss", + "key": "MVC", + "version": "3.0.0", + "name": "Modified Confidentiality Impact to the Vulnerable System", + "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", "schemaVersion": "2.0.0", "values": [ { "key": "N", "name": "None", - "definition": "The effect is below the threshold for all aspects described in Minor." - }, - { - "key": "M", - "name": "Minor", - "definition": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + "definition": "There is no loss of confidentiality within the impacted component." }, { - "key": "J", - "name": "Major", - "definition": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + "key": "L", + "name": "Low", + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." }, { "key": "H", - "name": "Hazardous", - "definition": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A." + "name": "High", + "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." }, { - "key": "C", - "name": "Catastrophic", - "definition": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A." + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, @@ -6893,3567 +6498,3614 @@ "N": { "key": "N", "name": "None", - "definition": "The effect is below the threshold for all aspects described in Minor." - }, - "M": { - "key": "M", - "name": "Minor", - "definition": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + "definition": "There is no loss of confidentiality within the impacted component." }, - "J": { - "key": "J", - "name": "Major", - "definition": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + "L": { + "key": "L", + "name": "Low", + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." }, "H": { "key": "H", - "name": "Hazardous", - "definition": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A." + "name": "High", + "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." }, - "C": { - "key": "C", - "name": "Catastrophic", - "definition": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A." + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } - }, - "2.0.0": { - "version": "2.0.0", + } + } + }, + "MVI": { + "key": "MVI", + "versions": { + "3.0.0": { + "version": "3.0.0", "obj": { - "namespace": "ssvc", - "key": "SI", - "version": "2.0.0", - "name": "Safety Impact", - "definition": "The safety impact of the vulnerability. (based on IEC 61508)", + "namespace": "cvss", + "key": "MVI", + "version": "3.0.0", + "name": "Modified Integrity Impact to the Vulnerable System", + "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { "key": "N", - "name": "Negligible", - "definition": "Any one or more of these conditions hold.

- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + "name": "None", + "definition": "There is no loss of integrity within the Vulnerable System." }, { - "key": "M", - "name": "Marginal", - "definition": "Any one or more of these conditions hold.

- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + "key": "L", + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." }, { - "key": "R", - "name": "Critical", - "definition": "Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A." + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection." }, { - "key": "C", - "name": "Catastrophic", - "definition": "Any one or more of these conditions hold.

- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A." + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { "N": { "key": "N", - "name": "Negligible", - "definition": "Any one or more of these conditions hold.

- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + "name": "None", + "definition": "There is no loss of integrity within the Vulnerable System." }, - "M": { - "key": "M", - "name": "Marginal", - "definition": "Any one or more of these conditions hold.

- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + "L": { + "key": "L", + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." }, - "R": { - "key": "R", - "name": "Critical", - "definition": "Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A." + "H": { + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection." }, - "C": { - "key": "C", - "name": "Catastrophic", - "definition": "Any one or more of these conditions hold.

- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A." + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } - }, - "2.0.1": { - "version": "2.0.1", + } + } + }, + "MVA": { + "key": "MVA", + "versions": { + "3.0.0": { + "version": "3.0.0", "obj": { - "namespace": "ssvc", - "key": "SI", - "version": "2.0.1", - "name": "Safety Impact", - "definition": "The safety impact of the vulnerability. (based on IEC 61508 with modifications)", + "namespace": "cvss", + "key": "MVA", + "version": "3.0.0", + "name": "Modified Availability Impact to the Vulnerable System", + "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", "schemaVersion": "2.0.0", "values": [ { "key": "N", - "name": "Negligible", - "definition": "Any one or more of these conditions hold. **Physical harm**: Minor injuries at worst (IEC 61508 Negligible). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. **System resiliency**: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. **Environment**: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses, which are not readily absorbable, to multiple persons. **Psychological**: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + "name": "None", + "definition": "There is no impact to availability within the Vulnerable System." }, { - "key": "M", - "name": "Marginal", - "definition": "Any one or more of these conditions hold. **Physical harm**: Major injuries to one or more persons (IEC 61508 Marginal). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. **System resiliency**: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. **Environment**: Major externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses that likely lead to bankruptcy of multiple persons. **Psychological**: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + "key": "L", + "name": "Low", + "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." }, { - "key": "R", - "name": "Critical", - "definition": "Any one or more of these conditions hold. **Physical harm**: Loss of life (IEC 61508 Critical). **Operator resiliency**: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. **System resiliency**: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. **Environment**: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. **Financial**: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. **Psychological**: N/A." + "key": "H", + "name": "High", + "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." }, { - "key": "C", - "name": "Catastrophic", - "definition": "Any one or more of these conditions hold. **Physical harm**: Multiple loss of life (IEC 61508 Catastrophic). **Operator resiliency**: Operator incapacitated (includes fatality or otherwise incapacitated). **System resiliency**: Total loss of whole cyber-physical system, of which the software is a part. **Environment**: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. **Financial**: Social systems (elections, financial grid, etc.) supported by the software collapse. **Psychological**: N/A." + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { "N": { "key": "N", - "name": "Negligible", - "definition": "Any one or more of these conditions hold. **Physical harm**: Minor injuries at worst (IEC 61508 Negligible). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. **System resiliency**: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. **Environment**: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses, which are not readily absorbable, to multiple persons. **Psychological**: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + "name": "None", + "definition": "There is no impact to availability within the Vulnerable System." }, - "M": { - "key": "M", - "name": "Marginal", - "definition": "Any one or more of these conditions hold. **Physical harm**: Major injuries to one or more persons (IEC 61508 Marginal). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. **System resiliency**: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. **Environment**: Major externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses that likely lead to bankruptcy of multiple persons. **Psychological**: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + "L": { + "key": "L", + "name": "Low", + "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." }, - "R": { - "key": "R", - "name": "Critical", - "definition": "Any one or more of these conditions hold. **Physical harm**: Loss of life (IEC 61508 Critical). **Operator resiliency**: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. **System resiliency**: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. **Environment**: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. **Financial**: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. **Psychological**: N/A." + "H": { + "key": "H", + "name": "High", + "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." }, - "C": { - "key": "C", - "name": "Catastrophic", - "definition": "Any one or more of these conditions hold. **Physical harm**: Multiple loss of life (IEC 61508 Catastrophic). **Operator resiliency**: Operator incapacitated (includes fatality or otherwise incapacitated). **System resiliency**: Total loss of whole cyber-physical system, of which the software is a part. **Environment**: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. **Financial**: Social systems (elections, financial grid, etc.) supported by the software collapse. **Psychological**: N/A." + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } } } }, - "SC": { - "key": "SC", + "MSC": { + "key": "MSC", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "ssvc", - "key": "SC", + "namespace": "cvss", + "key": "MSC", "version": "1.0.0", - "name": "Supplier Cardinality", - "definition": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?", + "name": "Modified Confidentiality Impact to the Subsequent System", + "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", "schemaVersion": "2.0.0", "values": [ { - "key": "O", - "name": "One", - "definition": "There is only one supplier of the vulnerable component." + "key": "N", + "name": "Negligible", + "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." }, { - "key": "M", - "name": "Multiple", - "definition": "There are multiple suppliers of the vulnerable component." + "key": "L", + "name": "Low", + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." + }, + { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { - "O": { - "key": "O", - "name": "One", - "definition": "There is only one supplier of the vulnerable component." + "N": { + "key": "N", + "name": "Negligible", + "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." }, - "M": { - "key": "M", - "name": "Multiple", - "definition": "There are multiple suppliers of the vulnerable component." - } - } - } - } - }, - "SCON": { - "key": "SCON", - "versions": { - "1.0.0": { - "version": "1.0.0", + "L": { + "key": "L", + "name": "Low", + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + }, + "H": { + "key": "H", + "name": "High", + "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." + }, + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." + } + } + }, + "1.0.1": { + "version": "1.0.1", "obj": { - "namespace": "ssvc", - "key": "SCON", - "version": "1.0.0", - "name": "Supplier Contacted", - "definition": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?", + "namespace": "cvss", + "key": "MSC", + "version": "1.0.1", + "name": "Modified Confidentiality Impact to the Subsequent System", + "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", "schemaVersion": "2.0.0", "values": [ { "key": "N", - "name": "No", - "definition": "The supplier has not been contacted." + "name": "Negligible", + "definition": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." }, { - "key": "Y", - "name": "Yes", - "definition": "The supplier has been contacted." + "key": "L", + "name": "Low", + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." + }, + { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } ] }, "values": { "N": { "key": "N", - "name": "No", - "definition": "The supplier has not been contacted." + "name": "Negligible", + "definition": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." }, - "Y": { - "key": "Y", - "name": "Yes", - "definition": "The supplier has been contacted." + "L": { + "key": "L", + "name": "Low", + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + }, + "H": { + "key": "H", + "name": "High", + "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." + }, + "X": { + "key": "X", + "name": "Not Defined", + "definition": "This metric value is not defined. See CVSS documentation for details." } } } } - }, - "SE": { - "key": "SE", + } + } + }, + "nist#800-30": { + "namespace": "nist#800-30", + "keys": { + "P_5X": { + "key": "P_5X", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "ssvc", - "key": "SE", + "namespace": "nist#800-30", + "key": "P_5X", "version": "1.0.0", - "name": "Supplier Engagement", - "definition": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?", + "name": "Probability Scale in 5 weighted levels, ascending", + "definition": "A probability scale with finer resolution at both extremes, based on NIST SP 800-30 Rev. 1 Appendix G", "schemaVersion": "2.0.0", "values": [ { - "key": "A", - "name": "Active", - "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort." + "key": "VL", + "name": "Very Low", + "definition": "0% <= Probability < 5%. Highly unlikely." }, { - "key": "U", - "name": "Unresponsive", - "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort." + "key": "L", + "name": "Low", + "definition": "5% <= Probability < 21%. Unlikely." + }, + { + "key": "M", + "name": "Moderate", + "definition": "21% <= Probability < 80%. Somewhat likely." + }, + { + "key": "H", + "name": "High", + "definition": "80% <= Probability < 96%. Highly likely." + }, + { + "key": "VH", + "name": "Very High", + "definition": "96% <= Probability <= 100%. Almost certain." } ] }, "values": { - "A": { - "key": "A", - "name": "Active", - "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort." + "VL": { + "key": "VL", + "name": "Very Low", + "definition": "0% <= Probability < 5%. Highly unlikely." }, - "U": { - "key": "U", - "name": "Unresponsive", - "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort." + "L": { + "key": "L", + "name": "Low", + "definition": "5% <= Probability < 21%. Unlikely." + }, + "M": { + "key": "M", + "name": "Moderate", + "definition": "21% <= Probability < 80%. Somewhat likely." + }, + "H": { + "key": "H", + "name": "High", + "definition": "80% <= Probability < 96%. Highly likely." + }, + "VH": { + "key": "VH", + "name": "Very High", + "definition": "96% <= Probability <= 100%. Almost certain." } } } } - }, - "SINV": { - "key": "SINV", + } + } + }, + "ssvc": { + "namespace": "ssvc", + "keys": { + "V": { + "key": "V", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "ssvc", - "key": "SINV", + "key": "V", "version": "1.0.0", - "name": "Supplier Involvement", - "definition": "What is the state of the supplier’s work on addressing the vulnerability?", + "name": "Virulence", + "definition": "The speed at which the vulnerability can be exploited.", "schemaVersion": "2.0.0", "values": [ { - "key": "FR", - "name": "Fix Ready", - "definition": "The supplier has provided a patch or fix." - }, - { - "key": "C", - "name": "Cooperative", - "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time." + "key": "S", + "name": "Slow", + "definition": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation." }, { - "key": "UU", - "name": "Uncooperative/Unresponsive", - "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists." + "key": "R", + "name": "Rapid", + "definition": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid." } ] }, "values": { - "FR": { - "key": "FR", - "name": "Fix Ready", - "definition": "The supplier has provided a patch or fix." - }, - "C": { - "key": "C", - "name": "Cooperative", - "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time." + "S": { + "key": "S", + "name": "Slow", + "definition": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation." }, - "UU": { - "key": "UU", - "name": "Uncooperative/Unresponsive", - "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists." + "R": { + "key": "R", + "name": "Rapid", + "definition": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid." } } } } }, - "EXP": { - "key": "EXP", + "A": { + "key": "A", "versions": { - "1.0.0": { - "version": "1.0.0", + "2.0.0": { + "version": "2.0.0", "obj": { "namespace": "ssvc", - "key": "EXP", - "version": "1.0.0", - "name": "System Exposure", - "definition": "The Accessible Attack Surface of the Affected System or Service", + "key": "A", + "version": "2.0.0", + "name": "Automatable", + "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?", "schemaVersion": "2.0.0", "values": [ { - "key": "S", - "name": "Small", - "definition": "Local service or program; highly controlled network" - }, - { - "key": "C", - "name": "Controlled", - "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." + "key": "N", + "name": "No", + "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation." }, { - "key": "U", - "name": "Unavoidable", - "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" + "key": "Y", + "name": "Yes", + "definition": "Attackers can reliably automate steps 1-4 of the kill chain." } ] }, "values": { - "S": { - "key": "S", - "name": "Small", - "definition": "Local service or program; highly controlled network" - }, - "C": { - "key": "C", - "name": "Controlled", - "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." + "N": { + "key": "N", + "name": "No", + "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation." }, - "U": { - "key": "U", - "name": "Unavoidable", - "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" - } - } - }, - "1.0.1": { - "version": "1.0.1", - "obj": { - "namespace": "ssvc", - "key": "EXP", - "version": "1.0.1", - "name": "System Exposure", - "definition": "The Accessible Attack Surface of the Affected System or Service", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "S", - "name": "Small", - "definition": "Local service or program; highly controlled network" - }, - { - "key": "C", - "name": "Controlled", - "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." - }, - { - "key": "O", - "name": "Open", - "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" - } - ] - }, - "values": { - "S": { - "key": "S", - "name": "Small", - "definition": "Local service or program; highly controlled network" - }, - "C": { - "key": "C", - "name": "Controlled", - "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." - }, - "O": { - "key": "O", - "name": "Open", - "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" + "Y": { + "key": "Y", + "name": "Yes", + "definition": "Attackers can reliably automate steps 1-4 of the kill chain." } } } } }, - "TI": { - "key": "TI", + "CS": { + "key": "CS", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "ssvc", - "key": "TI", + "key": "CS", "version": "1.0.0", - "name": "Technical Impact", - "definition": "The technical impact of the vulnerability.", + "name": "Critical Software", + "definition": "Denotes whether a system meets a critical software definition.", "schemaVersion": "2.0.0", "values": [ { - "key": "P", - "name": "Partial", - "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control." + "key": "N", + "name": "No", + "definition": "System does not meet a critical software definition." }, { - "key": "T", - "name": "Total", - "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." + "key": "Y", + "name": "Yes", + "definition": "System meets a critical software definition." } ] }, "values": { - "P": { - "key": "P", - "name": "Partial", - "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control." + "N": { + "key": "N", + "name": "No", + "definition": "System does not meet a critical software definition." }, - "T": { - "key": "T", - "name": "Total", - "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." + "Y": { + "key": "Y", + "name": "Yes", + "definition": "System meets a critical software definition." } } } } }, - "U": { - "key": "U", + "E": { + "key": "E", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "ssvc", - "key": "U", + "key": "E", "version": "1.0.0", - "name": "Utility", - "definition": "The Usefulness of the Exploit to the Adversary", + "name": "Exploitation", + "definition": "The present state of exploitation of the vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Laborious", - "definition": "Virulence:Slow and Value Density:Diffuse" + "key": "N", + "name": "None", + "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." }, { - "key": "E", - "name": "Efficient", - "definition": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated" + "key": "P", + "name": "PoC", + "definition": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation." }, { - "key": "S", - "name": "Super Effective", - "definition": "Virulence:Rapid and Value Density:Concentrated" + "key": "A", + "name": "Active", + "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." } ] }, "values": { - "L": { - "key": "L", - "name": "Laborious", - "definition": "Virulence:Slow and Value Density:Diffuse" + "N": { + "key": "N", + "name": "None", + "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." }, - "E": { - "key": "E", - "name": "Efficient", - "definition": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated" + "P": { + "key": "P", + "name": "PoC", + "definition": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation." }, - "S": { - "key": "S", - "name": "Super Effective", - "definition": "Virulence:Rapid and Value Density:Concentrated" + "A": { + "key": "A", + "name": "Active", + "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." } } }, - "1.0.1": { - "version": "1.0.1", + "1.1.0": { + "version": "1.1.0", "obj": { "namespace": "ssvc", - "key": "U", - "version": "1.0.1", - "name": "Utility", - "definition": "The Usefulness of the Exploit to the Adversary", + "key": "E", + "version": "1.1.0", + "name": "Exploitation", + "definition": "The present state of exploitation of the vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Laborious", - "definition": "Automatable:No AND Value Density:Diffuse" + "key": "N", + "name": "None", + "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." }, { - "key": "E", - "name": "Efficient", - "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)" + "key": "P", + "name": "Public PoC", + "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." }, { - "key": "S", - "name": "Super Effective", - "definition": "Automatable:Yes AND Value Density:Concentrated" + "key": "A", + "name": "Active", + "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." } ] }, "values": { - "L": { - "key": "L", - "name": "Laborious", - "definition": "Automatable:No AND Value Density:Diffuse" + "N": { + "key": "N", + "name": "None", + "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." }, - "E": { - "key": "E", - "name": "Efficient", - "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)" + "P": { + "key": "P", + "name": "Public PoC", + "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." }, - "S": { - "key": "S", - "name": "Super Effective", - "definition": "Automatable:Yes AND Value Density:Concentrated" + "A": { + "key": "A", + "name": "Active", + "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." } } } } }, - "VD": { - "key": "VD", + "HVA": { + "key": "HVA", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "ssvc", - "key": "VD", + "key": "HVA", "version": "1.0.0", - "name": "Value Density", - "definition": "The concentration of value in the target", + "name": "High Value Asset", + "definition": "Denotes whether a system meets a high value asset definition.", "schemaVersion": "2.0.0", "values": [ { - "key": "D", - "name": "Diffuse", - "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small." + "key": "N", + "name": "No", + "definition": "System does not meet a high value asset definition." }, { - "key": "C", - "name": "Concentrated", - "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users." + "key": "Y", + "name": "Yes", + "definition": "System meets a high value asset definition." } ] }, "values": { - "D": { - "key": "D", - "name": "Diffuse", - "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small." + "N": { + "key": "N", + "name": "No", + "definition": "System does not meet a high value asset definition." }, - "C": { - "key": "C", - "name": "Concentrated", - "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users." + "Y": { + "key": "Y", + "name": "Yes", + "definition": "System meets a high value asset definition." } } } } }, - "COORDINATE": { - "key": "COORDINATE", + "MWI": { + "key": "MWI", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "ssvc", - "key": "COORDINATE", + "key": "MWI", "version": "1.0.0", - "name": "Decline, Track, Coordinate", - "definition": "The coordinate outcome group.", + "name": "Mission and Well-Being Impact", + "definition": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.", "schemaVersion": "2.0.0", "values": [ { - "key": "D", - "name": "Decline", - "definition": "Decline" + "key": "L", + "name": "Low", + "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal" }, { - "key": "T", - "name": "Track", - "definition": "Track" + "key": "M", + "name": "Medium", + "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)" }, { - "key": "C", - "name": "Coordinate", - "definition": "Coordinate" + "key": "H", + "name": "High", + "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)" } ] }, "values": { - "D": { - "key": "D", - "name": "Decline", - "definition": "Decline" + "L": { + "key": "L", + "name": "Low", + "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal" }, - "T": { - "key": "T", - "name": "Track", - "definition": "Track" + "M": { + "key": "M", + "name": "Medium", + "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)" }, - "C": { - "key": "C", - "name": "Coordinate", - "definition": "Coordinate" + "H": { + "key": "H", + "name": "High", + "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)" } } - }, - "1.0.1": { - "version": "1.0.1", + } + } + }, + "HI": { + "key": "HI", + "versions": { + "2.0.0": { + "version": "2.0.0", "obj": { "namespace": "ssvc", - "key": "COORDINATE", - "version": "1.0.1", - "name": "Decline, Track, Coordinate", - "definition": "The coordinate outcome group.", + "key": "HI", + "version": "2.0.0", + "name": "Human Impact", + "definition": "Human Impact is a combination of Safety and Mission impacts.", "schemaVersion": "2.0.0", "values": [ { - "key": "D", - "name": "Decline", - "definition": "Do not act on the report." + "key": "L", + "name": "Low", + "definition": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)" }, { - "key": "T", - "name": "Track", - "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions." + "key": "M", + "name": "Medium", + "definition": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))" }, { - "key": "C", - "name": "Coordinate", - "definition": "Take action on the report." + "key": "H", + "name": "High", + "definition": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)" + }, + { + "key": "VH", + "name": "Very High", + "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" } ] }, "values": { - "D": { - "key": "D", - "name": "Decline", - "definition": "Do not act on the report." + "L": { + "key": "L", + "name": "Low", + "definition": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)" }, - "T": { - "key": "T", - "name": "Track", - "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions." + "M": { + "key": "M", + "name": "Medium", + "definition": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))" }, - "C": { - "key": "C", - "name": "Coordinate", - "definition": "Take action on the report." + "H": { + "key": "H", + "name": "High", + "definition": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)" + }, + "VH": { + "key": "VH", + "name": "Very High", + "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" } } - } - } - }, - "DSOI": { - "key": "DSOI", - "versions": { - "1.0.0": { - "version": "1.0.0", + }, + "2.0.1": { + "version": "2.0.1", "obj": { "namespace": "ssvc", - "key": "DSOI", - "version": "1.0.0", - "name": "Defer, Scheduled, Out-of-Cycle, Immediate", - "definition": "The original SSVC outcome group.", + "key": "HI", + "version": "2.0.1", + "name": "Human Impact", + "definition": "Human Impact is a combination of Safety and Mission impacts.", "schemaVersion": "2.0.0", "values": [ { - "key": "D", - "name": "Defer", - "definition": "Defer" + "key": "L", + "name": "Low", + "definition": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)" }, { - "key": "S", - "name": "Scheduled", - "definition": "Scheduled" + "key": "M", + "name": "Medium", + "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))" }, { - "key": "O", - "name": "Out-of-Cycle", - "definition": "Out-of-Cycle" + "key": "H", + "name": "High", + "definition": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" }, { - "key": "I", - "name": "Immediate", - "definition": "Immediate" + "key": "VH", + "name": "Very High", + "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" } ] }, "values": { - "D": { - "key": "D", - "name": "Defer", - "definition": "Defer" + "L": { + "key": "L", + "name": "Low", + "definition": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)" }, - "S": { - "key": "S", - "name": "Scheduled", - "definition": "Scheduled" + "M": { + "key": "M", + "name": "Medium", + "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))" }, - "O": { - "key": "O", - "name": "Out-of-Cycle", - "definition": "Out-of-Cycle" + "H": { + "key": "H", + "name": "High", + "definition": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" }, - "I": { - "key": "I", - "name": "Immediate", - "definition": "Immediate" + "VH": { + "key": "VH", + "name": "Very High", + "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" } } - } - } - }, - "PUBLISH": { - "key": "PUBLISH", - "versions": { - "1.0.0": { - "version": "1.0.0", + }, + "2.0.2": { + "version": "2.0.2", "obj": { "namespace": "ssvc", - "key": "PUBLISH", - "version": "1.0.0", - "name": "Publish, Do Not Publish", - "definition": "The publish outcome group.", + "key": "HI", + "version": "2.0.2", + "name": "Human Impact", + "definition": "Human Impact is a combination of Safety and Mission impacts.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "Do Not Publish", - "definition": "Do Not Publish" + "key": "L", + "name": "Low", + "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)" }, { - "key": "P", - "name": "Publish", - "definition": "Publish" + "key": "M", + "name": "Medium", + "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))" + }, + { + "key": "H", + "name": "High", + "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" + }, + { + "key": "VH", + "name": "Very High", + "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" } ] }, "values": { - "N": { - "key": "N", - "name": "Do Not Publish", - "definition": "Do Not Publish" + "L": { + "key": "L", + "name": "Low", + "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)" }, - "P": { - "key": "P", - "name": "Publish", - "definition": "Publish" + "M": { + "key": "M", + "name": "Medium", + "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))" + }, + "H": { + "key": "H", + "name": "High", + "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" + }, + "VH": { + "key": "VH", + "name": "Very High", + "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" } } } } - } - } - }, - "x_com.yahooinc#prioritized-risk-remediation": { - "namespace": "x_com.yahooinc#prioritized-risk-remediation", - "keys": { - "PARANOIDS": { - "key": "PARANOIDS", + }, + "MI": { + "key": "MI", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_com.yahooinc#prioritized-risk-remediation", - "key": "PARANOIDS", - "version": "1.0.0", - "name": "theParanoids", - "definition": "PrioritizedRiskRemediation outcome group based on TheParanoids.", + "namespace": "ssvc", + "key": "MI", + "version": "1.0.0", + "name": "Mission Impact", + "definition": "Impact on Mission Essential Functions of the Organization", "schemaVersion": "2.0.0", "values": [ { - "key": "5", - "name": "Track 5", - "definition": "Track" + "key": "N", + "name": "None", + "definition": "Little to no impact" }, { - "key": "4", - "name": "Track Closely 4", - "definition": "Track Closely" + "key": "NED", + "name": "Non-Essential Degraded", + "definition": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions" }, { - "key": "3", - "name": "Attend 3", - "definition": "Attend" + "key": "MSC", + "name": "MEF Support Crippled", + "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time" }, { - "key": "2", - "name": "Attend 2", - "definition": "Attend" + "key": "MEF", + "name": "MEF Failure", + "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time" }, { - "key": "1", - "name": "Act 1", - "definition": "Act" + "key": "MF", + "name": "Mission Failure", + "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" + } + ] + }, + "values": { + "N": { + "key": "N", + "name": "None", + "definition": "Little to no impact" + }, + "NED": { + "key": "NED", + "name": "Non-Essential Degraded", + "definition": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions" + }, + "MSC": { + "key": "MSC", + "name": "MEF Support Crippled", + "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time" + }, + "MEF": { + "key": "MEF", + "name": "MEF Failure", + "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time" + }, + "MF": { + "key": "MF", + "name": "Mission Failure", + "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" + } + } + }, + "2.0.0": { + "version": "2.0.0", + "obj": { + "namespace": "ssvc", + "key": "MI", + "version": "2.0.0", + "name": "Mission Impact", + "definition": "Impact on Mission Essential Functions of the Organization", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "D", + "name": "Degraded", + "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions" }, { - "key": "0", - "name": "Act ASAP 0", - "definition": "Act ASAP" + "key": "MSC", + "name": "MEF Support Crippled", + "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time" + }, + { + "key": "MEF", + "name": "MEF Failure", + "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time" + }, + { + "key": "MF", + "name": "Mission Failure", + "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" } ] }, "values": { - "5": { - "key": "5", - "name": "Track 5", - "definition": "Track" + "D": { + "key": "D", + "name": "Degraded", + "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions" }, - "4": { - "key": "4", - "name": "Track Closely 4", - "definition": "Track Closely" + "MSC": { + "key": "MSC", + "name": "MEF Support Crippled", + "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time" }, - "3": { - "key": "3", - "name": "Attend 3", - "definition": "Attend" + "MEF": { + "key": "MEF", + "name": "MEF Failure", + "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time" }, - "2": { - "key": "2", - "name": "Attend 2", - "definition": "Attend" + "MF": { + "key": "MF", + "name": "Mission Failure", + "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" + } + } + } + } + }, + "PWI": { + "key": "PWI", + "versions": { + "1.1.0": { + "version": "1.1.0", + "obj": { + "namespace": "ssvc", + "key": "PWI", + "version": "1.1.0", + "name": "Public Well-Being Impact", + "definition": "A coarse-grained representation of impact to public well-being.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "M", + "name": "Minimal", + "definition": "The effect is below the threshold for all aspects described in material. " + }, + { + "key": "MA", + "name": "Material", + "definition": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. " + }, + { + "key": "I", + "name": "Irreversible", + "definition": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A " + } + ] + }, + "values": { + "M": { + "key": "M", + "name": "Minimal", + "definition": "The effect is below the threshold for all aspects described in material. " }, - "1": { - "key": "1", - "name": "Act 1", - "definition": "Act" + "MA": { + "key": "MA", + "name": "Material", + "definition": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. " }, - "0": { - "key": "0", - "name": "Act ASAP 0", - "definition": "Act ASAP" + "I": { + "key": "I", + "name": "Irreversible", + "definition": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A " } } } } - } - } - } - } - }, - "DecisionTable": { - "type": "DecisionTable", - "namespaces": { - "cisa": { - "namespace": "cisa", - "keys": { - "DT_CO": { - "key": "DT_CO", + }, + "PSI": { + "key": "PSI", "versions": { - "2.0.3": { - "version": "2.0.3", + "2.0.0": { + "version": "2.0.0", "obj": { - "namespace": "cisa", - "key": "DT_CO", - "version": "2.0.3", - "name": "CISA Coordinator", - "definition": "CISA Coordinator decision table for SSVC", + "namespace": "ssvc", + "key": "PSI", + "version": "2.0.0", + "name": "Public Safety Impact", + "definition": "A coarse-grained representation of impact to public safety.", "schemaVersion": "2.0.0", - "decision_points": { - "ssvc:E:1.1.0": { - "namespace": "ssvc", - "key": "E", - "version": "1.1.0", - "name": "Exploitation", - "definition": "The present state of exploitation of the vulnerability.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "None", - "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." - }, - { - "key": "P", - "name": "Public PoC", - "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." - }, - { - "key": "A", - "name": "Active", - "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." - } - ] + "values": [ + { + "key": "M", + "name": "Minimal", + "definition": "Safety Impact:(None OR Minor)" }, - "ssvc:A:2.0.0": { - "namespace": "ssvc", - "key": "A", - "version": "2.0.0", - "name": "Automatable", - "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "No", - "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation." - }, - { - "key": "Y", - "name": "Yes", - "definition": "Attackers can reliably automate steps 1-4 of the kill chain." - } - ] - }, - "ssvc:TI:1.0.0": { - "namespace": "ssvc", - "key": "TI", - "version": "1.0.0", - "name": "Technical Impact", - "definition": "The technical impact of the vulnerability.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "P", - "name": "Partial", - "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control." - }, - { - "key": "T", - "name": "Total", - "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." - } - ] - }, - "ssvc:MWI:1.0.0": { - "namespace": "ssvc", - "key": "MWI", - "version": "1.0.0", - "name": "Mission and Well-Being Impact", - "definition": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal" - }, - { - "key": "M", - "name": "Medium", - "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)" - }, - { - "key": "H", - "name": "High", - "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)" - } - ] - }, - "cisa:CISA:1.1.0": { - "namespace": "cisa", - "key": "CISA", - "version": "1.1.0", - "name": "CISA Levels", - "definition": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "T", - "name": "Track", - "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines." - }, - { - "key": "T*", - "name": "Track*", - "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." - }, - { - "key": "AT", - "name": "Attend", - "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." - }, - { - "key": "AC", - "name": "Act", - "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." - } - ] + { + "key": "S", + "name": "Significant", + "definition": "Safety Impact:(Major OR Hazardous OR Catastrophic)" } + ] + }, + "values": { + "M": { + "key": "M", + "name": "Minimal", + "definition": "Safety Impact:(None OR Minor)" }, - "outcome": "cisa:CISA:1.1.0", - "mapping": [ - { - "ssvc:E:1.1.0": "N", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "L", - "cisa:CISA:1.1.0": "T" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "M", - "cisa:CISA:1.1.0": "T" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "H", - "cisa:CISA:1.1.0": "T" - }, + "S": { + "key": "S", + "name": "Significant", + "definition": "Safety Impact:(Major OR Hazardous OR Catastrophic)" + } + } + }, + "2.0.1": { + "version": "2.0.1", + "obj": { + "namespace": "ssvc", + "key": "PSI", + "version": "2.0.1", + "name": "Public Safety Impact", + "definition": "A coarse-grained representation of impact to public safety.", + "schemaVersion": "2.0.0", + "values": [ { - "ssvc:E:1.1.0": "N", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "L", - "cisa:CISA:1.1.0": "T" + "key": "M", + "name": "Minimal", + "definition": "Safety Impact:Negligible" }, { - "ssvc:E:1.1.0": "N", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "M", - "cisa:CISA:1.1.0": "T" - }, + "key": "S", + "name": "Significant", + "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)" + } + ] + }, + "values": { + "M": { + "key": "M", + "name": "Minimal", + "definition": "Safety Impact:Negligible" + }, + "S": { + "key": "S", + "name": "Significant", + "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)" + } + } + } + } + }, + "PVA": { + "key": "PVA", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "PVA", + "version": "1.0.0", + "name": "Public Value Added", + "definition": "How much value would a publication from the coordinator benefit the broader community?", + "schemaVersion": "2.0.0", + "values": [ { - "ssvc:E:1.1.0": "N", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "H", - "cisa:CISA:1.1.0": "T*" + "key": "L", + "name": "Limited", + "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets." }, { - "ssvc:E:1.1.0": "N", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "L", - "cisa:CISA:1.1.0": "T" + "key": "A", + "name": "Ampliative", + "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc." }, { - "ssvc:E:1.1.0": "N", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "M", - "cisa:CISA:1.1.0": "T" - }, + "key": "P", + "name": "Precedence", + "definition": "The publication would be the first publicly available, or be coincident with the first publicly available." + } + ] + }, + "values": { + "L": { + "key": "L", + "name": "Limited", + "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets." + }, + "A": { + "key": "A", + "name": "Ampliative", + "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc." + }, + "P": { + "key": "P", + "name": "Precedence", + "definition": "The publication would be the first publicly available, or be coincident with the first publicly available." + } + } + } + } + }, + "RC": { + "key": "RC", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "RC", + "version": "1.0.0", + "name": "Report Credibility", + "definition": "Is the report credible?", + "schemaVersion": "2.0.0", + "values": [ { - "ssvc:E:1.1.0": "N", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "H", - "cisa:CISA:1.1.0": "AT" + "key": "NC", + "name": "Not Credible", + "definition": "The report is not credible." }, { - "ssvc:E:1.1.0": "N", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "L", - "cisa:CISA:1.1.0": "T" - }, + "key": "C", + "name": "Credible", + "definition": "The report is credible." + } + ] + }, + "values": { + "NC": { + "key": "NC", + "name": "Not Credible", + "definition": "The report is not credible." + }, + "C": { + "key": "C", + "name": "Credible", + "definition": "The report is credible." + } + } + } + } + }, + "RP": { + "key": "RP", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "RP", + "version": "1.0.0", + "name": "Report Public", + "definition": "Is a viable report of the details of the vulnerability already publicly available?", + "schemaVersion": "2.0.0", + "values": [ { - "ssvc:E:1.1.0": "N", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "M", - "cisa:CISA:1.1.0": "T" + "key": "Y", + "name": "Yes", + "definition": "A public report of the vulnerability exists." }, { - "ssvc:E:1.1.0": "N", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "H", - "cisa:CISA:1.1.0": "AT" - }, + "key": "N", + "name": "No", + "definition": "No public report of the vulnerability exists." + } + ] + }, + "values": { + "Y": { + "key": "Y", + "name": "Yes", + "definition": "A public report of the vulnerability exists." + }, + "N": { + "key": "N", + "name": "No", + "definition": "No public report of the vulnerability exists." + } + } + } + } + }, + "SI": { + "key": "SI", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "SI", + "version": "1.0.0", + "name": "Safety Impact", + "definition": "The safety impact of the vulnerability.", + "schemaVersion": "2.0.0", + "values": [ { - "ssvc:E:1.1.0": "P", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "L", - "cisa:CISA:1.1.0": "T" + "key": "N", + "name": "None", + "definition": "The effect is below the threshold for all aspects described in Minor." }, { - "ssvc:E:1.1.0": "P", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "M", - "cisa:CISA:1.1.0": "T" + "key": "M", + "name": "Minor", + "definition": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." }, { - "ssvc:E:1.1.0": "P", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "H", - "cisa:CISA:1.1.0": "T*" + "key": "J", + "name": "Major", + "definition": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." }, { - "ssvc:E:1.1.0": "P", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "L", - "cisa:CISA:1.1.0": "T" + "key": "H", + "name": "Hazardous", + "definition": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A." }, { - "ssvc:E:1.1.0": "P", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "M", - "cisa:CISA:1.1.0": "T*" - }, + "key": "C", + "name": "Catastrophic", + "definition": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A." + } + ] + }, + "values": { + "N": { + "key": "N", + "name": "None", + "definition": "The effect is below the threshold for all aspects described in Minor." + }, + "M": { + "key": "M", + "name": "Minor", + "definition": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + }, + "J": { + "key": "J", + "name": "Major", + "definition": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + }, + "H": { + "key": "H", + "name": "Hazardous", + "definition": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A." + }, + "C": { + "key": "C", + "name": "Catastrophic", + "definition": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A." + } + } + }, + "2.0.0": { + "version": "2.0.0", + "obj": { + "namespace": "ssvc", + "key": "SI", + "version": "2.0.0", + "name": "Safety Impact", + "definition": "The safety impact of the vulnerability. (based on IEC 61508)", + "schemaVersion": "2.0.0", + "values": [ { - "ssvc:E:1.1.0": "P", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "H", - "cisa:CISA:1.1.0": "AT" + "key": "N", + "name": "Negligible", + "definition": "Any one or more of these conditions hold.

- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." }, { - "ssvc:E:1.1.0": "P", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "L", - "cisa:CISA:1.1.0": "T" + "key": "M", + "name": "Marginal", + "definition": "Any one or more of these conditions hold.

- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." }, { - "ssvc:E:1.1.0": "P", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "M", - "cisa:CISA:1.1.0": "T" + "key": "R", + "name": "Critical", + "definition": "Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A." }, { - "ssvc:E:1.1.0": "P", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "H", - "cisa:CISA:1.1.0": "AT" + "key": "C", + "name": "Catastrophic", + "definition": "Any one or more of these conditions hold.

- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A." + } + ] + }, + "values": { + "N": { + "key": "N", + "name": "Negligible", + "definition": "Any one or more of these conditions hold.

- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + }, + "M": { + "key": "M", + "name": "Marginal", + "definition": "Any one or more of these conditions hold.

- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + }, + "R": { + "key": "R", + "name": "Critical", + "definition": "Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A." + }, + "C": { + "key": "C", + "name": "Catastrophic", + "definition": "Any one or more of these conditions hold.

- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A." + } + } + }, + "2.0.1": { + "version": "2.0.1", + "obj": { + "namespace": "ssvc", + "key": "SI", + "version": "2.0.1", + "name": "Safety Impact", + "definition": "The safety impact of the vulnerability. (based on IEC 61508 with modifications)", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "Negligible", + "definition": "Any one or more of these conditions hold. **Physical harm**: Minor injuries at worst (IEC 61508 Negligible). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. **System resiliency**: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. **Environment**: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses, which are not readily absorbable, to multiple persons. **Psychological**: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." }, { - "ssvc:E:1.1.0": "P", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "L", - "cisa:CISA:1.1.0": "T" + "key": "M", + "name": "Marginal", + "definition": "Any one or more of these conditions hold. **Physical harm**: Major injuries to one or more persons (IEC 61508 Marginal). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. **System resiliency**: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. **Environment**: Major externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses that likely lead to bankruptcy of multiple persons. **Psychological**: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." }, { - "ssvc:E:1.1.0": "P", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "M", - "cisa:CISA:1.1.0": "T*" + "key": "R", + "name": "Critical", + "definition": "Any one or more of these conditions hold. **Physical harm**: Loss of life (IEC 61508 Critical). **Operator resiliency**: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. **System resiliency**: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. **Environment**: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. **Financial**: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. **Psychological**: N/A." }, { - "ssvc:E:1.1.0": "P", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "H", - "cisa:CISA:1.1.0": "AT" - }, - { - "ssvc:E:1.1.0": "A", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "L", - "cisa:CISA:1.1.0": "T" - }, - { - "ssvc:E:1.1.0": "A", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "M", - "cisa:CISA:1.1.0": "T" - }, - { - "ssvc:E:1.1.0": "A", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "H", - "cisa:CISA:1.1.0": "AT" - }, - { - "ssvc:E:1.1.0": "A", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "L", - "cisa:CISA:1.1.0": "T" - }, - { - "ssvc:E:1.1.0": "A", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "M", - "cisa:CISA:1.1.0": "AT" - }, - { - "ssvc:E:1.1.0": "A", - "ssvc:A:2.0.0": "N", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "H", - "cisa:CISA:1.1.0": "AC" - }, - { - "ssvc:E:1.1.0": "A", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "L", - "cisa:CISA:1.1.0": "AT" - }, - { - "ssvc:E:1.1.0": "A", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "M", - "cisa:CISA:1.1.0": "AT" - }, - { - "ssvc:E:1.1.0": "A", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "P", - "ssvc:MWI:1.0.0": "H", - "cisa:CISA:1.1.0": "AC" - }, - { - "ssvc:E:1.1.0": "A", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "L", - "cisa:CISA:1.1.0": "AT" - }, - { - "ssvc:E:1.1.0": "A", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "M", - "cisa:CISA:1.1.0": "AC" - }, - { - "ssvc:E:1.1.0": "A", - "ssvc:A:2.0.0": "Y", - "ssvc:TI:1.0.0": "T", - "ssvc:MWI:1.0.0": "H", - "cisa:CISA:1.1.0": "AC" + "key": "C", + "name": "Catastrophic", + "definition": "Any one or more of these conditions hold. **Physical harm**: Multiple loss of life (IEC 61508 Catastrophic). **Operator resiliency**: Operator incapacitated (includes fatality or otherwise incapacitated). **System resiliency**: Total loss of whole cyber-physical system, of which the software is a part. **Environment**: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. **Financial**: Social systems (elections, financial grid, etc.) supported by the software collapse. **Psychological**: N/A." } ] + }, + "values": { + "N": { + "key": "N", + "name": "Negligible", + "definition": "Any one or more of these conditions hold. **Physical harm**: Minor injuries at worst (IEC 61508 Negligible). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. **System resiliency**: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. **Environment**: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses, which are not readily absorbable, to multiple persons. **Psychological**: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + }, + "M": { + "key": "M", + "name": "Marginal", + "definition": "Any one or more of these conditions hold. **Physical harm**: Major injuries to one or more persons (IEC 61508 Marginal). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. **System resiliency**: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. **Environment**: Major externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses that likely lead to bankruptcy of multiple persons. **Psychological**: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + }, + "R": { + "key": "R", + "name": "Critical", + "definition": "Any one or more of these conditions hold. **Physical harm**: Loss of life (IEC 61508 Critical). **Operator resiliency**: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. **System resiliency**: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. **Environment**: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. **Financial**: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. **Psychological**: N/A." + }, + "C": { + "key": "C", + "name": "Catastrophic", + "definition": "Any one or more of these conditions hold. **Physical harm**: Multiple loss of life (IEC 61508 Catastrophic). **Operator resiliency**: Operator incapacitated (includes fatality or otherwise incapacitated). **System resiliency**: Total loss of whole cyber-physical system, of which the software is a part. **Environment**: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. **Financial**: Social systems (elections, financial grid, etc.) supported by the software collapse. **Psychological**: N/A." + } } } } - } - } - }, - "cvss": { - "namespace": "cvss", - "keys": { - "DT_CVSS_EQ5": { - "key": "DT_CVSS_EQ5", + }, + "SC": { + "key": "SC", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "DT_CVSS_EQ5", + "namespace": "ssvc", + "key": "SC", "version": "1.0.0", - "name": "CVSS v4 Equivalence Set 5", - "definition": "CVSS Equivalence Set 5 Decision Table", + "name": "Supplier Cardinality", + "definition": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?", "schemaVersion": "2.0.0", - "decision_points": { - "cvss:E_NoX:2.0.0": { - "namespace": "cvss", - "key": "E_NoX", - "version": "2.0.0", - "name": "Exploit Maturity (without Not Defined)", - "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "U", - "name": "Unreported", - "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" - }, - { - "key": "P", - "name": "Proof-of-Concept", - "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" - }, - { - "key": "A", - "name": "Attacked", - "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" - } - ] + "values": [ + { + "key": "O", + "name": "One", + "definition": "There is only one supplier of the vulnerable component." }, - "cvss:EQ5:1.0.0": { - "namespace": "cvss", - "key": "EQ5", - "version": "1.0.0", - "name": "Equivalence Set 5", - "definition": "E with 3 levels specified in Table 28", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "2: E:U" - }, - { - "key": "M", - "name": "Medium", - "definition": "1: E:P" - }, - { - "key": "H", - "name": "High", - "definition": "0: E:A" - } - ] + { + "key": "M", + "name": "Multiple", + "definition": "There are multiple suppliers of the vulnerable component." } + ] + }, + "values": { + "O": { + "key": "O", + "name": "One", + "definition": "There is only one supplier of the vulnerable component." }, - "outcome": "cvss:EQ5:1.0.0", - "mapping": [ - { - "cvss:E_NoX:2.0.0": "U", - "cvss:EQ5:1.0.0": "L" - }, + "M": { + "key": "M", + "name": "Multiple", + "definition": "There are multiple suppliers of the vulnerable component." + } + } + } + } + }, + "SCON": { + "key": "SCON", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "SCON", + "version": "1.0.0", + "name": "Supplier Contacted", + "definition": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?", + "schemaVersion": "2.0.0", + "values": [ { - "cvss:E_NoX:2.0.0": "P", - "cvss:EQ5:1.0.0": "M" + "key": "N", + "name": "No", + "definition": "The supplier has not been contacted." }, { - "cvss:E_NoX:2.0.0": "A", - "cvss:EQ5:1.0.0": "H" + "key": "Y", + "name": "Yes", + "definition": "The supplier has been contacted." } ] + }, + "values": { + "N": { + "key": "N", + "name": "No", + "definition": "The supplier has not been contacted." + }, + "Y": { + "key": "Y", + "name": "Yes", + "definition": "The supplier has been contacted." + } } } } }, - "DT_CVSS4_EQ4": { - "key": "DT_CVSS4_EQ4", + "SE": { + "key": "SE", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "DT_CVSS4_EQ4", + "namespace": "ssvc", + "key": "SE", "version": "1.0.0", - "name": "CVSS v4 Equivalence Set 4", - "definition": "This decision table models equivalence set 4 from CVSS v4.", + "name": "Supplier Engagement", + "definition": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?", "schemaVersion": "2.0.0", - "decision_points": { - "cvss:SC:1.0.0": { - "namespace": "cvss", - "key": "SC", - "version": "1.0.0", - "name": "Confidentiality Impact to the Subsequent System", - "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "Negligible", - "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." - }, - { - "key": "L", - "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." - }, - { - "key": "H", - "name": "High", - "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." - } - ] - }, - "cvss:MSI_NoX:1.0.1": { - "namespace": "cvss", - "key": "MSI_NoX", - "version": "1.0.1", - "name": "Modified Integrity Impact to the Subsequent System (without Not Defined)", - "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "Negligible", - "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." - }, - { - "key": "L", - "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." - }, - { - "key": "H", - "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." - }, - { - "key": "S", - "name": "Safety", - "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." - } - ] - }, - "cvss:MSA_NoX:1.0.1": { - "namespace": "cvss", - "key": "MSA_NoX", - "version": "1.0.1", - "name": "Modified Availability Impact to the Subsequent System (without Not Defined)", - "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "Negligible", - "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." - }, - { - "key": "L", - "name": "Low", - "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." - }, - { - "key": "H", - "name": "High", - "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." - }, - { - "key": "S", - "name": "Safety", - "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." - } - ] - }, - "cvss:EQ4:1.0.0": { - "namespace": "cvss", - "key": "EQ4", - "version": "1.0.0", - "name": "Equivalence Set 4", - "definition": "SC/SI/SA with 3 levels specified in Table 27", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)" - }, - { - "key": "M", - "name": "Medium", - "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)" - }, - { - "key": "H", - "name": "High", - "definition": "0: MSI:S or MSA:S" - } - ] - } - }, - "outcome": "cvss:EQ4:1.0.0", - "mapping": [ - { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "N", - "cvss:MSA_NoX:1.0.1": "N", - "cvss:EQ4:1.0.0": "L" - }, - { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "N", - "cvss:MSA_NoX:1.0.1": "N", - "cvss:EQ4:1.0.0": "L" - }, - { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "L", - "cvss:MSA_NoX:1.0.1": "N", - "cvss:EQ4:1.0.0": "L" - }, + "values": [ { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "N", - "cvss:MSA_NoX:1.0.1": "L", - "cvss:EQ4:1.0.0": "L" + "key": "A", + "name": "Active", + "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort." }, { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "N", - "cvss:MSA_NoX:1.0.1": "N", - "cvss:EQ4:1.0.0": "M" - }, + "key": "U", + "name": "Unresponsive", + "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort." + } + ] + }, + "values": { + "A": { + "key": "A", + "name": "Active", + "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort." + }, + "U": { + "key": "U", + "name": "Unresponsive", + "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort." + } + } + } + } + }, + "SINV": { + "key": "SINV", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "SINV", + "version": "1.0.0", + "name": "Supplier Involvement", + "definition": "What is the state of the supplier’s work on addressing the vulnerability?", + "schemaVersion": "2.0.0", + "values": [ { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "L", - "cvss:MSA_NoX:1.0.1": "N", - "cvss:EQ4:1.0.0": "L" + "key": "FR", + "name": "Fix Ready", + "definition": "The supplier has provided a patch or fix." }, { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "H", - "cvss:MSA_NoX:1.0.1": "N", - "cvss:EQ4:1.0.0": "M" + "key": "C", + "name": "Cooperative", + "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time." }, { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "N", - "cvss:MSA_NoX:1.0.1": "L", - "cvss:EQ4:1.0.0": "L" - }, + "key": "UU", + "name": "Uncooperative/Unresponsive", + "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists." + } + ] + }, + "values": { + "FR": { + "key": "FR", + "name": "Fix Ready", + "definition": "The supplier has provided a patch or fix." + }, + "C": { + "key": "C", + "name": "Cooperative", + "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time." + }, + "UU": { + "key": "UU", + "name": "Uncooperative/Unresponsive", + "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists." + } + } + } + } + }, + "EXP": { + "key": "EXP", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "EXP", + "version": "1.0.0", + "name": "System Exposure", + "definition": "The Accessible Attack Surface of the Affected System or Service", + "schemaVersion": "2.0.0", + "values": [ { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "L", - "cvss:MSA_NoX:1.0.1": "L", - "cvss:EQ4:1.0.0": "L" + "key": "S", + "name": "Small", + "definition": "Local service or program; highly controlled network" }, { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "N", - "cvss:MSA_NoX:1.0.1": "H", - "cvss:EQ4:1.0.0": "M" + "key": "C", + "name": "Controlled", + "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." }, { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "L", - "cvss:MSA_NoX:1.0.1": "N", - "cvss:EQ4:1.0.0": "M" - }, + "key": "U", + "name": "Unavoidable", + "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" + } + ] + }, + "values": { + "S": { + "key": "S", + "name": "Small", + "definition": "Local service or program; highly controlled network" + }, + "C": { + "key": "C", + "name": "Controlled", + "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." + }, + "U": { + "key": "U", + "name": "Unavoidable", + "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" + } + } + }, + "1.0.1": { + "version": "1.0.1", + "obj": { + "namespace": "ssvc", + "key": "EXP", + "version": "1.0.1", + "name": "System Exposure", + "definition": "The Accessible Attack Surface of the Affected System or Service", + "schemaVersion": "2.0.0", + "values": [ { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "H", - "cvss:MSA_NoX:1.0.1": "N", - "cvss:EQ4:1.0.0": "M" + "key": "S", + "name": "Small", + "definition": "Local service or program; highly controlled network" }, { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "S", - "cvss:MSA_NoX:1.0.1": "N", - "cvss:EQ4:1.0.0": "H" + "key": "C", + "name": "Controlled", + "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." }, { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "N", - "cvss:MSA_NoX:1.0.1": "L", - "cvss:EQ4:1.0.0": "M" - }, + "key": "O", + "name": "Open", + "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" + } + ] + }, + "values": { + "S": { + "key": "S", + "name": "Small", + "definition": "Local service or program; highly controlled network" + }, + "C": { + "key": "C", + "name": "Controlled", + "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." + }, + "O": { + "key": "O", + "name": "Open", + "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" + } + } + } + } + }, + "TI": { + "key": "TI", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "TI", + "version": "1.0.0", + "name": "Technical Impact", + "definition": "The technical impact of the vulnerability.", + "schemaVersion": "2.0.0", + "values": [ { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "L", - "cvss:MSA_NoX:1.0.1": "L", - "cvss:EQ4:1.0.0": "L" + "key": "P", + "name": "Partial", + "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control." }, { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "H", - "cvss:MSA_NoX:1.0.1": "L", - "cvss:EQ4:1.0.0": "M" - }, + "key": "T", + "name": "Total", + "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." + } + ] + }, + "values": { + "P": { + "key": "P", + "name": "Partial", + "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control." + }, + "T": { + "key": "T", + "name": "Total", + "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." + } + } + } + } + }, + "U": { + "key": "U", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "U", + "version": "1.0.0", + "name": "Utility", + "definition": "The Usefulness of the Exploit to the Adversary", + "schemaVersion": "2.0.0", + "values": [ { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "N", - "cvss:MSA_NoX:1.0.1": "H", - "cvss:EQ4:1.0.0": "M" + "key": "L", + "name": "Laborious", + "definition": "Virulence:Slow and Value Density:Diffuse" }, { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "L", - "cvss:MSA_NoX:1.0.1": "H", - "cvss:EQ4:1.0.0": "M" + "key": "E", + "name": "Efficient", + "definition": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated" }, { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "N", - "cvss:MSA_NoX:1.0.1": "S", - "cvss:EQ4:1.0.0": "H" - }, + "key": "S", + "name": "Super Effective", + "definition": "Virulence:Rapid and Value Density:Concentrated" + } + ] + }, + "values": { + "L": { + "key": "L", + "name": "Laborious", + "definition": "Virulence:Slow and Value Density:Diffuse" + }, + "E": { + "key": "E", + "name": "Efficient", + "definition": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated" + }, + "S": { + "key": "S", + "name": "Super Effective", + "definition": "Virulence:Rapid and Value Density:Concentrated" + } + } + }, + "1.0.1": { + "version": "1.0.1", + "obj": { + "namespace": "ssvc", + "key": "U", + "version": "1.0.1", + "name": "Utility", + "definition": "The Usefulness of the Exploit to the Adversary", + "schemaVersion": "2.0.0", + "values": [ { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "H", - "cvss:MSA_NoX:1.0.1": "N", - "cvss:EQ4:1.0.0": "M" + "key": "L", + "name": "Laborious", + "definition": "Automatable:No AND Value Density:Diffuse" }, { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "S", - "cvss:MSA_NoX:1.0.1": "N", - "cvss:EQ4:1.0.0": "H" + "key": "E", + "name": "Efficient", + "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)" }, { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "L", - "cvss:MSA_NoX:1.0.1": "L", - "cvss:EQ4:1.0.0": "M" + "key": "S", + "name": "Super Effective", + "definition": "Automatable:Yes AND Value Density:Concentrated" + } + ] + }, + "values": { + "L": { + "key": "L", + "name": "Laborious", + "definition": "Automatable:No AND Value Density:Diffuse" + }, + "E": { + "key": "E", + "name": "Efficient", + "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)" + }, + "S": { + "key": "S", + "name": "Super Effective", + "definition": "Automatable:Yes AND Value Density:Concentrated" + } + } + } + } + }, + "VD": { + "key": "VD", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "VD", + "version": "1.0.0", + "name": "Value Density", + "definition": "The concentration of value in the target", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "D", + "name": "Diffuse", + "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small." }, { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "H", - "cvss:MSA_NoX:1.0.1": "L", - "cvss:EQ4:1.0.0": "M" - }, - { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "S", - "cvss:MSA_NoX:1.0.1": "L", - "cvss:EQ4:1.0.0": "H" - }, - { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "N", - "cvss:MSA_NoX:1.0.1": "H", - "cvss:EQ4:1.0.0": "M" - }, - { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "L", - "cvss:MSA_NoX:1.0.1": "H", - "cvss:EQ4:1.0.0": "M" - }, - { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "H", - "cvss:MSA_NoX:1.0.1": "H", - "cvss:EQ4:1.0.0": "M" - }, - { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "N", - "cvss:MSA_NoX:1.0.1": "S", - "cvss:EQ4:1.0.0": "H" - }, - { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "L", - "cvss:MSA_NoX:1.0.1": "S", - "cvss:EQ4:1.0.0": "H" - }, - { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "S", - "cvss:MSA_NoX:1.0.1": "N", - "cvss:EQ4:1.0.0": "H" - }, - { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "H", - "cvss:MSA_NoX:1.0.1": "L", - "cvss:EQ4:1.0.0": "M" - }, - { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "S", - "cvss:MSA_NoX:1.0.1": "L", - "cvss:EQ4:1.0.0": "H" - }, - { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "L", - "cvss:MSA_NoX:1.0.1": "H", - "cvss:EQ4:1.0.0": "M" - }, - { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "H", - "cvss:MSA_NoX:1.0.1": "H", - "cvss:EQ4:1.0.0": "M" - }, - { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "S", - "cvss:MSA_NoX:1.0.1": "H", - "cvss:EQ4:1.0.0": "H" - }, - { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "N", - "cvss:MSA_NoX:1.0.1": "S", - "cvss:EQ4:1.0.0": "H" - }, - { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "L", - "cvss:MSA_NoX:1.0.1": "S", - "cvss:EQ4:1.0.0": "H" - }, - { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "H", - "cvss:MSA_NoX:1.0.1": "S", - "cvss:EQ4:1.0.0": "H" - }, - { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "S", - "cvss:MSA_NoX:1.0.1": "L", - "cvss:EQ4:1.0.0": "H" - }, - { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "H", - "cvss:MSA_NoX:1.0.1": "H", - "cvss:EQ4:1.0.0": "M" - }, - { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "S", - "cvss:MSA_NoX:1.0.1": "H", - "cvss:EQ4:1.0.0": "H" - }, - { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "L", - "cvss:MSA_NoX:1.0.1": "S", - "cvss:EQ4:1.0.0": "H" - }, + "key": "C", + "name": "Concentrated", + "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users." + } + ] + }, + "values": { + "D": { + "key": "D", + "name": "Diffuse", + "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small." + }, + "C": { + "key": "C", + "name": "Concentrated", + "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users." + } + } + } + } + }, + "COORDINATE": { + "key": "COORDINATE", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "COORDINATE", + "version": "1.0.0", + "name": "Decline, Track, Coordinate", + "definition": "The coordinate outcome group.", + "schemaVersion": "2.0.0", + "values": [ { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "H", - "cvss:MSA_NoX:1.0.1": "S", - "cvss:EQ4:1.0.0": "H" + "key": "D", + "name": "Decline", + "definition": "Decline" }, { - "cvss:SC:1.0.0": "N", - "cvss:MSI_NoX:1.0.1": "S", - "cvss:MSA_NoX:1.0.1": "S", - "cvss:EQ4:1.0.0": "H" + "key": "T", + "name": "Track", + "definition": "Track" }, { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "S", - "cvss:MSA_NoX:1.0.1": "H", - "cvss:EQ4:1.0.0": "H" - }, + "key": "C", + "name": "Coordinate", + "definition": "Coordinate" + } + ] + }, + "values": { + "D": { + "key": "D", + "name": "Decline", + "definition": "Decline" + }, + "T": { + "key": "T", + "name": "Track", + "definition": "Track" + }, + "C": { + "key": "C", + "name": "Coordinate", + "definition": "Coordinate" + } + } + }, + "1.0.1": { + "version": "1.0.1", + "obj": { + "namespace": "ssvc", + "key": "COORDINATE", + "version": "1.0.1", + "name": "Decline, Track, Coordinate", + "definition": "The coordinate outcome group.", + "schemaVersion": "2.0.0", + "values": [ { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "H", - "cvss:MSA_NoX:1.0.1": "S", - "cvss:EQ4:1.0.0": "H" + "key": "D", + "name": "Decline", + "definition": "Do not act on the report." }, { - "cvss:SC:1.0.0": "L", - "cvss:MSI_NoX:1.0.1": "S", - "cvss:MSA_NoX:1.0.1": "S", - "cvss:EQ4:1.0.0": "H" + "key": "T", + "name": "Track", + "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions." }, { - "cvss:SC:1.0.0": "H", - "cvss:MSI_NoX:1.0.1": "S", - "cvss:MSA_NoX:1.0.1": "S", - "cvss:EQ4:1.0.0": "H" + "key": "C", + "name": "Coordinate", + "definition": "Take action on the report." } ] + }, + "values": { + "D": { + "key": "D", + "name": "Decline", + "definition": "Do not act on the report." + }, + "T": { + "key": "T", + "name": "Track", + "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions." + }, + "C": { + "key": "C", + "name": "Coordinate", + "definition": "Take action on the report." + } } } } }, - "DT_CVSS4_EQ1": { - "key": "DT_CVSS4_EQ1", + "DSOI": { + "key": "DSOI", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cvss", - "key": "DT_CVSS4_EQ1", + "namespace": "ssvc", + "key": "DSOI", "version": "1.0.0", - "name": "CVSS v4 Equivalence Set 1", - "definition": "This decision table models equivalence set 1 from CVSS v4. Factors include Attack Vector (AV), Privileges Required (PR), and User Interaction (UI).", + "name": "Defer, Scheduled, Out-of-Cycle, Immediate", + "definition": "The original SSVC outcome group.", "schemaVersion": "2.0.0", - "decision_points": { - "cvss:AV:3.0.1": { - "namespace": "cvss", - "key": "AV", - "version": "3.0.1", - "name": "Attack Vector", - "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "P", - "name": "Physical", - "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." - }, - { - "key": "L", - "name": "Local", - "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." - }, - { - "key": "A", - "name": "Adjacent", - "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." - }, - { - "key": "N", - "name": "Network", - "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." - } - ] - }, - "cvss:PR:1.0.1": { - "namespace": "cvss", - "key": "PR", - "version": "1.0.1", - "name": "Privileges Required", - "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "H", - "name": "High", - "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." - }, - { - "key": "L", - "name": "Low", - "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." - }, - { - "key": "N", - "name": "None", - "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." - } - ] - }, - "cvss:UI:2.0.0": { - "namespace": "cvss", - "key": "UI", - "version": "2.0.0", - "name": "User Interaction", - "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "A", - "name": "Active", - "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." - }, - { - "key": "P", - "name": "Passive", - "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." - }, - { - "key": "N", - "name": "None", - "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." - } - ] - }, - "cvss:EQ1:1.0.0": { - "namespace": "cvss", - "key": "EQ1", - "version": "1.0.0", - "name": "Equivalence Set 1", - "definition": "AV/PR/UI with 3 levels specified in Table 24", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "2: AV:P or not(AV:N or PR:N or UI:N)" - }, - { - "key": "M", - "name": "Medium", - "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P" - }, - { - "key": "H", - "name": "High", - "definition": "0: AV:N and PR:N and UI:N" - } - ] - } - }, - "outcome": "cvss:EQ1:1.0.0", - "mapping": [ + "values": [ { - "cvss:AV:3.0.1": "P", - "cvss:PR:1.0.1": "H", - "cvss:UI:2.0.0": "A", - "cvss:EQ1:1.0.0": "L" + "key": "D", + "name": "Defer", + "definition": "Defer" }, { - "cvss:AV:3.0.1": "L", - "cvss:PR:1.0.1": "H", - "cvss:UI:2.0.0": "A", - "cvss:EQ1:1.0.0": "L" + "key": "S", + "name": "Scheduled", + "definition": "Scheduled" }, { - "cvss:AV:3.0.1": "P", - "cvss:PR:1.0.1": "L", - "cvss:UI:2.0.0": "A", - "cvss:EQ1:1.0.0": "L" + "key": "O", + "name": "Out-of-Cycle", + "definition": "Out-of-Cycle" }, { - "cvss:AV:3.0.1": "P", - "cvss:PR:1.0.1": "H", - "cvss:UI:2.0.0": "P", - "cvss:EQ1:1.0.0": "L" + "key": "I", + "name": "Immediate", + "definition": "Immediate" + } + ] + }, + "values": { + "D": { + "key": "D", + "name": "Defer", + "definition": "Defer" + }, + "S": { + "key": "S", + "name": "Scheduled", + "definition": "Scheduled" + }, + "O": { + "key": "O", + "name": "Out-of-Cycle", + "definition": "Out-of-Cycle" + }, + "I": { + "key": "I", + "name": "Immediate", + "definition": "Immediate" + } + } + } + } + }, + "PUBLISH": { + "key": "PUBLISH", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "PUBLISH", + "version": "1.0.0", + "name": "Publish, Do Not Publish", + "definition": "The publish outcome group.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "Do Not Publish", + "definition": "Do Not Publish" }, { - "cvss:AV:3.0.1": "A", - "cvss:PR:1.0.1": "H", - "cvss:UI:2.0.0": "A", - "cvss:EQ1:1.0.0": "L" + "key": "P", + "name": "Publish", + "definition": "Publish" + } + ] + }, + "values": { + "N": { + "key": "N", + "name": "Do Not Publish", + "definition": "Do Not Publish" + }, + "P": { + "key": "P", + "name": "Publish", + "definition": "Publish" + } + } + } + } + } + } + }, + "x_com.yahooinc#prioritized-risk-remediation": { + "namespace": "x_com.yahooinc#prioritized-risk-remediation", + "keys": { + "PARANOIDS": { + "key": "PARANOIDS", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "x_com.yahooinc#prioritized-risk-remediation", + "key": "PARANOIDS", + "version": "1.0.0", + "name": "theParanoids", + "definition": "PrioritizedRiskRemediation outcome group based on TheParanoids.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "5", + "name": "Track 5", + "definition": "Track" }, { - "cvss:AV:3.0.1": "L", - "cvss:PR:1.0.1": "L", - "cvss:UI:2.0.0": "A", - "cvss:EQ1:1.0.0": "L" + "key": "4", + "name": "Track Closely 4", + "definition": "Track Closely" }, { - "cvss:AV:3.0.1": "P", - "cvss:PR:1.0.1": "N", - "cvss:UI:2.0.0": "A", - "cvss:EQ1:1.0.0": "L" + "key": "3", + "name": "Attend 3", + "definition": "Attend" }, { - "cvss:AV:3.0.1": "L", - "cvss:PR:1.0.1": "H", - "cvss:UI:2.0.0": "P", - "cvss:EQ1:1.0.0": "L" + "key": "2", + "name": "Attend 2", + "definition": "Attend" }, { - "cvss:AV:3.0.1": "P", - "cvss:PR:1.0.1": "L", - "cvss:UI:2.0.0": "P", - "cvss:EQ1:1.0.0": "L" + "key": "1", + "name": "Act 1", + "definition": "Act" }, { - "cvss:AV:3.0.1": "P", - "cvss:PR:1.0.1": "H", - "cvss:UI:2.0.0": "N", - "cvss:EQ1:1.0.0": "L" - }, - { - "cvss:AV:3.0.1": "N", - "cvss:PR:1.0.1": "H", - "cvss:UI:2.0.0": "A", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "A", - "cvss:PR:1.0.1": "L", - "cvss:UI:2.0.0": "A", - "cvss:EQ1:1.0.0": "L" - }, - { - "cvss:AV:3.0.1": "L", - "cvss:PR:1.0.1": "N", - "cvss:UI:2.0.0": "A", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "A", - "cvss:PR:1.0.1": "H", - "cvss:UI:2.0.0": "P", - "cvss:EQ1:1.0.0": "L" - }, - { - "cvss:AV:3.0.1": "L", - "cvss:PR:1.0.1": "L", - "cvss:UI:2.0.0": "P", - "cvss:EQ1:1.0.0": "L" - }, - { - "cvss:AV:3.0.1": "P", - "cvss:PR:1.0.1": "N", - "cvss:UI:2.0.0": "P", - "cvss:EQ1:1.0.0": "L" - }, - { - "cvss:AV:3.0.1": "L", - "cvss:PR:1.0.1": "H", - "cvss:UI:2.0.0": "N", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "P", - "cvss:PR:1.0.1": "L", - "cvss:UI:2.0.0": "N", - "cvss:EQ1:1.0.0": "L" - }, - { - "cvss:AV:3.0.1": "N", - "cvss:PR:1.0.1": "L", - "cvss:UI:2.0.0": "A", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "A", - "cvss:PR:1.0.1": "N", - "cvss:UI:2.0.0": "A", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "N", - "cvss:PR:1.0.1": "H", - "cvss:UI:2.0.0": "P", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "A", - "cvss:PR:1.0.1": "L", - "cvss:UI:2.0.0": "P", - "cvss:EQ1:1.0.0": "L" - }, - { - "cvss:AV:3.0.1": "L", - "cvss:PR:1.0.1": "N", - "cvss:UI:2.0.0": "P", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "A", - "cvss:PR:1.0.1": "H", - "cvss:UI:2.0.0": "N", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "L", - "cvss:PR:1.0.1": "L", - "cvss:UI:2.0.0": "N", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "P", - "cvss:PR:1.0.1": "N", - "cvss:UI:2.0.0": "N", - "cvss:EQ1:1.0.0": "L" - }, - { - "cvss:AV:3.0.1": "N", - "cvss:PR:1.0.1": "N", - "cvss:UI:2.0.0": "A", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "N", - "cvss:PR:1.0.1": "L", - "cvss:UI:2.0.0": "P", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "A", - "cvss:PR:1.0.1": "N", - "cvss:UI:2.0.0": "P", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "N", - "cvss:PR:1.0.1": "H", - "cvss:UI:2.0.0": "N", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "A", - "cvss:PR:1.0.1": "L", - "cvss:UI:2.0.0": "N", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "L", - "cvss:PR:1.0.1": "N", - "cvss:UI:2.0.0": "N", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "N", - "cvss:PR:1.0.1": "N", - "cvss:UI:2.0.0": "P", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "N", - "cvss:PR:1.0.1": "L", - "cvss:UI:2.0.0": "N", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "A", - "cvss:PR:1.0.1": "N", - "cvss:UI:2.0.0": "N", - "cvss:EQ1:1.0.0": "M" - }, - { - "cvss:AV:3.0.1": "N", - "cvss:PR:1.0.1": "N", - "cvss:UI:2.0.0": "N", - "cvss:EQ1:1.0.0": "H" + "key": "0", + "name": "Act ASAP 0", + "definition": "Act ASAP" } ] + }, + "values": { + "5": { + "key": "5", + "name": "Track 5", + "definition": "Track" + }, + "4": { + "key": "4", + "name": "Track Closely 4", + "definition": "Track Closely" + }, + "3": { + "key": "3", + "name": "Attend 3", + "definition": "Attend" + }, + "2": { + "key": "2", + "name": "Attend 2", + "definition": "Attend" + }, + "1": { + "key": "1", + "name": "Act 1", + "definition": "Act" + }, + "0": { + "key": "0", + "name": "Act ASAP 0", + "definition": "Act ASAP" + } } } } - }, - "DT_CVSS4_EQ6": { - "key": "DT_CVSS4_EQ6", + } + } + } + } + }, + "DecisionTable": { + "type": "DecisionTable", + "namespaces": { + "cisa": { + "namespace": "cisa", + "keys": { + "DT_CO": { + "key": "DT_CO", "versions": { - "1.0.0": { - "version": "1.0.0", + "2.0.3": { + "version": "2.0.3", "obj": { - "namespace": "cvss", - "key": "DT_CVSS4_EQ6", - "version": "1.0.0", - "name": "CVSS v4 Equivalence Set 6", - "definition": "This decision table models equivalence set 6 from CVSS v4.", + "namespace": "cisa", + "key": "DT_CO", + "version": "2.0.3", + "name": "CISA Coordinator", + "definition": "CISA Coordinator decision table for SSVC", "schemaVersion": "2.0.0", "decision_points": { - "cvss:CR_NoX:1.1.1": { - "namespace": "cvss", - "key": "CR_NoX", - "version": "1.1.1", - "name": "Confidentiality Requirement (without Not Defined)", - "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.", + "ssvc:E:1.1.0": { + "namespace": "ssvc", + "key": "E", + "version": "1.1.0", + "name": "Exploitation", + "definition": "The present state of exploitation of the vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "N", + "name": "None", + "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." }, { - "key": "M", - "name": "Medium", - "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "P", + "name": "Public PoC", + "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." }, { - "key": "H", - "name": "High", - "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "A", + "name": "Active", + "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." } ] }, - "cvss:VC:3.0.0": { - "namespace": "cvss", - "key": "VC", - "version": "3.0.0", - "name": "Confidentiality Impact to the Vulnerable System", - "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", + "ssvc:A:2.0.0": { + "namespace": "ssvc", + "key": "A", + "version": "2.0.0", + "name": "Automatable", + "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?", "schemaVersion": "2.0.0", "values": [ { "key": "N", - "name": "None", - "definition": "There is no loss of confidentiality within the impacted component." - }, - { - "key": "L", - "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." - }, - { - "key": "H", - "name": "High", - "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." - } - ] - }, - "cvss:IR_NoX:1.1.1": { - "namespace": "cvss", - "key": "IR_NoX", - "version": "1.1.1", - "name": "Integrity Requirement (without Not Defined)", - "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." - }, - { - "key": "M", - "name": "Medium", - "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "name": "No", + "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation." }, { - "key": "H", - "name": "High", - "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "key": "Y", + "name": "Yes", + "definition": "Attackers can reliably automate steps 1-4 of the kill chain." } ] }, - "cvss:VI:3.0.0": { - "namespace": "cvss", - "key": "VI", - "version": "3.0.0", - "name": "Integrity Impact to the Vulnerable System", - "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "ssvc:TI:1.0.0": { + "namespace": "ssvc", + "key": "TI", + "version": "1.0.0", + "name": "Technical Impact", + "definition": "The technical impact of the vulnerability.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no loss of integrity within the Vulnerable System." - }, - { - "key": "L", - "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." + "key": "P", + "name": "Partial", + "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control." }, { - "key": "H", - "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection." + "key": "T", + "name": "Total", + "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." } ] }, - "cvss:AR_NoX:1.1.1": { - "namespace": "cvss", - "key": "AR_NoX", - "version": "1.1.1", - "name": "Availability Requirement (without Not Defined)", - "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.", + "ssvc:MWI:1.0.0": { + "namespace": "ssvc", + "key": "MWI", + "version": "1.0.0", + "name": "Mission and Well-Being Impact", + "definition": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.", "schemaVersion": "2.0.0", "values": [ { "key": "L", "name": "Low", - "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal" }, { "key": "M", "name": "Medium", - "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)" }, { "key": "H", "name": "High", - "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)" } ] }, - "cvss:VA:3.0.0": { - "namespace": "cvss", - "key": "VA", - "version": "3.0.0", - "name": "Availability Impact to the Vulnerable System", - "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", + "cisa:CISA:1.1.0": { + "namespace": "cisa", + "key": "CISA", + "version": "1.1.0", + "name": "CISA Levels", + "definition": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no impact to availability within the Vulnerable System." + "key": "T", + "name": "Track", + "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines." }, { - "key": "L", - "name": "Low", - "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." + "key": "T*", + "name": "Track*", + "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." }, { - "key": "H", - "name": "High", - "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." - } - ] - }, - "cvss:EQ6:1.0.0": { - "namespace": "cvss", - "key": "EQ6", - "version": "1.0.0", - "name": "Equivalence Set 6", - "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)" + "key": "AT", + "name": "Attend", + "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." }, { - "key": "H", - "name": "High", - "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)" + "key": "AC", + "name": "Act", + "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." } ] } }, - "outcome": "cvss:EQ6:1.0.0", + "outcome": "cisa:CISA:1.1.0", "mapping": [ { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "N", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "N", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "N", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "N", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "N", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "N", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "T*" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "N", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "N", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "N", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "N", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "N", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "N", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "P", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "P", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "P", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "T*" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "P", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "P", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T*" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "P", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "P", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "P", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "P", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "P", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "P", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T*" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "P", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "A", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "A", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "A", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "A", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "A", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "AT" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "A", + "ssvc:A:2.0.0": "N", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AC" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "A", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "AT" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "A", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "AT" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "A", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "P", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AC" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "A", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "AT" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "A", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "AC" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "ssvc:E:1.1.0": "A", + "ssvc:A:2.0.0": "Y", + "ssvc:TI:1.0.0": "T", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AC" + } + ] + } + } + } + } + } + }, + "cvss": { + "namespace": "cvss", + "keys": { + "DT_CVSS_EQ5": { + "key": "DT_CVSS_EQ5", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cvss", + "key": "DT_CVSS_EQ5", + "version": "1.0.0", + "name": "CVSS v4 Equivalence Set 5", + "definition": "CVSS Equivalence Set 5 Decision Table", + "schemaVersion": "2.0.0", + "decision_points": { + "cvss:E_NoX:2.0.0": { + "namespace": "cvss", + "key": "E_NoX", + "version": "2.0.0", + "name": "Exploit Maturity (without Not Defined)", + "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "U", + "name": "Unreported", + "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" + }, + { + "key": "P", + "name": "Proof-of-Concept", + "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" + }, + { + "key": "A", + "name": "Attacked", + "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" + } + ] }, + "cvss:EQ5:1.0.0": { + "namespace": "cvss", + "key": "EQ5", + "version": "1.0.0", + "name": "Equivalence Set 5", + "definition": "E with 3 levels specified in Table 28", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "2: E:U" + }, + { + "key": "M", + "name": "Medium", + "definition": "1: E:P" + }, + { + "key": "H", + "name": "High", + "definition": "0: E:A" + } + ] + } + }, + "outcome": "cvss:EQ5:1.0.0", + "mapping": [ { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:E_NoX:2.0.0": "U", + "cvss:EQ5:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:E_NoX:2.0.0": "P", + "cvss:EQ5:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:E_NoX:2.0.0": "A", + "cvss:EQ5:1.0.0": "H" + } + ] + } + } + } + }, + "DT_CVSS4_EQ4": { + "key": "DT_CVSS4_EQ4", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cvss", + "key": "DT_CVSS4_EQ4", + "version": "1.0.0", + "name": "CVSS v4 Equivalence Set 4", + "definition": "This decision table models equivalence set 4 from CVSS v4.", + "schemaVersion": "2.0.0", + "decision_points": { + "cvss:SC:1.0.0": { + "namespace": "cvss", + "key": "SC", + "version": "1.0.0", + "name": "Confidentiality Impact to the Subsequent System", + "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "Negligible", + "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." + } + ] }, - { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:MSI_NoX:1.0.1": { + "namespace": "cvss", + "key": "MSI_NoX", + "version": "1.0.1", + "name": "Modified Integrity Impact to the Subsequent System (without Not Defined)", + "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "Negligible", + "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." + }, + { + "key": "S", + "name": "Safety", + "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." + } + ] }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:MSA_NoX:1.0.1": { + "namespace": "cvss", + "key": "MSA_NoX", + "version": "1.0.1", + "name": "Modified Availability Impact to the Subsequent System (without Not Defined)", + "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "Negligible", + "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." + }, + { + "key": "H", + "name": "High", + "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + { + "key": "S", + "name": "Safety", + "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." + } + ] }, + "cvss:EQ4:1.0.0": { + "namespace": "cvss", + "key": "EQ4", + "version": "1.0.0", + "name": "Equivalence Set 4", + "definition": "SC/SI/SA with 3 levels specified in Table 27", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)" + }, + { + "key": "M", + "name": "Medium", + "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)" + }, + { + "key": "H", + "name": "High", + "definition": "0: MSI:S or MSA:S" + } + ] + } + }, + "outcome": "cvss:EQ4:1.0.0", + "mapping": [ { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "N", + "cvss:MSA_NoX:1.0.1": "N", + "cvss:EQ4:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "N", + "cvss:MSA_NoX:1.0.1": "N", + "cvss:EQ4:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "L", + "cvss:MSA_NoX:1.0.1": "N", + "cvss:EQ4:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "N", + "cvss:MSA_NoX:1.0.1": "L", + "cvss:EQ4:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "N", + "cvss:MSA_NoX:1.0.1": "N", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "L", + "cvss:MSA_NoX:1.0.1": "N", + "cvss:EQ4:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "H", + "cvss:MSA_NoX:1.0.1": "N", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "N", + "cvss:MSA_NoX:1.0.1": "L", + "cvss:EQ4:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "L", + "cvss:MSA_NoX:1.0.1": "L", + "cvss:EQ4:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "N", + "cvss:MSA_NoX:1.0.1": "H", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "L", + "cvss:MSA_NoX:1.0.1": "N", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "H", + "cvss:MSA_NoX:1.0.1": "N", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "S", + "cvss:MSA_NoX:1.0.1": "N", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "N", + "cvss:MSA_NoX:1.0.1": "L", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "L", + "cvss:MSA_NoX:1.0.1": "L", + "cvss:EQ4:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "H", + "cvss:MSA_NoX:1.0.1": "L", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "N", + "cvss:MSA_NoX:1.0.1": "H", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "L", + "cvss:MSA_NoX:1.0.1": "H", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "N", + "cvss:MSA_NoX:1.0.1": "S", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "H", + "cvss:MSA_NoX:1.0.1": "N", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "S", + "cvss:MSA_NoX:1.0.1": "N", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "L", + "cvss:MSA_NoX:1.0.1": "L", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "H", + "cvss:MSA_NoX:1.0.1": "L", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "S", + "cvss:MSA_NoX:1.0.1": "L", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "N", + "cvss:MSA_NoX:1.0.1": "H", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "L", + "cvss:MSA_NoX:1.0.1": "H", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "H", + "cvss:MSA_NoX:1.0.1": "H", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "N", + "cvss:MSA_NoX:1.0.1": "S", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "L", + "cvss:MSA_NoX:1.0.1": "S", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "S", + "cvss:MSA_NoX:1.0.1": "N", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "H", + "cvss:MSA_NoX:1.0.1": "L", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "S", + "cvss:MSA_NoX:1.0.1": "L", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "L", + "cvss:MSA_NoX:1.0.1": "H", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "H", + "cvss:MSA_NoX:1.0.1": "H", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "S", + "cvss:MSA_NoX:1.0.1": "H", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "N", + "cvss:MSA_NoX:1.0.1": "S", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "L", + "cvss:MSA_NoX:1.0.1": "S", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "H", + "cvss:MSA_NoX:1.0.1": "S", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "S", + "cvss:MSA_NoX:1.0.1": "L", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "H", + "cvss:MSA_NoX:1.0.1": "H", + "cvss:EQ4:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "S", + "cvss:MSA_NoX:1.0.1": "H", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "L", + "cvss:MSA_NoX:1.0.1": "S", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "H", + "cvss:MSA_NoX:1.0.1": "S", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "N", + "cvss:MSI_NoX:1.0.1": "S", + "cvss:MSA_NoX:1.0.1": "S", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "S", + "cvss:MSA_NoX:1.0.1": "H", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "H", + "cvss:MSA_NoX:1.0.1": "S", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "L", + "cvss:MSI_NoX:1.0.1": "S", + "cvss:MSA_NoX:1.0.1": "S", + "cvss:EQ4:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:SC:1.0.0": "H", + "cvss:MSI_NoX:1.0.1": "S", + "cvss:MSA_NoX:1.0.1": "S", + "cvss:EQ4:1.0.0": "H" + } + ] + } + } + } + }, + "DT_CVSS4_EQ1": { + "key": "DT_CVSS4_EQ1", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cvss", + "key": "DT_CVSS4_EQ1", + "version": "1.0.0", + "name": "CVSS v4 Equivalence Set 1", + "definition": "This decision table models equivalence set 1 from CVSS v4. Factors include Attack Vector (AV), Privileges Required (PR), and User Interaction (UI).", + "schemaVersion": "2.0.0", + "decision_points": { + "cvss:AV:3.0.1": { + "namespace": "cvss", + "key": "AV", + "version": "3.0.1", + "name": "Attack Vector", + "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "P", + "name": "Physical", + "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." + }, + { + "key": "L", + "name": "Local", + "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." + }, + { + "key": "A", + "name": "Adjacent", + "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." + }, + { + "key": "N", + "name": "Network", + "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." + } + ] }, - { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:PR:1.0.1": { + "namespace": "cvss", + "key": "PR", + "version": "1.0.1", + "name": "Privileges Required", + "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "H", + "name": "High", + "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." + }, + { + "key": "L", + "name": "Low", + "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." + }, + { + "key": "N", + "name": "None", + "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + } + ] }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:UI:2.0.0": { + "namespace": "cvss", + "key": "UI", + "version": "2.0.0", + "name": "User Interaction", + "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "A", + "name": "Active", + "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." + }, + { + "key": "P", + "name": "Passive", + "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." + }, + { + "key": "N", + "name": "None", + "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." + } + ] }, + "cvss:EQ1:1.0.0": { + "namespace": "cvss", + "key": "EQ1", + "version": "1.0.0", + "name": "Equivalence Set 1", + "definition": "AV/PR/UI with 3 levels specified in Table 24", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "2: AV:P or not(AV:N or PR:N or UI:N)" + }, + { + "key": "M", + "name": "Medium", + "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P" + }, + { + "key": "H", + "name": "High", + "definition": "0: AV:N and PR:N and UI:N" + } + ] + } + }, + "outcome": "cvss:EQ1:1.0.0", + "mapping": [ { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "P", + "cvss:PR:1.0.1": "H", + "cvss:UI:2.0.0": "A", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" + "cvss:AV:3.0.1": "L", + "cvss:PR:1.0.1": "H", + "cvss:UI:2.0.0": "A", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "P", + "cvss:PR:1.0.1": "L", + "cvss:UI:2.0.0": "A", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "P", + "cvss:PR:1.0.1": "H", + "cvss:UI:2.0.0": "P", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "A", + "cvss:PR:1.0.1": "H", + "cvss:UI:2.0.0": "A", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "L", + "cvss:PR:1.0.1": "L", + "cvss:UI:2.0.0": "A", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "P", + "cvss:PR:1.0.1": "N", + "cvss:UI:2.0.0": "A", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "L", + "cvss:PR:1.0.1": "H", + "cvss:UI:2.0.0": "P", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "P", + "cvss:PR:1.0.1": "L", + "cvss:UI:2.0.0": "P", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "P", + "cvss:PR:1.0.1": "H", + "cvss:UI:2.0.0": "N", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "N", + "cvss:PR:1.0.1": "H", + "cvss:UI:2.0.0": "A", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "A", + "cvss:PR:1.0.1": "L", + "cvss:UI:2.0.0": "A", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "L", + "cvss:PR:1.0.1": "N", + "cvss:UI:2.0.0": "A", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "A", + "cvss:PR:1.0.1": "H", + "cvss:UI:2.0.0": "P", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "L", + "cvss:PR:1.0.1": "L", + "cvss:UI:2.0.0": "P", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "P", + "cvss:PR:1.0.1": "N", + "cvss:UI:2.0.0": "P", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "L", + "cvss:PR:1.0.1": "H", + "cvss:UI:2.0.0": "N", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "P", + "cvss:PR:1.0.1": "L", + "cvss:UI:2.0.0": "N", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "N", + "cvss:PR:1.0.1": "L", + "cvss:UI:2.0.0": "A", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "A", + "cvss:PR:1.0.1": "N", + "cvss:UI:2.0.0": "A", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "N", + "cvss:PR:1.0.1": "H", + "cvss:UI:2.0.0": "P", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "A", + "cvss:PR:1.0.1": "L", + "cvss:UI:2.0.0": "P", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "L", + "cvss:PR:1.0.1": "N", + "cvss:UI:2.0.0": "P", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "A", + "cvss:PR:1.0.1": "H", + "cvss:UI:2.0.0": "N", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "L", + "cvss:PR:1.0.1": "L", + "cvss:UI:2.0.0": "N", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "P", + "cvss:PR:1.0.1": "N", + "cvss:UI:2.0.0": "N", + "cvss:EQ1:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "N", + "cvss:PR:1.0.1": "N", + "cvss:UI:2.0.0": "A", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "N", + "cvss:PR:1.0.1": "L", + "cvss:UI:2.0.0": "P", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "A", + "cvss:PR:1.0.1": "N", + "cvss:UI:2.0.0": "P", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "N", + "cvss:PR:1.0.1": "H", + "cvss:UI:2.0.0": "N", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "A", + "cvss:PR:1.0.1": "L", + "cvss:UI:2.0.0": "N", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "L", + "cvss:PR:1.0.1": "N", + "cvss:UI:2.0.0": "N", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "N", + "cvss:PR:1.0.1": "N", + "cvss:UI:2.0.0": "P", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "N", + "cvss:PR:1.0.1": "L", + "cvss:UI:2.0.0": "N", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "A", + "cvss:PR:1.0.1": "N", + "cvss:UI:2.0.0": "N", + "cvss:EQ1:1.0.0": "M" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:AV:3.0.1": "N", + "cvss:PR:1.0.1": "N", + "cvss:UI:2.0.0": "N", + "cvss:EQ1:1.0.0": "H" + } + ] + } + } + } + }, + "DT_CVSS4_EQ6": { + "key": "DT_CVSS4_EQ6", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cvss", + "key": "DT_CVSS4_EQ6", + "version": "1.0.0", + "name": "CVSS v4 Equivalence Set 6", + "definition": "This decision table models equivalence set 6 from CVSS v4.", + "schemaVersion": "2.0.0", + "decision_points": { + "cvss:CR_NoX:1.1.1": { + "namespace": "cvss", + "key": "CR_NoX", + "version": "1.1.1", + "name": "Confidentiality Requirement (without Not Defined)", + "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + } + ] }, - { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:VC:3.0.0": { + "namespace": "cvss", + "key": "VC", + "version": "3.0.0", + "name": "Confidentiality Impact to the Vulnerable System", + "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "definition": "There is no loss of confidentiality within the impacted component." + }, + { + "key": "L", + "name": "Low", + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + } + ] }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:IR_NoX:1.1.1": { + "namespace": "cvss", + "key": "IR_NoX", + "version": "1.1.1", + "name": "Integrity Requirement (without Not Defined)", + "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + } + ] }, - { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "L" + "cvss:VI:3.0.0": { + "namespace": "cvss", + "key": "VI", + "version": "3.0.0", + "name": "Integrity Impact to the Vulnerable System", + "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "definition": "There is no loss of integrity within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection." + } + ] + }, + "cvss:AR_NoX:1.1.1": { + "namespace": "cvss", + "key": "AR_NoX", + "version": "1.1.1", + "name": "Availability Requirement (without Not Defined)", + "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + } + ] + }, + "cvss:VA:3.0.0": { + "namespace": "cvss", + "key": "VA", + "version": "3.0.0", + "name": "Availability Impact to the Vulnerable System", + "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "definition": "There is no impact to availability within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + } + ] }, + "cvss:EQ6:1.0.0": { + "namespace": "cvss", + "key": "EQ6", + "version": "1.0.0", + "name": "Equivalence Set 6", + "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)" + }, + { + "key": "H", + "name": "High", + "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)" + } + ] + } + }, + "outcome": "cvss:EQ6:1.0.0", + "mapping": [ { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -10461,8 +10113,8 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -10470,8 +10122,8 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -10479,8 +10131,8 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -10488,8 +10140,8 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -10497,8 +10149,8 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -10506,8 +10158,8 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -10515,8 +10167,8 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -10524,8 +10176,8 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -10533,8 +10185,8 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -10542,8 +10194,8 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -10551,8 +10203,8 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -10560,157 +10212,121 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", + "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", + "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", + "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", @@ -10718,8 +10334,8 @@ "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", @@ -10728,44 +10344,44 @@ }, { "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", @@ -10773,44 +10389,26 @@ }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" - }, { "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", @@ -10818,71 +10416,53 @@ }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" - }, { "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", @@ -10890,7 +10470,7 @@ }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", @@ -10898,8 +10478,8 @@ "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", @@ -10907,8 +10487,8 @@ "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", @@ -10916,7 +10496,7 @@ "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", @@ -10925,38 +10505,47 @@ "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -10964,198 +10553,180 @@ "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { @@ -11164,7 +10735,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -11173,7 +10744,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11182,7 +10753,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11191,7 +10762,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11200,7 +10771,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11209,7 +10780,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11218,7 +10789,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11227,7 +10798,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11236,7 +10807,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11245,7 +10816,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11254,7 +10825,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11263,7 +10834,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11272,7 +10843,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11281,7 +10852,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11290,7 +10861,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11299,7 +10870,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11308,7 +10879,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11317,7 +10888,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11326,7 +10897,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -11335,7 +10906,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11344,7 +10915,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11353,7 +10924,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11362,7 +10933,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11371,7 +10942,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11380,7 +10951,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11389,7 +10960,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11398,7 +10969,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11407,7 +10978,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11416,7 +10987,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11425,7 +10996,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11434,7 +11005,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11443,7 +11014,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11452,7 +11023,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11461,7 +11032,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11470,7 +11041,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11479,7 +11050,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11488,7 +11059,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11497,7 +11068,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11506,7 +11077,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11515,7 +11086,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11524,7 +11095,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11533,7 +11104,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11542,7 +11113,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11551,7 +11122,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11560,7 +11131,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -11569,7 +11140,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11578,7 +11149,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11587,7 +11158,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11596,7 +11167,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11605,7 +11176,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11614,7 +11185,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11623,7 +11194,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11632,7 +11203,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11641,7 +11212,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11650,7 +11221,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11659,7 +11230,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11668,7 +11239,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11677,7 +11248,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11686,7 +11257,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11695,7 +11266,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11704,7 +11275,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11713,7 +11284,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11722,7 +11293,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11731,7 +11302,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11740,7 +11311,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11749,7 +11320,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11758,7 +11329,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11767,7 +11338,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11776,7 +11347,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11785,7 +11356,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11794,7 +11365,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -11803,8 +11374,8 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", @@ -11812,8 +11383,8 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", @@ -11821,8 +11392,8 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", @@ -11830,97 +11401,142 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { @@ -11928,7 +11544,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -11937,7 +11553,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -11946,7 +11562,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -11955,7 +11571,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -11964,7 +11580,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -11973,7 +11589,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -11982,7 +11598,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -11991,7 +11607,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12000,7 +11616,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12009,7 +11625,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12018,7 +11634,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12027,7 +11643,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12036,7 +11652,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12045,7 +11661,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12054,7 +11670,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -12063,7 +11679,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -12072,7 +11688,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -12081,7 +11697,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12090,7 +11706,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12099,7 +11715,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12108,7 +11724,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12117,7 +11733,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12126,7 +11742,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12135,7 +11751,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12144,7 +11760,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12153,7 +11769,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12162,7 +11778,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12171,7 +11787,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12180,7 +11796,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12189,7 +11805,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12198,7 +11814,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12207,7 +11823,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12216,7 +11832,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12225,7 +11841,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -12234,160 +11850,160 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" - }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, @@ -12396,7 +12012,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12405,7 +12021,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12414,7 +12030,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12423,7 +12039,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12432,7 +12048,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12441,7 +12057,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12450,7 +12066,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12459,7 +12075,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12468,7 +12084,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12477,7 +12093,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12486,7 +12102,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12495,7 +12111,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12504,7 +12120,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12513,7 +12129,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12522,7 +12138,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12531,7 +12147,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12540,7 +12156,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12549,7 +12165,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, @@ -12558,7 +12174,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12567,7 +12183,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12576,7 +12192,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12585,7 +12201,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12594,7 +12210,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12603,7 +12219,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12612,7 +12228,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12621,7 +12237,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12630,7 +12246,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12639,7 +12255,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12648,7 +12264,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12657,7 +12273,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12666,7 +12282,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12675,7 +12291,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12684,7 +12300,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -12693,205 +12309,124 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "L" - }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -12900,7 +12435,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -12909,7 +12444,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -12918,7 +12453,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -12927,7 +12462,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -12936,7 +12471,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -12945,7 +12480,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -12954,7 +12489,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -12963,7 +12498,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -12972,7 +12507,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -12981,7 +12516,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -12990,7 +12525,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -12999,7 +12534,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -13008,7 +12543,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -13017,125 +12552,125 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { @@ -13143,7 +12678,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -13152,7 +12687,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -13161,7 +12696,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13170,7 +12705,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13179,7 +12714,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -13188,7 +12723,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13197,7 +12732,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13206,7 +12741,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -13215,7 +12750,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -13224,7 +12759,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -13233,7 +12768,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -13242,7 +12777,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13251,7 +12786,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13260,7 +12795,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -13269,7 +12804,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13278,7 +12813,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13287,7 +12822,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13296,7 +12831,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13305,7 +12840,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13314,7 +12849,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13323,7 +12858,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13332,7 +12867,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13341,7 +12876,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13350,7 +12885,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, @@ -13359,7 +12894,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, @@ -13368,98 +12903,179 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -13467,7 +13083,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, @@ -13476,7 +13092,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13485,7 +13101,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13494,7 +13110,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, @@ -13503,7 +13119,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13512,7 +13128,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13521,7 +13137,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13530,7 +13146,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13539,7 +13155,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13548,7 +13164,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13557,7 +13173,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13566,7 +13182,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13575,7 +13191,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13584,7 +13200,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13593,7 +13209,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, @@ -13602,7 +13218,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, @@ -13611,7 +13227,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, @@ -13620,7 +13236,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13629,7 +13245,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13638,7 +13254,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13647,7 +13263,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13656,7 +13272,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13665,7 +13281,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13674,7 +13290,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13683,7 +13299,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13692,7 +13308,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13701,7 +13317,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13710,7 +13326,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13719,7 +13335,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13728,7 +13344,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13737,7 +13353,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13746,7 +13362,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13755,7 +13371,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13764,7 +13380,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, @@ -13773,160 +13389,160 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" - }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, @@ -13935,7 +13551,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -13944,7 +13560,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -13953,7 +13569,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -13962,7 +13578,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -13971,7 +13587,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -13980,7 +13596,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -13989,7 +13605,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -13998,7 +13614,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -14007,7 +13623,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -14016,7 +13632,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -14025,7 +13641,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -14034,7 +13650,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -14043,7 +13659,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -14052,7 +13668,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -14061,7 +13677,7 @@ "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -14070,7 +13686,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -14079,7 +13695,7 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, @@ -14088,7 +13704,7 @@ "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, @@ -14097,278 +13713,233 @@ "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "N", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "L" - }, - { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { @@ -14377,7 +13948,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14386,7 +13957,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14395,7 +13966,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14404,7 +13975,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14413,7 +13984,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14422,7 +13993,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14431,7 +14002,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14440,7 +14011,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14449,7 +14020,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14458,7 +14029,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14467,7 +14038,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14476,7 +14047,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14485,7 +14056,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14494,7 +14065,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14503,7 +14074,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14512,7 +14083,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14521,7 +14092,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14530,7 +14101,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14539,7 +14110,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14548,7 +14119,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14557,7 +14128,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14566,7 +14137,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14575,7 +14146,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14584,7 +14155,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14593,7 +14164,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14602,7 +14173,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14611,7 +14182,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14620,7 +14191,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "L" }, { @@ -14629,7 +14200,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14638,7 +14209,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -14647,7 +14218,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { @@ -14656,7 +14227,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { @@ -14665,7 +14236,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14674,7 +14245,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14683,7 +14254,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { @@ -14692,7 +14263,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14701,7 +14272,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14710,7 +14281,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { @@ -14719,7 +14290,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { @@ -14728,7 +14299,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { @@ -14737,7 +14308,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { @@ -14746,7 +14317,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14755,7 +14326,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14764,7 +14335,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { @@ -14773,7 +14344,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14782,7 +14353,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14791,7 +14362,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14800,7 +14371,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14809,7 +14380,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14818,7 +14389,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14827,7 +14398,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14836,7 +14407,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14845,7 +14416,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14854,7 +14425,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "L" }, { @@ -14863,7 +14434,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { @@ -14872,7 +14443,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { @@ -14881,7 +14452,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { @@ -14890,8 +14461,8 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", @@ -14899,8 +14470,8 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", @@ -14908,8 +14479,8 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", @@ -14917,8 +14488,8 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", @@ -14926,8 +14497,8 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", @@ -14935,8 +14506,8 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", @@ -14944,8 +14515,8 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", @@ -14953,8 +14524,8 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", @@ -14962,8 +14533,8 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", @@ -14971,8 +14542,8 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", @@ -14980,8 +14551,8 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", @@ -14989,8 +14560,8 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", @@ -14998,8 +14569,8 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", @@ -15007,8 +14578,8 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", @@ -15016,8 +14587,8 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", @@ -15025,8 +14596,8 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", @@ -15034,8 +14605,8 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", @@ -15043,210 +14614,138 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", + "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", @@ -15254,8 +14753,8 @@ "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", @@ -15265,7 +14764,7 @@ { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", @@ -15273,45 +14772,54 @@ }, { "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "L", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", + "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" @@ -15319,8 +14827,8 @@ { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "L" @@ -15328,108 +14836,99 @@ { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "N", - "cvss:AR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:CR_NoX:1.1.1": "M", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "L", - "cvss:VC:3.0.0": "H", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, @@ -15437,7 +14936,7 @@ "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" @@ -15446,7 +14945,7 @@ "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "L", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" @@ -15455,7 +14954,7 @@ "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" @@ -15464,7 +14963,7 @@ "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" @@ -15473,7 +14972,7 @@ "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" @@ -15482,7 +14981,7 @@ "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" @@ -15491,63 +14990,90 @@ "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "N", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "L", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", - "cvss:VC:3.0.0": "H", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { - "cvss:CR_NoX:1.1.1": "H", + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", + "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { "cvss:CR_NoX:1.1.1": "M", - "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", "cvss:EQ6:1.0.0": "H" }, { @@ -15556,7 +15082,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "L", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -15565,7 +15091,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -15574,7 +15100,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -15583,7 +15109,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -15592,7 +15118,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -15601,7 +15127,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -15610,7 +15136,7 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -15619,8 +15145,8 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", @@ -15628,8 +15154,8 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", @@ -15637,7 +15163,7 @@ "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -15646,8 +15172,8 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", @@ -15655,8 +15181,8 @@ "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "H", @@ -15664,7 +15190,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -15673,7 +15199,7 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { @@ -15682,453 +15208,1767 @@ "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", + "cvss:VA:3.0.0": "N", "cvss:EQ6:1.0.0": "H" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "M", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "L", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "M", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" }, { "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "L", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", "cvss:IR_NoX:1.1.1": "H", - "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", - "cvss:EQ6:1.0.0": "H" - }, - { - "cvss:CR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", - "cvss:IR_NoX:1.1.1": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:AR_NoX:1.1.1": "H", - "cvss:VA:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", "cvss:EQ6:1.0.0": "H" - } - ] - } - } - } - }, - "DT_CVSS4_EQ3": { - "key": "DT_CVSS4_EQ3", - "versions": { - "1.0.0": { - "version": "1.0.0", - "obj": { - "namespace": "cvss", - "key": "DT_CVSS4_EQ3", - "version": "1.0.0", - "name": "CVSS v4 Equivalence Set 3", - "definition": "This decision table models equivalence set 3 from CVSS v4.", - "schemaVersion": "2.0.0", - "decision_points": { - "cvss:VC:3.0.0": { - "namespace": "cvss", - "key": "VC", - "version": "3.0.0", - "name": "Confidentiality Impact to the Vulnerable System", - "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "None", - "definition": "There is no loss of confidentiality within the impacted component." - }, - { - "key": "L", - "name": "Low", - "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." - }, - { - "key": "H", - "name": "High", - "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." - } - ] - }, - "cvss:VI:3.0.0": { - "namespace": "cvss", - "key": "VI", - "version": "3.0.0", - "name": "Integrity Impact to the Vulnerable System", - "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "None", - "definition": "There is no loss of integrity within the Vulnerable System." - }, - { - "key": "L", - "name": "Low", - "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." - }, - { - "key": "H", - "name": "High", - "definition": "There is a total loss of integrity, or a complete loss of protection." - } - ] - }, - "cvss:VA:3.0.0": { - "namespace": "cvss", - "key": "VA", - "version": "3.0.0", - "name": "Availability Impact to the Vulnerable System", - "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "None", - "definition": "There is no impact to availability within the Vulnerable System." - }, - { - "key": "L", - "name": "Low", - "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." - }, - { - "key": "H", - "name": "High", - "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." - } - ] - }, - "cvss:EQ3:1.0.0": { - "namespace": "cvss", - "key": "EQ3", - "version": "1.0.0", - "name": "Equivalence Set 3", - "definition": "VC/VI/VA with 3 levels specified in Table 26", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "2: not (VC:H or VI:H or VA:H)" - }, - { - "key": "M", - "name": "Medium", - "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)" - }, - { - "key": "H", - "name": "High", - "definition": "0: VC:H and VI:H" - } - ] - } - }, - "outcome": "cvss:EQ3:1.0.0", - "mapping": [ - { - "cvss:VC:3.0.0": "N", - "cvss:VI:3.0.0": "N", - "cvss:VA:3.0.0": "N", - "cvss:EQ3:1.0.0": "L" }, { + "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "L", - "cvss:VI:3.0.0": "N", - "cvss:VA:3.0.0": "N", - "cvss:EQ3:1.0.0": "L" + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { - "cvss:VC:3.0.0": "N", - "cvss:VI:3.0.0": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ3:1.0.0": "L" + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { + "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "N", - "cvss:VI:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", "cvss:VA:3.0.0": "L", - "cvss:EQ3:1.0.0": "L" - }, - { - "cvss:VC:3.0.0": "H", - "cvss:VI:3.0.0": "N", - "cvss:VA:3.0.0": "N", - "cvss:EQ3:1.0.0": "M" + "cvss:EQ6:1.0.0": "H" }, { + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", - "cvss:VI:3.0.0": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ3:1.0.0": "L" + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" }, { - "cvss:VC:3.0.0": "N", + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ3:1.0.0": "M" + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" }, { - "cvss:VC:3.0.0": "L", + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "L", - "cvss:EQ3:1.0.0": "L" + "cvss:EQ6:1.0.0": "H" }, { - "cvss:VC:3.0.0": "N", - "cvss:VI:3.0.0": "L", + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "L", - "cvss:EQ3:1.0.0": "L" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:VC:3.0.0": "N", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", - "cvss:VA:3.0.0": "H", - "cvss:EQ3:1.0.0": "M" + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { + "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "L", - "cvss:VA:3.0.0": "N", - "cvss:EQ3:1.0.0": "M" + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" }, { + "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "L", - "cvss:VI:3.0.0": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ3:1.0.0": "M" + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", - "cvss:VI:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "L", - "cvss:EQ3:1.0.0": "M" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:VC:3.0.0": "L", + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "L", - "cvss:EQ3:1.0.0": "L" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:VC:3.0.0": "N", - "cvss:VI:3.0.0": "H", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "L", - "cvss:EQ3:1.0.0": "M" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:VC:3.0.0": "L", - "cvss:VI:3.0.0": "N", - "cvss:VA:3.0.0": "H", - "cvss:EQ3:1.0.0": "M" + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { - "cvss:VC:3.0.0": "N", - "cvss:VI:3.0.0": "L", - "cvss:VA:3.0.0": "H", - "cvss:EQ3:1.0.0": "M" + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:VA:3.0.0": "N", - "cvss:EQ3:1.0.0": "H" + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" }, { + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", - "cvss:VI:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "L", - "cvss:EQ3:1.0.0": "M" + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" }, { + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", "cvss:VA:3.0.0": "L", - "cvss:EQ3:1.0.0": "M" + "cvss:EQ6:1.0.0": "H" }, { + "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", - "cvss:EQ3:1.0.0": "M" + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" }, { + "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", - "cvss:EQ3:1.0.0": "M" + "cvss:EQ6:1.0.0": "L" }, { - "cvss:VC:3.0.0": "N", - "cvss:VI:3.0.0": "H", + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", - "cvss:EQ3:1.0.0": "M" + "cvss:EQ6:1.0.0": "L" }, { + "cvss:CR_NoX:1.1.1": "H", "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", "cvss:VI:3.0.0": "H", - "cvss:VA:3.0.0": "L", - "cvss:EQ3:1.0.0": "H" + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "H", - "cvss:VI:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", - "cvss:EQ3:1.0.0": "M" + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" }, { + "cvss:CR_NoX:1.1.1": "M", "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", - "cvss:EQ3:1.0.0": "M" + "cvss:EQ6:1.0.0": "H" }, { + "cvss:CR_NoX:1.1.1": "L", "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", "cvss:VA:3.0.0": "H", - "cvss:EQ3:1.0.0": "H" - } - ] - } - } - } - }, - "DT_CVSS4_EQ2": { - "key": "DT_CVSS4_EQ2", - "versions": { - "1.0.0": { - "version": "1.0.0", - "obj": { - "namespace": "cvss", - "key": "DT_CVSS4_EQ2", - "version": "1.0.0", - "name": "CVSS v4 Equivalence Set 2", - "definition": "This decision table models equivalence set 2 from CVSS v4. Factors include Attack Complexity (AC) and Attack Requirements (AT).", - "schemaVersion": "2.0.0", - "decision_points": { - "cvss:AC:3.0.1": { - "namespace": "cvss", - "key": "AC", - "version": "3.0.1", - "name": "Attack Complexity", - "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "H", - "name": "High", - "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." - }, - { - "key": "L", - "name": "Low", - "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " - } - ] + "cvss:EQ6:1.0.0": "H" }, - "cvss:AT:1.0.0": { - "namespace": "cvss", - "key": "AT", - "version": "1.0.0", - "name": "Attack Requirements", - "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "P", - "name": "Present", - "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." - }, - { - "key": "N", - "name": "None", - "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." - } - ] + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" }, - "cvss:EQ2:1.0.0": { - "namespace": "cvss", - "key": "EQ2", - "version": "1.0.0", - "name": "Equivalence Set 2", - "definition": "AC/AT with 2 levels specified in Table 25", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "1: not (AC:L and AT:N)" - }, - { - "key": "H", - "name": "High", - "definition": "0: AC:L and AT:N" - } - ] - } - }, - "outcome": "cvss:EQ2:1.0.0", - "mapping": [ { - "cvss:AC:3.0.1": "H", - "cvss:AT:1.0.0": "P", - "cvss:EQ2:1.0.0": "L" + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { - "cvss:AC:3.0.1": "L", - "cvss:AT:1.0.0": "P", - "cvss:EQ2:1.0.0": "L" + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" }, { - "cvss:AC:3.0.1": "H", - "cvss:AT:1.0.0": "N", - "cvss:EQ2:1.0.0": "L" + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" }, { - "cvss:AC:3.0.1": "L", + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "L" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "N", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "L", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "N", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "L", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "M", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "L", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "M", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "L", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "M", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + }, + { + "cvss:CR_NoX:1.1.1": "H", + "cvss:VC:3.0.0": "H", + "cvss:IR_NoX:1.1.1": "H", + "cvss:VI:3.0.0": "H", + "cvss:AR_NoX:1.1.1": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ6:1.0.0": "H" + } + ] + } + } + } + }, + "DT_CVSS4_EQ3": { + "key": "DT_CVSS4_EQ3", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cvss", + "key": "DT_CVSS4_EQ3", + "version": "1.0.0", + "name": "CVSS v4 Equivalence Set 3", + "definition": "This decision table models equivalence set 3 from CVSS v4.", + "schemaVersion": "2.0.0", + "decision_points": { + "cvss:VC:3.0.0": { + "namespace": "cvss", + "key": "VC", + "version": "3.0.0", + "name": "Confidentiality Impact to the Vulnerable System", + "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "definition": "There is no loss of confidentiality within the impacted component." + }, + { + "key": "L", + "name": "Low", + "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + } + ] + }, + "cvss:VI:3.0.0": { + "namespace": "cvss", + "key": "VI", + "version": "3.0.0", + "name": "Integrity Impact to the Vulnerable System", + "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "definition": "There is no loss of integrity within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "definition": "There is a total loss of integrity, or a complete loss of protection." + } + ] + }, + "cvss:VA:3.0.0": { + "namespace": "cvss", + "key": "VA", + "version": "3.0.0", + "name": "Availability Impact to the Vulnerable System", + "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "definition": "There is no impact to availability within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + } + ] + }, + "cvss:EQ3:1.0.0": { + "namespace": "cvss", + "key": "EQ3", + "version": "1.0.0", + "name": "Equivalence Set 3", + "definition": "VC/VI/VA with 3 levels specified in Table 26", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "2: not (VC:H or VI:H or VA:H)" + }, + { + "key": "M", + "name": "Medium", + "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)" + }, + { + "key": "H", + "name": "High", + "definition": "0: VC:H and VI:H" + } + ] + } + }, + "outcome": "cvss:EQ3:1.0.0", + "mapping": [ + { + "cvss:VC:3.0.0": "N", + "cvss:VI:3.0.0": "N", + "cvss:VA:3.0.0": "N", + "cvss:EQ3:1.0.0": "L" + }, + { + "cvss:VC:3.0.0": "L", + "cvss:VI:3.0.0": "N", + "cvss:VA:3.0.0": "N", + "cvss:EQ3:1.0.0": "L" + }, + { + "cvss:VC:3.0.0": "N", + "cvss:VI:3.0.0": "L", + "cvss:VA:3.0.0": "N", + "cvss:EQ3:1.0.0": "L" + }, + { + "cvss:VC:3.0.0": "N", + "cvss:VI:3.0.0": "N", + "cvss:VA:3.0.0": "L", + "cvss:EQ3:1.0.0": "L" + }, + { + "cvss:VC:3.0.0": "H", + "cvss:VI:3.0.0": "N", + "cvss:VA:3.0.0": "N", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "L", + "cvss:VI:3.0.0": "L", + "cvss:VA:3.0.0": "N", + "cvss:EQ3:1.0.0": "L" + }, + { + "cvss:VC:3.0.0": "N", + "cvss:VI:3.0.0": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "L", + "cvss:VI:3.0.0": "N", + "cvss:VA:3.0.0": "L", + "cvss:EQ3:1.0.0": "L" + }, + { + "cvss:VC:3.0.0": "N", + "cvss:VI:3.0.0": "L", + "cvss:VA:3.0.0": "L", + "cvss:EQ3:1.0.0": "L" + }, + { + "cvss:VC:3.0.0": "N", + "cvss:VI:3.0.0": "N", + "cvss:VA:3.0.0": "H", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "H", + "cvss:VI:3.0.0": "L", + "cvss:VA:3.0.0": "N", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "L", + "cvss:VI:3.0.0": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "H", + "cvss:VI:3.0.0": "N", + "cvss:VA:3.0.0": "L", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "L", + "cvss:VI:3.0.0": "L", + "cvss:VA:3.0.0": "L", + "cvss:EQ3:1.0.0": "L" + }, + { + "cvss:VC:3.0.0": "N", + "cvss:VI:3.0.0": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "L", + "cvss:VI:3.0.0": "N", + "cvss:VA:3.0.0": "H", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "N", + "cvss:VI:3.0.0": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "H", + "cvss:VI:3.0.0": "H", + "cvss:VA:3.0.0": "N", + "cvss:EQ3:1.0.0": "H" + }, + { + "cvss:VC:3.0.0": "H", + "cvss:VI:3.0.0": "L", + "cvss:VA:3.0.0": "L", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "L", + "cvss:VI:3.0.0": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "H", + "cvss:VI:3.0.0": "N", + "cvss:VA:3.0.0": "H", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "L", + "cvss:VI:3.0.0": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "N", + "cvss:VI:3.0.0": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "H", + "cvss:VI:3.0.0": "H", + "cvss:VA:3.0.0": "L", + "cvss:EQ3:1.0.0": "H" + }, + { + "cvss:VC:3.0.0": "H", + "cvss:VI:3.0.0": "L", + "cvss:VA:3.0.0": "H", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "L", + "cvss:VI:3.0.0": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ3:1.0.0": "M" + }, + { + "cvss:VC:3.0.0": "H", + "cvss:VI:3.0.0": "H", + "cvss:VA:3.0.0": "H", + "cvss:EQ3:1.0.0": "H" + } + ] + } + } + } + }, + "DT_CVSS4_EQ2": { + "key": "DT_CVSS4_EQ2", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cvss", + "key": "DT_CVSS4_EQ2", + "version": "1.0.0", + "name": "CVSS v4 Equivalence Set 2", + "definition": "This decision table models equivalence set 2 from CVSS v4. Factors include Attack Complexity (AC) and Attack Requirements (AT).", + "schemaVersion": "2.0.0", + "decision_points": { + "cvss:AC:3.0.1": { + "namespace": "cvss", + "key": "AC", + "version": "3.0.1", + "name": "Attack Complexity", + "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "H", + "name": "High", + "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." + }, + { + "key": "L", + "name": "Low", + "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " + } + ] + }, + "cvss:AT:1.0.0": { + "namespace": "cvss", + "key": "AT", + "version": "1.0.0", + "name": "Attack Requirements", + "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "P", + "name": "Present", + "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." + }, + { + "key": "N", + "name": "None", + "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." + } + ] + }, + "cvss:EQ2:1.0.0": { + "namespace": "cvss", + "key": "EQ2", + "version": "1.0.0", + "name": "Equivalence Set 2", + "definition": "AC/AT with 2 levels specified in Table 25", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "1: not (AC:L and AT:N)" + }, + { + "key": "H", + "name": "High", + "definition": "0: AC:L and AT:N" + } + ] + } + }, + "outcome": "cvss:EQ2:1.0.0", + "mapping": [ + { + "cvss:AC:3.0.1": "H", + "cvss:AT:1.0.0": "P", + "cvss:EQ2:1.0.0": "L" + }, + { + "cvss:AC:3.0.1": "L", + "cvss:AT:1.0.0": "P", + "cvss:EQ2:1.0.0": "L" + }, + { + "cvss:AC:3.0.1": "H", + "cvss:AT:1.0.0": "N", + "cvss:EQ2:1.0.0": "L" + }, + { + "cvss:AC:3.0.1": "L", "cvss:AT:1.0.0": "N", "cvss:EQ2:1.0.0": "H" } @@ -16152,187 +16992,502 @@ "decision_points": { "cvss:EQ1:1.0.0": { "namespace": "cvss", - "key": "EQ1", + "key": "EQ1", + "version": "1.0.0", + "name": "Equivalence Set 1", + "definition": "AV/PR/UI with 3 levels specified in Table 24", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "2: AV:P or not(AV:N or PR:N or UI:N)" + }, + { + "key": "M", + "name": "Medium", + "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P" + }, + { + "key": "H", + "name": "High", + "definition": "0: AV:N and PR:N and UI:N" + } + ] + }, + "cvss:EQ2:1.0.0": { + "namespace": "cvss", + "key": "EQ2", + "version": "1.0.0", + "name": "Equivalence Set 2", + "definition": "AC/AT with 2 levels specified in Table 25", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "1: not (AC:L and AT:N)" + }, + { + "key": "H", + "name": "High", + "definition": "0: AC:L and AT:N" + } + ] + }, + "cvss:EQ3:1.0.0": { + "namespace": "cvss", + "key": "EQ3", + "version": "1.0.0", + "name": "Equivalence Set 3", + "definition": "VC/VI/VA with 3 levels specified in Table 26", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "2: not (VC:H or VI:H or VA:H)" + }, + { + "key": "M", + "name": "Medium", + "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)" + }, + { + "key": "H", + "name": "High", + "definition": "0: VC:H and VI:H" + } + ] + }, + "cvss:EQ4:1.0.0": { + "namespace": "cvss", + "key": "EQ4", "version": "1.0.0", - "name": "Equivalence Set 1", - "definition": "AV/PR/UI with 3 levels specified in Table 24", + "name": "Equivalence Set 4", + "definition": "SC/SI/SA with 3 levels specified in Table 27", "schemaVersion": "2.0.0", "values": [ { "key": "L", "name": "Low", - "definition": "2: AV:P or not(AV:N or PR:N or UI:N)" + "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)" }, { "key": "M", "name": "Medium", - "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P" + "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)" }, { "key": "H", "name": "High", - "definition": "0: AV:N and PR:N and UI:N" + "definition": "0: MSI:S or MSA:S" + } + ] + }, + "cvss:EQ5:1.0.0": { + "namespace": "cvss", + "key": "EQ5", + "version": "1.0.0", + "name": "Equivalence Set 5", + "definition": "E with 3 levels specified in Table 28", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "2: E:U" + }, + { + "key": "M", + "name": "Medium", + "definition": "1: E:P" + }, + { + "key": "H", + "name": "High", + "definition": "0: E:A" + } + ] + }, + "cvss:EQ6:1.0.0": { + "namespace": "cvss", + "key": "EQ6", + "version": "1.0.0", + "name": "Equivalence Set 6", + "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)" + }, + { + "key": "H", + "name": "High", + "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)" } ] }, - "cvss:EQ2:1.0.0": { - "namespace": "cvss", - "key": "EQ2", - "version": "1.0.0", - "name": "Equivalence Set 2", - "definition": "AC/AT with 2 levels specified in Table 25", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "1: not (AC:L and AT:N)" - }, - { - "key": "H", - "name": "High", - "definition": "0: AC:L and AT:N" - } - ] + "cvss:CVSS:1.0.0": { + "namespace": "cvss", + "key": "CVSS", + "version": "1.0.0", + "name": "CVSS Qualitative Severity Rating Scale", + "definition": "The CVSS Qualitative Severity Rating Scale group.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "definition": "None (0.0)" + }, + { + "key": "L", + "name": "Low", + "definition": "Low (0.1-3.9)" + }, + { + "key": "M", + "name": "Medium", + "definition": "Medium (4.0-6.9)" + }, + { + "key": "H", + "name": "High", + "definition": "High (7.0-8.9)" + }, + { + "key": "C", + "name": "Critical", + "definition": "Critical (9.0-10.0)" + } + ] + } + }, + "outcome": "cvss:CVSS:1.0.0", + "mapping": [ + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" }, - "cvss:EQ3:1.0.0": { - "namespace": "cvss", - "key": "EQ3", - "version": "1.0.0", - "name": "Equivalence Set 3", - "definition": "VC/VI/VA with 3 levels specified in Table 26", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "2: not (VC:H or VI:H or VA:H)" - }, - { - "key": "M", - "name": "Medium", - "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)" - }, - { - "key": "H", - "name": "High", - "definition": "0: VC:H and VI:H" - } - ] + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" }, - "cvss:EQ4:1.0.0": { - "namespace": "cvss", - "key": "EQ4", - "version": "1.0.0", - "name": "Equivalence Set 4", - "definition": "SC/SI/SA with 3 levels specified in Table 27", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)" - }, - { - "key": "M", - "name": "Medium", - "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)" - }, - { - "key": "H", - "name": "High", - "definition": "0: MSI:S or MSA:S" - } - ] + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" }, - "cvss:EQ5:1.0.0": { - "namespace": "cvss", - "key": "EQ5", - "version": "1.0.0", - "name": "Equivalence Set 5", - "definition": "E with 3 levels specified in Table 28", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "2: E:U" - }, - { - "key": "M", - "name": "Medium", - "definition": "1: E:P" - }, - { - "key": "H", - "name": "High", - "definition": "0: E:A" - } - ] + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "L" }, - "cvss:EQ6:1.0.0": { - "namespace": "cvss", - "key": "EQ6", - "version": "1.0.0", - "name": "Equivalence Set 6", - "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Low", - "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)" - }, - { - "key": "H", - "name": "High", - "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)" - } - ] + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" }, - "cvss:CVSS:1.0.0": { - "namespace": "cvss", - "key": "CVSS", - "version": "1.0.0", - "name": "CVSS Qualitative Severity Rating Scale", - "definition": "The CVSS Qualitative Severity Rating Scale group.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "None", - "definition": "None (0.0)" - }, - { - "key": "L", - "name": "Low", - "definition": "Low (0.1-3.9)" - }, - { - "key": "M", - "name": "Medium", - "definition": "Medium (4.0-6.9)" - }, - { - "key": "H", - "name": "High", - "definition": "High (7.0-8.9)" - }, - { - "key": "C", - "name": "Critical", - "definition": "Critical (9.0-10.0)" - } - ] - } - }, - "outcome": "cvss:CVSS:1.0.0", - "mapping": [ { "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "L", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "L" @@ -16341,7 +17496,7 @@ "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "L" @@ -16350,7 +17505,7 @@ "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "L" @@ -16359,25 +17514,79 @@ "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "L" }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "L" }, { "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "L" @@ -16386,9 +17595,45 @@ "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "H", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "L" }, { @@ -16397,7 +17642,7 @@ "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { @@ -16406,7 +17651,7 @@ "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { @@ -16415,7 +17660,7 @@ "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { @@ -16424,7 +17669,7 @@ "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { @@ -16433,7 +17678,7 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { @@ -16442,7 +17687,7 @@ "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { @@ -16451,7 +17696,7 @@ "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { @@ -16460,7 +17705,7 @@ "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { @@ -16469,7 +17714,7 @@ "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { @@ -16478,7 +17723,7 @@ "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { @@ -16487,7 +17732,7 @@ "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { @@ -16496,7 +17741,7 @@ "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { @@ -16505,7 +17750,7 @@ "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { @@ -16514,204 +17759,276 @@ "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" + }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "L" }, @@ -16720,88 +18037,169 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "M" + }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "L" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "M" + }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, @@ -16810,7 +18208,7 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, @@ -16819,16 +18217,16 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, @@ -16837,16 +18235,16 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, @@ -16855,7 +18253,7 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, @@ -16864,16 +18262,16 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, @@ -16882,7 +18280,7 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, @@ -16891,7 +18289,7 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, @@ -16900,33 +18298,33 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "L" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "L", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" @@ -16935,26 +18333,98 @@ "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" + }, + { + "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "M" + }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -16963,16 +18433,16 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -16981,7 +18451,7 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -16990,34 +18460,34 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -17026,7 +18496,7 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -17035,7 +18505,7 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -17044,7 +18514,7 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -17053,16 +18523,16 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -17071,7 +18541,7 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -17080,7 +18550,7 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -17089,16 +18559,16 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -17107,7 +18577,7 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -17116,7 +18586,7 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -17125,7 +18595,7 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -17134,16 +18604,16 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, @@ -17152,89 +18622,125 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "H" + }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, { - "cvss:EQ1:1.0.0": "M", + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "H" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "L" + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "M" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, { - "cvss:EQ1:1.0.0": "M", + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "M" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, { @@ -17242,25 +18748,25 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -17269,7 +18775,7 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -17278,7 +18784,7 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -17287,25 +18793,25 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -17314,7 +18820,7 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -17323,7 +18829,7 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -17332,25 +18838,25 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -17359,25 +18865,25 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -17386,16 +18892,16 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -17404,25 +18910,25 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -17431,70 +18937,70 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" - }, - { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:CVSS:1.0.0": "M" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "L", + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "L" + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "H" }, @@ -17503,16 +19009,16 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "H" }, @@ -17521,7 +19027,7 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "H" }, @@ -17530,16 +19036,16 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "H" }, @@ -17548,16 +19054,16 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "H" }, @@ -17566,7 +19072,7 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "H" }, @@ -17575,25 +19081,25 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "H" }, @@ -17602,34 +19108,34 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "H" }, @@ -17638,7 +19144,7 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", "cvss:CVSS:1.0.0": "H" }, @@ -17647,160 +19153,124 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" - }, - { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { - "cvss:EQ1:1.0.0": "M", + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "H" }, { - "cvss:EQ1:1.0.0": "M", + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "H" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" - }, - { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { - "cvss:EQ1:1.0.0": "M", + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "H" }, { - "cvss:EQ1:1.0.0": "M", + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "H" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" - }, - { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" - }, - { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", + "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, @@ -17809,16 +19279,16 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -17827,7 +19297,7 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, @@ -17836,79 +19306,79 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -17917,7 +19387,7 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, @@ -17926,43 +19396,43 @@ "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -17971,43 +19441,43 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "L", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "M" }, @@ -18016,90 +19486,135 @@ "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:CVSS:1.0.0": "H" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "L", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "M", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", @@ -18107,8 +19622,8 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "H", @@ -18116,8 +19631,8 @@ "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "H", @@ -18125,8 +19640,8 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "M", @@ -18134,8 +19649,8 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "H", @@ -18143,7 +19658,7 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18152,7 +19667,7 @@ "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18161,8 +19676,8 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "M", @@ -18170,7 +19685,7 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18179,7 +19694,7 @@ "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18188,8 +19703,8 @@ "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "M", @@ -18197,7 +19712,7 @@ "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18206,7 +19721,7 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18215,7 +19730,7 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18224,7 +19739,7 @@ "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18233,8 +19748,8 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "M", @@ -18242,7 +19757,7 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "L", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18251,7 +19766,7 @@ "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18260,8 +19775,8 @@ "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "M", @@ -18269,7 +19784,7 @@ "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18278,8 +19793,8 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "L", @@ -18287,7 +19802,7 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18296,7 +19811,7 @@ "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18305,7 +19820,7 @@ "cvss:EQ3:1.0.0": "L", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18314,7 +19829,7 @@ "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18323,7 +19838,7 @@ "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { @@ -18332,2123 +19847,2428 @@ "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", + "cvss:EQ6:1.0.0": "H", "cvss:CVSS:1.0.0": "H" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", "cvss:EQ5:1.0.0": "L", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "M", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "L", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "M", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "H", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "M", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "M", + "cvss:EQ2:1.0.0": "L", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" + }, + { + "cvss:EQ1:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "H", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "cvss:EQ3:1.0.0": "H", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "H", + "cvss:EQ6:1.0.0": "L", + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", + "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ4:1.0.0": "H", + "cvss:EQ5:1.0.0": "M", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "cvss:CVSS:1.0.0": "C" }, { - "cvss:EQ1:1.0.0": "M", + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", + "cvss:EQ3:1.0.0": "M", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", + "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "cvss:CVSS:1.0.0": "C" }, { "cvss:EQ1:1.0.0": "M", "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" - }, - { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "cvss:CVSS:1.0.0": "C" }, { - "cvss:EQ1:1.0.0": "L", + "cvss:EQ1:1.0.0": "H", "cvss:EQ2:1.0.0": "H", "cvss:EQ3:1.0.0": "H", "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", + "cvss:EQ5:1.0.0": "H", "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "cvss:CVSS:1.0.0": "C" + } + ] + } + } + } + } + } + }, + "ssvc": { + "namespace": "ssvc", + "keys": { + "DT_DP": { + "key": "DT_DP", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "DT_DP", + "version": "1.0.0", + "name": "Deployer Patch Application Priority", + "definition": "Decision table for evaluating deployer's patch application priority in SSVC", + "schemaVersion": "2.0.0", + "decision_points": { + "ssvc:E:1.1.0": { + "namespace": "ssvc", + "key": "E", + "version": "1.1.0", + "name": "Exploitation", + "definition": "The present state of exploitation of the vulnerability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + }, + { + "key": "P", + "name": "Public PoC", + "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." + }, + { + "key": "A", + "name": "Active", + "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + } + ] + }, + "ssvc:EXP:1.0.1": { + "namespace": "ssvc", + "key": "EXP", + "version": "1.0.1", + "name": "System Exposure", + "definition": "The Accessible Attack Surface of the Affected System or Service", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "S", + "name": "Small", + "definition": "Local service or program; highly controlled network" + }, + { + "key": "C", + "name": "Controlled", + "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." + }, + { + "key": "O", + "name": "Open", + "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" + } + ] + }, + "ssvc:A:2.0.0": { + "namespace": "ssvc", + "key": "A", + "version": "2.0.0", + "name": "Automatable", + "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "No", + "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation." + }, + { + "key": "Y", + "name": "Yes", + "definition": "Attackers can reliably automate steps 1-4 of the kill chain." + } + ] + }, + "ssvc:HI:2.0.2": { + "namespace": "ssvc", + "key": "HI", + "version": "2.0.2", + "name": "Human Impact", + "definition": "Human Impact is a combination of Safety and Mission impacts.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)" + }, + { + "key": "M", + "name": "Medium", + "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))" + }, + { + "key": "H", + "name": "High", + "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" + }, + { + "key": "VH", + "name": "Very High", + "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" + } + ] + }, + "ssvc:DSOI:1.0.0": { + "namespace": "ssvc", + "key": "DSOI", + "version": "1.0.0", + "name": "Defer, Scheduled, Out-of-Cycle, Immediate", + "definition": "The original SSVC outcome group.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "D", + "name": "Defer", + "definition": "Defer" + }, + { + "key": "S", + "name": "Scheduled", + "definition": "Scheduled" + }, + { + "key": "O", + "name": "Out-of-Cycle", + "definition": "Out-of-Cycle" + }, + { + "key": "I", + "name": "Immediate", + "definition": "Immediate" + } + ] + } + }, + "outcome": "ssvc:DSOI:1.0.0", + "mapping": [ + { + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "D" + }, + { + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "D" + }, + { + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "D" + }, + { + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "D" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "D" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "N", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "D" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "M" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "D" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "P", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "S", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "C", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "S" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "N", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "I" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "L", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "M", + "ssvc:DSOI:1.0.0": "O" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "H", + "ssvc:DSOI:1.0.0": "I" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": "A", + "ssvc:EXP:1.0.1": "O", + "ssvc:A:2.0.0": "Y", + "ssvc:HI:2.0.2": "VH", + "ssvc:DSOI:1.0.0": "I" + } + ] + } + } + } + }, + "DT_COORD_PUBLISH": { + "key": "DT_COORD_PUBLISH", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "DT_COORD_PUBLISH", + "version": "1.0.0", + "name": "Coordinator Publish Decision Table", + "definition": "This decision table is used to determine the priority of a coordinator publish.", + "schemaVersion": "2.0.0", + "decision_points": { + "ssvc:SINV:1.0.0": { + "namespace": "ssvc", + "key": "SINV", + "version": "1.0.0", + "name": "Supplier Involvement", + "definition": "What is the state of the supplier’s work on addressing the vulnerability?", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "FR", + "name": "Fix Ready", + "definition": "The supplier has provided a patch or fix." + }, + { + "key": "C", + "name": "Cooperative", + "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time." + }, + { + "key": "UU", + "name": "Uncooperative/Unresponsive", + "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists." + } + ] }, - { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:E:1.1.0": { + "namespace": "ssvc", + "key": "E", + "version": "1.1.0", + "name": "Exploitation", + "definition": "The present state of exploitation of the vulnerability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + }, + { + "key": "P", + "name": "Public PoC", + "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." + }, + { + "key": "A", + "name": "Active", + "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + } + ] + }, + "ssvc:PVA:1.0.0": { + "namespace": "ssvc", + "key": "PVA", + "version": "1.0.0", + "name": "Public Value Added", + "definition": "How much value would a publication from the coordinator benefit the broader community?", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Limited", + "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets." + }, + { + "key": "A", + "name": "Ampliative", + "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc." + }, + { + "key": "P", + "name": "Precedence", + "definition": "The publication would be the first publicly available, or be coincident with the first publicly available." + } + ] }, + "ssvc:PUBLISH:1.0.0": { + "namespace": "ssvc", + "key": "PUBLISH", + "version": "1.0.0", + "name": "Publish, Do Not Publish", + "definition": "The publish outcome group.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "Do Not Publish", + "definition": "Do Not Publish" + }, + { + "key": "P", + "name": "Publish", + "definition": "Publish" + } + ] + } + }, + "outcome": "ssvc:PUBLISH:1.0.0", + "mapping": [ { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "H" + "ssvc:SINV:1.0.0": "FR", + "ssvc:E:1.1.0": "N", + "ssvc:PVA:1.0.0": "L", + "ssvc:PUBLISH:1.0.0": "N" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "C", + "ssvc:E:1.1.0": "N", + "ssvc:PVA:1.0.0": "L", + "ssvc:PUBLISH:1.0.0": "N" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "FR", + "ssvc:E:1.1.0": "P", + "ssvc:PVA:1.0.0": "L", + "ssvc:PUBLISH:1.0.0": "N" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "FR", + "ssvc:E:1.1.0": "N", + "ssvc:PVA:1.0.0": "A", + "ssvc:PUBLISH:1.0.0": "N" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "UU", + "ssvc:E:1.1.0": "N", + "ssvc:PVA:1.0.0": "L", + "ssvc:PUBLISH:1.0.0": "N" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "C", + "ssvc:E:1.1.0": "P", + "ssvc:PVA:1.0.0": "L", + "ssvc:PUBLISH:1.0.0": "N" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "L", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "FR", + "ssvc:E:1.1.0": "A", + "ssvc:PVA:1.0.0": "L", + "ssvc:PUBLISH:1.0.0": "N" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "C", + "ssvc:E:1.1.0": "N", + "ssvc:PVA:1.0.0": "A", + "ssvc:PUBLISH:1.0.0": "N" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "FR", + "ssvc:E:1.1.0": "P", + "ssvc:PVA:1.0.0": "A", + "ssvc:PUBLISH:1.0.0": "N" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "FR", + "ssvc:E:1.1.0": "N", + "ssvc:PVA:1.0.0": "P", + "ssvc:PUBLISH:1.0.0": "P" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "UU", + "ssvc:E:1.1.0": "P", + "ssvc:PVA:1.0.0": "L", + "ssvc:PUBLISH:1.0.0": "N" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "L", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "C", + "ssvc:E:1.1.0": "A", + "ssvc:PVA:1.0.0": "L", + "ssvc:PUBLISH:1.0.0": "N" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "UU", + "ssvc:E:1.1.0": "N", + "ssvc:PVA:1.0.0": "A", + "ssvc:PUBLISH:1.0.0": "N" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "C", + "ssvc:E:1.1.0": "P", + "ssvc:PVA:1.0.0": "A", + "ssvc:PUBLISH:1.0.0": "N" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "FR", + "ssvc:E:1.1.0": "A", + "ssvc:PVA:1.0.0": "A", + "ssvc:PUBLISH:1.0.0": "P" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "L", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "C", + "ssvc:E:1.1.0": "N", + "ssvc:PVA:1.0.0": "P", + "ssvc:PUBLISH:1.0.0": "P" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "FR", + "ssvc:E:1.1.0": "P", + "ssvc:PVA:1.0.0": "P", + "ssvc:PUBLISH:1.0.0": "P" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "UU", + "ssvc:E:1.1.0": "A", + "ssvc:PVA:1.0.0": "L", + "ssvc:PUBLISH:1.0.0": "P" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "UU", + "ssvc:E:1.1.0": "P", + "ssvc:PVA:1.0.0": "A", + "ssvc:PUBLISH:1.0.0": "P" }, { - "cvss:EQ1:1.0.0": "L", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "C", + "ssvc:E:1.1.0": "A", + "ssvc:PVA:1.0.0": "A", + "ssvc:PUBLISH:1.0.0": "P" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "L", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "UU", + "ssvc:E:1.1.0": "N", + "ssvc:PVA:1.0.0": "P", + "ssvc:PUBLISH:1.0.0": "P" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "M", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "C", + "ssvc:E:1.1.0": "P", + "ssvc:PVA:1.0.0": "P", + "ssvc:PUBLISH:1.0.0": "P" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "M", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "FR", + "ssvc:E:1.1.0": "A", + "ssvc:PVA:1.0.0": "P", + "ssvc:PUBLISH:1.0.0": "P" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "M", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "UU", + "ssvc:E:1.1.0": "A", + "ssvc:PVA:1.0.0": "A", + "ssvc:PUBLISH:1.0.0": "P" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "L", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "UU", + "ssvc:E:1.1.0": "P", + "ssvc:PVA:1.0.0": "P", + "ssvc:PUBLISH:1.0.0": "P" }, { - "cvss:EQ1:1.0.0": "M", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "C", + "ssvc:E:1.1.0": "A", + "ssvc:PVA:1.0.0": "P", + "ssvc:PUBLISH:1.0.0": "P" }, { - "cvss:EQ1:1.0.0": "H", - "cvss:EQ2:1.0.0": "H", - "cvss:EQ3:1.0.0": "H", - "cvss:EQ4:1.0.0": "H", - "cvss:EQ5:1.0.0": "H", - "cvss:EQ6:1.0.0": "H", - "cvss:CVSS:1.0.0": "C" + "ssvc:SINV:1.0.0": "UU", + "ssvc:E:1.1.0": "A", + "ssvc:PVA:1.0.0": "P", + "ssvc:PUBLISH:1.0.0": "P" } ] } } } - } - } - }, - "ssvc": { - "namespace": "ssvc", - "keys": { - "DT_DP": { - "key": "DT_DP", + }, + "DT_COORD_TRIAGE": { + "key": "DT_COORD_TRIAGE", "versions": { "1.0.0": { "version": "1.0.0", "obj": { "namespace": "ssvc", - "key": "DT_DP", + "key": "DT_COORD_TRIAGE", "version": "1.0.0", - "name": "Deployer Patch Application Priority", - "definition": "Decision table for evaluating deployer's patch application priority in SSVC", + "name": "Coordinator Triage", + "definition": "Decision table for coordinator triage", "schemaVersion": "2.0.0", "decision_points": { - "ssvc:E:1.1.0": { + "ssvc:RP:1.0.0": { "namespace": "ssvc", - "key": "E", - "version": "1.1.0", - "name": "Exploitation", - "definition": "The present state of exploitation of the vulnerability.", + "key": "RP", + "version": "1.0.0", + "name": "Report Public", + "definition": "Is a viable report of the details of the vulnerability already publicly available?", "schemaVersion": "2.0.0", "values": [ + { + "key": "Y", + "name": "Yes", + "definition": "A public report of the vulnerability exists." + }, { "key": "N", - "name": "None", - "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + "name": "No", + "definition": "No public report of the vulnerability exists." + } + ] + }, + "ssvc:SCON:1.0.0": { + "namespace": "ssvc", + "key": "SCON", + "version": "1.0.0", + "name": "Supplier Contacted", + "definition": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "No", + "definition": "The supplier has not been contacted." }, { - "key": "P", - "name": "Public PoC", - "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." + "key": "Y", + "name": "Yes", + "definition": "The supplier has been contacted." + } + ] + }, + "ssvc:RC:1.0.0": { + "namespace": "ssvc", + "key": "RC", + "version": "1.0.0", + "name": "Report Credibility", + "definition": "Is the report credible?", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "NC", + "name": "Not Credible", + "definition": "The report is not credible." }, { - "key": "A", - "name": "Active", - "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + "key": "C", + "name": "Credible", + "definition": "The report is credible." } ] }, - "ssvc:EXP:1.0.1": { + "ssvc:SC:1.0.0": { "namespace": "ssvc", - "key": "EXP", - "version": "1.0.1", - "name": "System Exposure", - "definition": "The Accessible Attack Surface of the Affected System or Service", + "key": "SC", + "version": "1.0.0", + "name": "Supplier Cardinality", + "definition": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?", "schemaVersion": "2.0.0", "values": [ { - "key": "S", - "name": "Small", - "definition": "Local service or program; highly controlled network" - }, - { - "key": "C", - "name": "Controlled", - "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." + "key": "O", + "name": "One", + "definition": "There is only one supplier of the vulnerable component." }, { - "key": "O", - "name": "Open", - "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" + "key": "M", + "name": "Multiple", + "definition": "There are multiple suppliers of the vulnerable component." } ] }, - "ssvc:A:2.0.0": { + "ssvc:SE:1.0.0": { "namespace": "ssvc", - "key": "A", - "version": "2.0.0", - "name": "Automatable", - "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?", + "key": "SE", + "version": "1.0.0", + "name": "Supplier Engagement", + "definition": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "No", - "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation." + "key": "A", + "name": "Active", + "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort." }, { - "key": "Y", - "name": "Yes", - "definition": "Attackers can reliably automate steps 1-4 of the kill chain." + "key": "U", + "name": "Unresponsive", + "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort." } ] }, - "ssvc:HI:2.0.2": { + "ssvc:U:1.0.1": { "namespace": "ssvc", - "key": "HI", - "version": "2.0.2", - "name": "Human Impact", - "definition": "Human Impact is a combination of Safety and Mission impacts.", + "key": "U", + "version": "1.0.1", + "name": "Utility", + "definition": "The Usefulness of the Exploit to the Adversary", "schemaVersion": "2.0.0", "values": [ { "key": "L", - "name": "Low", - "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)" - }, - { - "key": "M", - "name": "Medium", - "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))" + "name": "Laborious", + "definition": "Automatable:No AND Value Density:Diffuse" }, { - "key": "H", - "name": "High", - "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" + "key": "E", + "name": "Efficient", + "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)" }, { - "key": "VH", - "name": "Very High", - "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" + "key": "S", + "name": "Super Effective", + "definition": "Automatable:Yes AND Value Density:Concentrated" } ] }, - "ssvc:DSOI:1.0.0": { + "ssvc:PSI:2.0.1": { "namespace": "ssvc", - "key": "DSOI", - "version": "1.0.0", - "name": "Defer, Scheduled, Out-of-Cycle, Immediate", - "definition": "The original SSVC outcome group.", + "key": "PSI", + "version": "2.0.1", + "name": "Public Safety Impact", + "definition": "A coarse-grained representation of impact to public safety.", "schemaVersion": "2.0.0", "values": [ { - "key": "D", - "name": "Defer", - "definition": "Defer" + "key": "M", + "name": "Minimal", + "definition": "Safety Impact:Negligible" }, { "key": "S", - "name": "Scheduled", - "definition": "Scheduled" - }, - { - "key": "O", - "name": "Out-of-Cycle", - "definition": "Out-of-Cycle" - }, - { - "key": "I", - "name": "Immediate", - "definition": "Immediate" + "name": "Significant", + "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)" } ] - } - }, - "outcome": "ssvc:DSOI:1.0.0", - "mapping": [ - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "D" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "D" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "D" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "D" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "D" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "S" - }, - { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "S" }, + "ssvc:COORDINATE:1.0.1": { + "namespace": "ssvc", + "key": "COORDINATE", + "version": "1.0.1", + "name": "Decline, Track, Coordinate", + "definition": "The coordinate outcome group.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "D", + "name": "Decline", + "definition": "Do not act on the report." + }, + { + "key": "T", + "name": "Track", + "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions." + }, + { + "key": "C", + "name": "Coordinate", + "definition": "Take action on the report." + } + ] + } + }, + "outcome": "ssvc:COORDINATE:1.0.1", + "mapping": [ { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "N", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "D" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "D" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "P", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "S", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "C", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "S" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "I" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "L", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "M", - "ssvc:DSOI:1.0.0": "O" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "H", - "ssvc:DSOI:1.0.0": "I" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:E:1.1.0": "A", - "ssvc:EXP:1.0.1": "O", - "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.2": "VH", - "ssvc:DSOI:1.0.0": "I" - } - ] - } - } - } - }, - "DT_COORD_PUBLISH": { - "key": "DT_COORD_PUBLISH", - "versions": { - "1.0.0": { - "version": "1.0.0", - "obj": { - "namespace": "ssvc", - "key": "DT_COORD_PUBLISH", - "version": "1.0.0", - "name": "Coordinator Publish Decision Table", - "definition": "This decision table is used to determine the priority of a coordinator publish.", - "schemaVersion": "2.0.0", - "decision_points": { - "ssvc:SINV:1.0.0": { - "namespace": "ssvc", - "key": "SINV", - "version": "1.0.0", - "name": "Supplier Involvement", - "definition": "What is the state of the supplier’s work on addressing the vulnerability?", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "FR", - "name": "Fix Ready", - "definition": "The supplier has provided a patch or fix." - }, - { - "key": "C", - "name": "Cooperative", - "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time." - }, - { - "key": "UU", - "name": "Uncooperative/Unresponsive", - "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists." - } - ] - }, - "ssvc:E:1.1.0": { - "namespace": "ssvc", - "key": "E", - "version": "1.1.0", - "name": "Exploitation", - "definition": "The present state of exploitation of the vulnerability.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "None", - "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." - }, - { - "key": "P", - "name": "Public PoC", - "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." - }, - { - "key": "A", - "name": "Active", - "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." - } - ] + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, - "ssvc:PVA:1.0.0": { - "namespace": "ssvc", - "key": "PVA", - "version": "1.0.0", - "name": "Public Value Added", - "definition": "How much value would a publication from the coordinator benefit the broader community?", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Limited", - "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets." - }, - { - "key": "A", - "name": "Ampliative", - "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc." - }, - { - "key": "P", - "name": "Precedence", - "definition": "The publication would be the first publicly available, or be coincident with the first publicly available." - } - ] + { + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, - "ssvc:PUBLISH:1.0.0": { - "namespace": "ssvc", - "key": "PUBLISH", - "version": "1.0.0", - "name": "Publish, Do Not Publish", - "definition": "The publish outcome group.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "Do Not Publish", - "definition": "Do Not Publish" - }, - { - "key": "P", - "name": "Publish", - "definition": "Publish" - } - ] - } - }, - "outcome": "ssvc:PUBLISH:1.0.0", - "mapping": [ { - "ssvc:SINV:1.0.0": "FR", - "ssvc:E:1.1.0": "N", - "ssvc:PVA:1.0.0": "L", - "ssvc:PUBLISH:1.0.0": "N" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "C", - "ssvc:E:1.1.0": "N", - "ssvc:PVA:1.0.0": "L", - "ssvc:PUBLISH:1.0.0": "N" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "FR", - "ssvc:E:1.1.0": "P", - "ssvc:PVA:1.0.0": "L", - "ssvc:PUBLISH:1.0.0": "N" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "FR", - "ssvc:E:1.1.0": "N", - "ssvc:PVA:1.0.0": "A", - "ssvc:PUBLISH:1.0.0": "N" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "UU", - "ssvc:E:1.1.0": "N", - "ssvc:PVA:1.0.0": "L", - "ssvc:PUBLISH:1.0.0": "N" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "C", - "ssvc:E:1.1.0": "P", - "ssvc:PVA:1.0.0": "L", - "ssvc:PUBLISH:1.0.0": "N" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "FR", - "ssvc:E:1.1.0": "A", - "ssvc:PVA:1.0.0": "L", - "ssvc:PUBLISH:1.0.0": "N" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "C", - "ssvc:E:1.1.0": "N", - "ssvc:PVA:1.0.0": "A", - "ssvc:PUBLISH:1.0.0": "N" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "FR", - "ssvc:E:1.1.0": "P", - "ssvc:PVA:1.0.0": "A", - "ssvc:PUBLISH:1.0.0": "N" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "FR", - "ssvc:E:1.1.0": "N", - "ssvc:PVA:1.0.0": "P", - "ssvc:PUBLISH:1.0.0": "P" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "UU", - "ssvc:E:1.1.0": "P", - "ssvc:PVA:1.0.0": "L", - "ssvc:PUBLISH:1.0.0": "N" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "C", - "ssvc:E:1.1.0": "A", - "ssvc:PVA:1.0.0": "L", - "ssvc:PUBLISH:1.0.0": "N" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "UU", - "ssvc:E:1.1.0": "N", - "ssvc:PVA:1.0.0": "A", - "ssvc:PUBLISH:1.0.0": "N" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "C", - "ssvc:E:1.1.0": "P", - "ssvc:PVA:1.0.0": "A", - "ssvc:PUBLISH:1.0.0": "N" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "FR", - "ssvc:E:1.1.0": "A", - "ssvc:PVA:1.0.0": "A", - "ssvc:PUBLISH:1.0.0": "P" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "C", - "ssvc:E:1.1.0": "N", - "ssvc:PVA:1.0.0": "P", - "ssvc:PUBLISH:1.0.0": "P" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "FR", - "ssvc:E:1.1.0": "P", - "ssvc:PVA:1.0.0": "P", - "ssvc:PUBLISH:1.0.0": "P" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "UU", - "ssvc:E:1.1.0": "A", - "ssvc:PVA:1.0.0": "L", - "ssvc:PUBLISH:1.0.0": "P" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "T" }, { - "ssvc:SINV:1.0.0": "UU", - "ssvc:E:1.1.0": "P", - "ssvc:PVA:1.0.0": "A", - "ssvc:PUBLISH:1.0.0": "P" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "C", - "ssvc:E:1.1.0": "A", - "ssvc:PVA:1.0.0": "A", - "ssvc:PUBLISH:1.0.0": "P" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "UU", - "ssvc:E:1.1.0": "N", - "ssvc:PVA:1.0.0": "P", - "ssvc:PUBLISH:1.0.0": "P" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "C", - "ssvc:E:1.1.0": "P", - "ssvc:PVA:1.0.0": "P", - "ssvc:PUBLISH:1.0.0": "P" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "FR", - "ssvc:E:1.1.0": "A", - "ssvc:PVA:1.0.0": "P", - "ssvc:PUBLISH:1.0.0": "P" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "UU", - "ssvc:E:1.1.0": "A", - "ssvc:PVA:1.0.0": "A", - "ssvc:PUBLISH:1.0.0": "P" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "UU", - "ssvc:E:1.1.0": "P", - "ssvc:PVA:1.0.0": "P", - "ssvc:PUBLISH:1.0.0": "P" + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "C", - "ssvc:E:1.1.0": "A", - "ssvc:PVA:1.0.0": "P", - "ssvc:PUBLISH:1.0.0": "P" + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:SINV:1.0.0": "UU", - "ssvc:E:1.1.0": "A", - "ssvc:PVA:1.0.0": "P", - "ssvc:PUBLISH:1.0.0": "P" - } - ] - } - } - } - }, - "DT_COORD_TRIAGE": { - "key": "DT_COORD_TRIAGE", - "versions": { - "1.0.0": { - "version": "1.0.0", - "obj": { - "namespace": "ssvc", - "key": "DT_COORD_TRIAGE", - "version": "1.0.0", - "name": "Coordinator Triage", - "definition": "Decision table for coordinator triage", - "schemaVersion": "2.0.0", - "decision_points": { - "ssvc:RP:1.0.0": { - "namespace": "ssvc", - "key": "RP", - "version": "1.0.0", - "name": "Report Public", - "definition": "Is a viable report of the details of the vulnerability already publicly available?", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "Y", - "name": "Yes", - "definition": "A public report of the vulnerability exists." - }, - { - "key": "N", - "name": "No", - "definition": "No public report of the vulnerability exists." - } - ] - }, - "ssvc:SCON:1.0.0": { - "namespace": "ssvc", - "key": "SCON", - "version": "1.0.0", - "name": "Supplier Contacted", - "definition": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "No", - "definition": "The supplier has not been contacted." - }, - { - "key": "Y", - "name": "Yes", - "definition": "The supplier has been contacted." - } - ] - }, - "ssvc:RC:1.0.0": { - "namespace": "ssvc", - "key": "RC", - "version": "1.0.0", - "name": "Report Credibility", - "definition": "Is the report credible?", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "NC", - "name": "Not Credible", - "definition": "The report is not credible." - }, - { - "key": "C", - "name": "Credible", - "definition": "The report is credible." - } - ] - }, - "ssvc:SC:1.0.0": { - "namespace": "ssvc", - "key": "SC", - "version": "1.0.0", - "name": "Supplier Cardinality", - "definition": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "O", - "name": "One", - "definition": "There is only one supplier of the vulnerable component." - }, - { - "key": "M", - "name": "Multiple", - "definition": "There are multiple suppliers of the vulnerable component." - } - ] - }, - "ssvc:SE:1.0.0": { - "namespace": "ssvc", - "key": "SE", - "version": "1.0.0", - "name": "Supplier Engagement", - "definition": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "A", - "name": "Active", - "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort." - }, - { - "key": "U", - "name": "Unresponsive", - "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort." - } - ] + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, - "ssvc:U:1.0.1": { - "namespace": "ssvc", - "key": "U", - "version": "1.0.1", - "name": "Utility", - "definition": "The Usefulness of the Exploit to the Adversary", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Laborious", - "definition": "Automatable:No AND Value Density:Diffuse" - }, - { - "key": "E", - "name": "Efficient", - "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)" - }, - { - "key": "S", - "name": "Super Effective", - "definition": "Automatable:Yes AND Value Density:Concentrated" - } - ] + { + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, - "ssvc:PSI:2.0.1": { - "namespace": "ssvc", - "key": "PSI", - "version": "2.0.1", - "name": "Public Safety Impact", - "definition": "A coarse-grained representation of impact to public safety.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "M", - "name": "Minimal", - "definition": "Safety Impact:Negligible" - }, - { - "key": "S", - "name": "Significant", - "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)" - } - ] + { + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" }, - "ssvc:COORDINATE:1.0.1": { - "namespace": "ssvc", - "key": "COORDINATE", - "version": "1.0.1", - "name": "Decline, Track, Coordinate", - "definition": "The coordinate outcome group.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "D", - "name": "Decline", - "definition": "Do not act on the report." - }, - { - "key": "T", - "name": "Track", - "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions." - }, - { - "key": "C", - "name": "Coordinate", - "definition": "Take action on the report." - } - ] - } - }, - "outcome": "ssvc:COORDINATE:1.0.1", - "mapping": [ { "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "N", "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", + "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", + "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "T" + }, + { + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "Y", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "O", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:RP:1.0.0": "Y", + "ssvc:RP:1.0.0": "N", "ssvc:SCON:1.0.0": "N", "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", + "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", + "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "L", "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" @@ -20459,9 +22279,9 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "T" }, { "ssvc:RP:1.0.0": "N", @@ -20469,8 +22289,8 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20479,8 +22299,8 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20489,8 +22309,8 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20499,8 +22319,8 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20509,8 +22329,8 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20519,8 +22339,8 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20529,8 +22349,8 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20539,8 +22359,8 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20549,8 +22369,8 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20559,8 +22379,8 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20569,8 +22389,8 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20579,8 +22399,8 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20589,9 +22409,9 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "Y", @@ -20599,78 +22419,68 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "C" }, { - "ssvc:RP:1.0.0": "Y", + "ssvc:RP:1.0.0": "N", "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "S", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "C" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "S", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:RP:1.0.0": "Y", + "ssvc:RP:1.0.0": "N", "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "S", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", + "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20679,7 +22489,7 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, @@ -20689,9 +22499,9 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "T" }, { "ssvc:RP:1.0.0": "N", @@ -20699,7 +22509,7 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, @@ -20709,7 +22519,7 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, @@ -20719,7 +22529,7 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, @@ -20729,7 +22539,7 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, @@ -20739,7 +22549,7 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, @@ -20749,7 +22559,7 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, @@ -20759,7 +22569,7 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, @@ -20769,158 +22579,158 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "N", "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "T" }, { "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "C" + }, + { + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "NC", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "T" + }, + { + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "D" + }, + { + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", + "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "T" }, { "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "T" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "T" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:RP:1.0.0": "Y", + "ssvc:RP:1.0.0": "N", "ssvc:SCON:1.0.0": "N", "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "N", "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { @@ -20929,9 +22739,9 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "T" }, { "ssvc:RP:1.0.0": "N", @@ -20939,7 +22749,7 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, @@ -20949,7 +22759,7 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, @@ -20959,9 +22769,9 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "Y", @@ -20969,9 +22779,9 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "Y", @@ -20979,9 +22789,9 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "N", @@ -20989,7 +22799,7 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, @@ -20999,7 +22809,7 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, @@ -21009,7 +22819,7 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, @@ -21019,69 +22829,19 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "N", @@ -21089,9 +22849,9 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "N", @@ -21099,9 +22859,9 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "T" + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "N", @@ -21109,9 +22869,9 @@ "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "T" }, { "ssvc:RP:1.0.0": "N", @@ -21119,7 +22879,7 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, @@ -21129,7 +22889,7 @@ "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "M", "ssvc:COORDINATE:1.0.1": "D" }, @@ -21137,1938 +22897,2732 @@ "ssvc:RP:1.0.0": "N", "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "L", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "T" }, { "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "T" }, { - "ssvc:RP:1.0.0": "Y", + "ssvc:RP:1.0.0": "N", "ssvc:SCON:1.0.0": "N", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:RP:1.0.0": "N", + "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "E", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:RP:1.0.0": "Y", + "ssvc:RP:1.0.0": "N", "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "A", "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "T" }, { "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "C" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "A", "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "T" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", + "ssvc:PSI:2.0.1": "S", "ssvc:COORDINATE:1.0.1": "D" }, { - "ssvc:RP:1.0.0": "Y", + "ssvc:RP:1.0.0": "N", "ssvc:SCON:1.0.0": "N", "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" - }, - { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "C" }, { - "ssvc:RP:1.0.0": "N", + "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "T" + "ssvc:COORDINATE:1.0.1": "C" }, { - "ssvc:RP:1.0.0": "N", + "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "N", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "C" }, { - "ssvc:RP:1.0.0": "Y", + "ssvc:RP:1.0.0": "N", "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "M", + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "N", "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "E", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "A", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "C" }, { - "ssvc:RP:1.0.0": "Y", + "ssvc:RP:1.0.0": "N", "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "O", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "NC", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "C" + }, + { + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "N", + "ssvc:RC:1.0.0": "C", + "ssvc:SC:1.0.0": "M", + "ssvc:SE:1.0.0": "U", + "ssvc:U:1.0.1": "S", + "ssvc:PSI:2.0.1": "S", + "ssvc:COORDINATE:1.0.1": "C" }, { "ssvc:RP:1.0.0": "Y", "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", + "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "C" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", + "ssvc:RP:1.0.0": "N", + "ssvc:SCON:1.0.0": "Y", "ssvc:RC:1.0.0": "C", "ssvc:SC:1.0.0": "M", "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", + "ssvc:U:1.0.1": "S", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:COORDINATE:1.0.1": "C" + } + ] + } + } + } + }, + "DT_HI": { + "key": "DT_HI", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "DT_HI", + "version": "1.0.0", + "name": "Human Impact", + "definition": "Human Impact decision table for SSVC", + "schemaVersion": "2.0.0", + "decision_points": { + "ssvc:SI:2.0.1": { + "namespace": "ssvc", + "key": "SI", + "version": "2.0.1", + "name": "Safety Impact", + "definition": "The safety impact of the vulnerability. (based on IEC 61508 with modifications)", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "Negligible", + "definition": "Any one or more of these conditions hold. **Physical harm**: Minor injuries at worst (IEC 61508 Negligible). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. **System resiliency**: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. **Environment**: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses, which are not readily absorbable, to multiple persons. **Psychological**: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + }, + { + "key": "M", + "name": "Marginal", + "definition": "Any one or more of these conditions hold. **Physical harm**: Major injuries to one or more persons (IEC 61508 Marginal). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. **System resiliency**: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. **Environment**: Major externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses that likely lead to bankruptcy of multiple persons. **Psychological**: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + }, + { + "key": "R", + "name": "Critical", + "definition": "Any one or more of these conditions hold. **Physical harm**: Loss of life (IEC 61508 Critical). **Operator resiliency**: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. **System resiliency**: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. **Environment**: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. **Financial**: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. **Psychological**: N/A." + }, + { + "key": "C", + "name": "Catastrophic", + "definition": "Any one or more of these conditions hold. **Physical harm**: Multiple loss of life (IEC 61508 Catastrophic). **Operator resiliency**: Operator incapacitated (includes fatality or otherwise incapacitated). **System resiliency**: Total loss of whole cyber-physical system, of which the software is a part. **Environment**: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. **Financial**: Social systems (elections, financial grid, etc.) supported by the software collapse. **Psychological**: N/A." + } + ] + }, + "ssvc:MI:2.0.0": { + "namespace": "ssvc", + "key": "MI", + "version": "2.0.0", + "name": "Mission Impact", + "definition": "Impact on Mission Essential Functions of the Organization", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "D", + "name": "Degraded", + "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions" + }, + { + "key": "MSC", + "name": "MEF Support Crippled", + "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time" + }, + { + "key": "MEF", + "name": "MEF Failure", + "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time" + }, + { + "key": "MF", + "name": "Mission Failure", + "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" + } + ] }, + "ssvc:HI:2.0.2": { + "namespace": "ssvc", + "key": "HI", + "version": "2.0.2", + "name": "Human Impact", + "definition": "Human Impact is a combination of Safety and Mission impacts.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)" + }, + { + "key": "M", + "name": "Medium", + "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))" + }, + { + "key": "H", + "name": "High", + "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" + }, + { + "key": "VH", + "name": "Very High", + "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" + } + ] + } + }, + "outcome": "ssvc:HI:2.0.2", + "mapping": [ { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "T" + "ssvc:SI:2.0.1": "N", + "ssvc:MI:2.0.0": "D", + "ssvc:HI:2.0.2": "L" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "N", + "ssvc:MI:2.0.0": "MSC", + "ssvc:HI:2.0.2": "L" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "N", + "ssvc:MI:2.0.0": "MEF", + "ssvc:HI:2.0.2": "M" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "N", + "ssvc:MI:2.0.0": "MF", + "ssvc:HI:2.0.2": "VH" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "M", + "ssvc:MI:2.0.0": "D", + "ssvc:HI:2.0.2": "L" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "M", + "ssvc:MI:2.0.0": "MSC", + "ssvc:HI:2.0.2": "L" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "M", + "ssvc:MI:2.0.0": "MEF", + "ssvc:HI:2.0.2": "M" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "M", + "ssvc:MI:2.0.0": "MF", + "ssvc:HI:2.0.2": "VH" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "R", + "ssvc:MI:2.0.0": "D", + "ssvc:HI:2.0.2": "M" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "R", + "ssvc:MI:2.0.0": "MSC", + "ssvc:HI:2.0.2": "H" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "R", + "ssvc:MI:2.0.0": "MEF", + "ssvc:HI:2.0.2": "H" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "R", + "ssvc:MI:2.0.0": "MF", + "ssvc:HI:2.0.2": "VH" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "C", + "ssvc:MI:2.0.0": "D", + "ssvc:HI:2.0.2": "VH" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "ssvc:SI:2.0.1": "C", + "ssvc:MI:2.0.0": "MSC", + "ssvc:HI:2.0.2": "VH" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "C", + "ssvc:MI:2.0.0": "MEF", + "ssvc:HI:2.0.2": "VH" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "C" + "ssvc:SI:2.0.1": "C", + "ssvc:MI:2.0.0": "MF", + "ssvc:HI:2.0.2": "VH" + } + ] + } + } + } + }, + "DT_PSI": { + "key": "DT_PSI", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "DT_PSI", + "version": "1.0.0", + "name": "Public Safety Impact", + "definition": "Public Safety Impact Decision Table", + "schemaVersion": "2.0.0", + "decision_points": { + "ssvc:SI:2.0.1": { + "namespace": "ssvc", + "key": "SI", + "version": "2.0.1", + "name": "Safety Impact", + "definition": "The safety impact of the vulnerability. (based on IEC 61508 with modifications)", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "Negligible", + "definition": "Any one or more of these conditions hold. **Physical harm**: Minor injuries at worst (IEC 61508 Negligible). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. **System resiliency**: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. **Environment**: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses, which are not readily absorbable, to multiple persons. **Psychological**: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + }, + { + "key": "M", + "name": "Marginal", + "definition": "Any one or more of these conditions hold. **Physical harm**: Major injuries to one or more persons (IEC 61508 Marginal). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. **System resiliency**: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. **Environment**: Major externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses that likely lead to bankruptcy of multiple persons. **Psychological**: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + }, + { + "key": "R", + "name": "Critical", + "definition": "Any one or more of these conditions hold. **Physical harm**: Loss of life (IEC 61508 Critical). **Operator resiliency**: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. **System resiliency**: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. **Environment**: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. **Financial**: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. **Psychological**: N/A." + }, + { + "key": "C", + "name": "Catastrophic", + "definition": "Any one or more of these conditions hold. **Physical harm**: Multiple loss of life (IEC 61508 Catastrophic). **Operator resiliency**: Operator incapacitated (includes fatality or otherwise incapacitated). **System resiliency**: Total loss of whole cyber-physical system, of which the software is a part. **Environment**: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. **Financial**: Social systems (elections, financial grid, etc.) supported by the software collapse. **Psychological**: N/A." + } + ] }, - { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:PSI:2.0.1": { + "namespace": "ssvc", + "key": "PSI", + "version": "2.0.1", + "name": "Public Safety Impact", + "definition": "A coarse-grained representation of impact to public safety.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "M", + "name": "Minimal", + "definition": "Safety Impact:Negligible" + }, + { + "key": "S", + "name": "Significant", + "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)" + } + ] + } + }, + "outcome": "ssvc:PSI:2.0.1", + "mapping": [ + { + "ssvc:SI:2.0.1": "N", + "ssvc:PSI:2.0.1": "M" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "C" + "ssvc:SI:2.0.1": "M", + "ssvc:PSI:2.0.1": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "R", + "ssvc:PSI:2.0.1": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:SI:2.0.1": "C", + "ssvc:PSI:2.0.1": "S" + } + ] + } + } + } + }, + "DT_SP": { + "key": "DT_SP", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "DT_SP", + "version": "1.0.0", + "name": "Supplier Patch Development Priority", + "definition": "Decision table for evaluating supplier patch development priority in SSVC", + "schemaVersion": "2.0.0", + "decision_points": { + "ssvc:E:1.1.0": { + "namespace": "ssvc", + "key": "E", + "version": "1.1.0", + "name": "Exploitation", + "definition": "The present state of exploitation of the vulnerability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + }, + { + "key": "P", + "name": "Public PoC", + "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." + }, + { + "key": "A", + "name": "Active", + "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + } + ] + }, + "ssvc:U:1.0.1": { + "namespace": "ssvc", + "key": "U", + "version": "1.0.1", + "name": "Utility", + "definition": "The Usefulness of the Exploit to the Adversary", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Laborious", + "definition": "Automatable:No AND Value Density:Diffuse" + }, + { + "key": "E", + "name": "Efficient", + "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)" + }, + { + "key": "S", + "name": "Super Effective", + "definition": "Automatable:Yes AND Value Density:Concentrated" + } + ] + }, + "ssvc:TI:1.0.0": { + "namespace": "ssvc", + "key": "TI", + "version": "1.0.0", + "name": "Technical Impact", + "definition": "The technical impact of the vulnerability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "P", + "name": "Partial", + "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control." + }, + { + "key": "T", + "name": "Total", + "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." + } + ] + }, + "ssvc:PSI:2.0.1": { + "namespace": "ssvc", + "key": "PSI", + "version": "2.0.1", + "name": "Public Safety Impact", + "definition": "A coarse-grained representation of impact to public safety.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "M", + "name": "Minimal", + "definition": "Safety Impact:Negligible" + }, + { + "key": "S", + "name": "Significant", + "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)" + } + ] }, + "ssvc:DSOI:1.0.0": { + "namespace": "ssvc", + "key": "DSOI", + "version": "1.0.0", + "name": "Defer, Scheduled, Out-of-Cycle, Immediate", + "definition": "The original SSVC outcome group.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "D", + "name": "Defer", + "definition": "Defer" + }, + { + "key": "S", + "name": "Scheduled", + "definition": "Scheduled" + }, + { + "key": "O", + "name": "Out-of-Cycle", + "definition": "Out-of-Cycle" + }, + { + "key": "I", + "name": "Immediate", + "definition": "Immediate" + } + ] + } + }, + "outcome": "ssvc:DSOI:1.0.0", + "mapping": [ { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", + "ssvc:E:1.1.0": "N", + "ssvc:U:1.0.1": "L", + "ssvc:TI:1.0.0": "P", "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:DSOI:1.0.0": "D" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:E:1.1.0": "N", + "ssvc:U:1.0.1": "L", + "ssvc:TI:1.0.0": "P", + "ssvc:PSI:2.0.1": "S", + "ssvc:DSOI:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", + "ssvc:E:1.1.0": "N", + "ssvc:U:1.0.1": "L", + "ssvc:TI:1.0.0": "T", "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "T" + "ssvc:DSOI:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:E:1.1.0": "N", + "ssvc:U:1.0.1": "L", + "ssvc:TI:1.0.0": "T", + "ssvc:PSI:2.0.1": "S", + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", + "ssvc:E:1.1.0": "N", + "ssvc:U:1.0.1": "E", + "ssvc:TI:1.0.0": "P", "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:DSOI:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:E:1.1.0": "N", + "ssvc:U:1.0.1": "E", + "ssvc:TI:1.0.0": "P", + "ssvc:PSI:2.0.1": "S", + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", + "ssvc:E:1.1.0": "N", + "ssvc:U:1.0.1": "E", + "ssvc:TI:1.0.0": "T", "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:DSOI:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:E:1.1.0": "N", + "ssvc:U:1.0.1": "E", + "ssvc:TI:1.0.0": "T", + "ssvc:PSI:2.0.1": "S", + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", + "ssvc:E:1.1.0": "N", "ssvc:U:1.0.1": "S", + "ssvc:TI:1.0.0": "P", "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:DSOI:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", + "ssvc:E:1.1.0": "N", "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:TI:1.0.0": "P", + "ssvc:PSI:2.0.1": "S", + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", + "ssvc:E:1.1.0": "N", "ssvc:U:1.0.1": "S", + "ssvc:TI:1.0.0": "T", "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "L", + "ssvc:E:1.1.0": "N", + "ssvc:U:1.0.1": "S", + "ssvc:TI:1.0.0": "T", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "T" + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", + "ssvc:E:1.1.0": "P", "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "ssvc:TI:1.0.0": "P", + "ssvc:PSI:2.0.1": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", + "ssvc:E:1.1.0": "P", "ssvc:U:1.0.1": "L", + "ssvc:TI:1.0.0": "P", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "T" + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", + "ssvc:E:1.1.0": "P", "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:TI:1.0.0": "T", + "ssvc:PSI:2.0.1": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", + "ssvc:E:1.1.0": "P", "ssvc:U:1.0.1": "L", + "ssvc:TI:1.0.0": "T", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:DSOI:1.0.0": "I" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", + "ssvc:E:1.1.0": "P", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "T" + "ssvc:TI:1.0.0": "P", + "ssvc:PSI:2.0.1": "M", + "ssvc:DSOI:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", + "ssvc:E:1.1.0": "P", "ssvc:U:1.0.1": "E", + "ssvc:TI:1.0.0": "P", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "T" + "ssvc:DSOI:1.0.0": "I" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", + "ssvc:E:1.1.0": "P", "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:TI:1.0.0": "T", + "ssvc:PSI:2.0.1": "M", + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", + "ssvc:E:1.1.0": "P", "ssvc:U:1.0.1": "E", + "ssvc:TI:1.0.0": "T", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:DSOI:1.0.0": "I" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "T" + "ssvc:E:1.1.0": "P", + "ssvc:U:1.0.1": "S", + "ssvc:TI:1.0.0": "P", + "ssvc:PSI:2.0.1": "M", + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", + "ssvc:E:1.1.0": "P", + "ssvc:U:1.0.1": "S", + "ssvc:TI:1.0.0": "P", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:DSOI:1.0.0": "I" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:E:1.1.0": "P", + "ssvc:U:1.0.1": "S", + "ssvc:TI:1.0.0": "T", + "ssvc:PSI:2.0.1": "M", + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", + "ssvc:E:1.1.0": "P", + "ssvc:U:1.0.1": "S", + "ssvc:TI:1.0.0": "T", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:DSOI:1.0.0": "I" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:E:1.1.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:TI:1.0.0": "P", + "ssvc:PSI:2.0.1": "M", + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", + "ssvc:E:1.1.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:TI:1.0.0": "P", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:DSOI:1.0.0": "I" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "T" + "ssvc:E:1.1.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:TI:1.0.0": "T", + "ssvc:PSI:2.0.1": "M", + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", + "ssvc:E:1.1.0": "A", + "ssvc:U:1.0.1": "L", + "ssvc:TI:1.0.0": "T", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:DSOI:1.0.0": "I" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:E:1.1.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:TI:1.0.0": "P", + "ssvc:PSI:2.0.1": "M", + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", + "ssvc:E:1.1.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:TI:1.0.0": "P", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:TI:1.0.0": "T", + "ssvc:PSI:2.0.1": "M", + "ssvc:DSOI:1.0.0": "O" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", + "ssvc:E:1.1.0": "A", + "ssvc:U:1.0.1": "E", + "ssvc:TI:1.0.0": "T", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "ssvc:DSOI:1.0.0": "I" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", + "ssvc:E:1.1.0": "A", "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "ssvc:TI:1.0.0": "P", + "ssvc:PSI:2.0.1": "M", + "ssvc:DSOI:1.0.0": "I" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", + "ssvc:E:1.1.0": "A", "ssvc:U:1.0.1": "S", + "ssvc:TI:1.0.0": "P", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:DSOI:1.0.0": "I" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", + "ssvc:E:1.1.0": "A", "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:TI:1.0.0": "T", + "ssvc:PSI:2.0.1": "M", + "ssvc:DSOI:1.0.0": "I" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", + "ssvc:E:1.1.0": "A", "ssvc:U:1.0.1": "S", + "ssvc:TI:1.0.0": "T", "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "ssvc:DSOI:1.0.0": "I" + } + ] + } + } + } + }, + "DT_U": { + "key": "DT_U", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "ssvc", + "key": "DT_U", + "version": "1.0.0", + "name": "Utility", + "definition": "Utility decision table for SSVC", + "schemaVersion": "2.0.0", + "decision_points": { + "ssvc:A:2.0.0": { + "namespace": "ssvc", + "key": "A", + "version": "2.0.0", + "name": "Automatable", + "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "No", + "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation." + }, + { + "key": "Y", + "name": "Yes", + "definition": "Attackers can reliably automate steps 1-4 of the kill chain." + } + ] + }, + "ssvc:VD:1.0.0": { + "namespace": "ssvc", + "key": "VD", + "version": "1.0.0", + "name": "Value Density", + "definition": "The concentration of value in the target", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "D", + "name": "Diffuse", + "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small." + }, + { + "key": "C", + "name": "Concentrated", + "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users." + } + ] }, + "ssvc:U:1.0.1": { + "namespace": "ssvc", + "key": "U", + "version": "1.0.1", + "name": "Utility", + "definition": "The Usefulness of the Exploit to the Adversary", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Laborious", + "definition": "Automatable:No AND Value Density:Diffuse" + }, + { + "key": "E", + "name": "Efficient", + "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)" + }, + { + "key": "S", + "name": "Super Effective", + "definition": "Automatable:Yes AND Value Density:Concentrated" + } + ] + } + }, + "outcome": "ssvc:U:1.0.1", + "mapping": [ { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "ssvc:A:2.0.0": "N", + "ssvc:VD:1.0.0": "D", + "ssvc:U:1.0.1": "L" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "C" + "ssvc:A:2.0.0": "N", + "ssvc:VD:1.0.0": "C", + "ssvc:U:1.0.1": "E" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "C" + "ssvc:A:2.0.0": "Y", + "ssvc:VD:1.0.0": "D", + "ssvc:U:1.0.1": "E" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "C" + "ssvc:A:2.0.0": "Y", + "ssvc:VD:1.0.0": "C", + "ssvc:U:1.0.1": "S" + } + ] + } + } + } + } + } + }, + "x_org.owasp#aivss": { + "namespace": "x_org.owasp#aivss", + "keys": { + "DT_AIL": { + "key": "DT_AIL", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "x_org.owasp#aivss", + "key": "DT_AIL", + "version": "1.0.0", + "name": "Agentic Impact Level", + "definition": "TODO writeme", + "schemaVersion": "2.0.0", + "decision_points": { + "x_org.owasp#aivss:EP:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "EP", + "version": "1.0.0", + "name": "Execution Power", + "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "Constrained", + "definition": "The AI agent has limited execution power, restricting its ability to perform actions autonomously or interact with external systems." + }, + { + "key": "CA", + "name": "Capable", + "definition": "The AI agent has moderate execution power, allowing it to perform certain actions autonomously and interact with external systems under supervision." + }, + { + "key": "H", + "name": "High Leverage", + "definition": "The AI agent has extensive execution power, enabling it to perform actions autonomously and interact with external systems with minimal supervision." + } + ] + }, + "x_org.owasp#aivss:EA:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "EA", + "version": "1.0.0", + "name": "Environment & Adaptation", + "definition": "Determines the environment and adaptation level of an AI system based on its context awareness and adaptability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "I", + "name": "Isolated", + "definition": "Operates in a narrow, stable context with no meaningful external awareness. No cross-session memory, multi-agent behavior, or identity changes. Environmental shifts don’t affect behavior unless a human explicitly updates inputs." + }, + { + "key": "C", + "name": "Connected", + "definition": "Uses curated signals, scoped identity roles, or predefined multi-agent patterns to adapt. Environmental changes can influence behavior, but only within controlled, auditable bounds." + }, + { + "key": "P", + "name": "Pervasive", + "definition": "Continuously adapts to broad, dynamic environmental inputs and multi-agent activity. Identity, memory, and context can shift fluidly, creating emergent behavior. Environmental variation can substantially redirect or amplify its actions." + } + ] + }, + "x_org.owasp#aivss:PI:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "PI", + "version": "1.0.0", + "name": "Predictability and Influence", + "definition": "TODO writeme", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "V", + "name": "Verifiable", + "definition": "Behavior is traceable, reproducible, and backed by strong logging or proofs. Outputs align with clear rules, and any action can be independently checked. Unexpected deviations are rare and easy to diagnose." + }, + { + "key": "U", + "name": "Uncertain", + "definition": "Behavior is generally well-structured but can deviate within known bounds. Some reasoning steps or interactions lack full visibility, making verification partial. Issues may be diagnosable but require effort or contextual reconstruction." + }, + { + "key": "O", + "name": "Opaque", + "definition": "Behavior is highly variable, difficult to trace, and resistant to verification. Key reasoning paths, external influences, or interactions are hidden or unpredictable. Actions may appear coherent but cannot be reliably reproduced or audited." + } + ] }, + "x_org.owasp#aivss:AIL:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "AIL", + "version": "1.0.0", + "name": "Agentic Impact Level", + "definition": "Determines the agentic impact level of a vulnerability based on its characteristics and potential effects.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "CoPilot", + "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." + }, + { + "key": "S", + "name": "Specialist", + "definition": "The agent is a specialist with significant autonomy within a defined domain.It can use powerful tools and may learn from interactions." + }, + { + "key": "P", + "name": "Prime Mover", + "definition": "The agent is a prime mover with broad autonomy. It can orchestrate other systems, modify its own logic, and interact with critical infrastructure." + } + ] + } + }, + "outcome": "x_org.owasp#aivss:AIL:1.0.0", + "mapping": [ { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "T" + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "C" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "C" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "D" + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "L", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "C" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "T" + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "T" + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "x_org.owasp#aivss:EP:1.0.0": "C", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "T" + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "C" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "T" + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "D" + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "CA", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "M", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "E", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "I", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "O", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "S" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "NC", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "C", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "N", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V", + "x_org.owasp#aivss:AIL:1.0.0": "P" }, { - "ssvc:RP:1.0.0": "Y", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U", + "x_org.owasp#aivss:AIL:1.0.0": "P" }, { - "ssvc:RP:1.0.0": "N", - "ssvc:SCON:1.0.0": "Y", - "ssvc:RC:1.0.0": "C", - "ssvc:SC:1.0.0": "M", - "ssvc:SE:1.0.0": "U", - "ssvc:U:1.0.1": "S", - "ssvc:PSI:2.0.1": "S", - "ssvc:COORDINATE:1.0.1": "C" + "x_org.owasp#aivss:EP:1.0.0": "H", + "x_org.owasp#aivss:EA:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O", + "x_org.owasp#aivss:AIL:1.0.0": "P" } ] } } } }, - "DT_HI": { - "key": "DT_HI", + "DT_PI": { + "key": "DT_PI", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "ssvc", - "key": "DT_HI", + "namespace": "x_org.owasp#aivss", + "key": "DT_PI", "version": "1.0.0", - "name": "Human Impact", - "definition": "Human Impact decision table for SSVC", + "name": "Predictability and Influence", + "definition": "TODO writeme", "schemaVersion": "2.0.0", "decision_points": { - "ssvc:SI:2.0.1": { - "namespace": "ssvc", - "key": "SI", - "version": "2.0.1", - "name": "Safety Impact", - "definition": "The safety impact of the vulnerability. (based on IEC 61508 with modifications)", + "x_org.owasp#aivss:ND:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "ND", + "version": "1.0.0", + "name": "Non-Determinism", + "definition": "Describes variability of system outputs across repeated executions.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "D", + "name": "Deterministic", + "definition": "Stable outputs; no randomness." + }, + { + "key": "B", + "name": "Bounded", + "definition": "Controlled variance within predictable limits." + }, + { + "key": "H", + "name": "High-Variance", + "definition": "Broad or unstable behavioral range." + } + ] + }, + "x_org.owasp#aivss:OR:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "OR", + "version": "1.0.0", + "name": "Opacity & Reflexivity", + "definition": "Captures how observable and explainable the internal reasoning and adaptation cycle is.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "T", + "name": "Transparent", + "definition": "Full logs and traceable reasoning." + }, + { + "key": "F", + "name": "Fragmented", + "definition": "Partial visibility; some steps hidden." + }, + { + "key": "O", + "name": "Opaque", + "definition": "Black-box behavior; internal process not observable." + } + ] + }, + "x_org.owasp#aivss:VC:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "VC", + "version": "1.0.0", + "name": "Verification Capability", + "definition": "Indicates whether the system’s critical properties can be formally or practically verified.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "Negligible", - "definition": "Any one or more of these conditions hold. **Physical harm**: Minor injuries at worst (IEC 61508 Negligible). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. **System resiliency**: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. **Environment**: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses, which are not readily absorbable, to multiple persons. **Psychological**: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." - }, - { - "key": "M", - "name": "Marginal", - "definition": "Any one or more of these conditions hold. **Physical harm**: Major injuries to one or more persons (IEC 61508 Marginal). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. **System resiliency**: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. **Environment**: Major externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses that likely lead to bankruptcy of multiple persons. **Psychological**: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + "key": "P", + "name": "Provable", + "definition": "Critical safety or correctness invariants can be verified." }, { - "key": "R", - "name": "Critical", - "definition": "Any one or more of these conditions hold. **Physical harm**: Loss of life (IEC 61508 Critical). **Operator resiliency**: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. **System resiliency**: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. **Environment**: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. **Financial**: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. **Psychological**: N/A." + "key": "K", + "name": "Key Invariants Verifiable", + "definition": "Some critical properties can be verified, but not all." }, { - "key": "C", - "name": "Catastrophic", - "definition": "Any one or more of these conditions hold. **Physical harm**: Multiple loss of life (IEC 61508 Catastrophic). **Operator resiliency**: Operator incapacitated (includes fatality or otherwise incapacitated). **System resiliency**: Total loss of whole cyber-physical system, of which the software is a part. **Environment**: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. **Financial**: Social systems (elections, financial grid, etc.) supported by the software collapse. **Psychological**: N/A." + "key": "U", + "name": "Unverifiable", + "definition": "Cannot prove correctness or invariants in practice." } ] }, - "ssvc:MI:2.0.0": { - "namespace": "ssvc", - "key": "MI", - "version": "2.0.0", - "name": "Mission Impact", - "definition": "Impact on Mission Essential Functions of the Organization", + "x_org.owasp#aivss:DP:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "DP", + "version": "1.0.0", + "name": "Deceptiveness Potential", + "definition": "Assesses the potential for AI-generated vulnerability reports to be deceptive, ranging from plain structured output to highly persuasive content.", "schemaVersion": "2.0.0", "values": [ { - "key": "D", - "name": "Degraded", - "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions" - }, - { - "key": "MSC", - "name": "MEF Support Crippled", - "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time" + "key": "P", + "name": "Plain", + "definition": "Structured, non-persona output." }, { - "key": "MEF", - "name": "MEF Failure", - "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time" + "key": "F", + "name": "Fluent", + "definition": "Natural language output, but not convincingly human." }, { - "key": "MF", - "name": "Mission Failure", - "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" + "key": "S", + "name": "Persuasive", + "definition": "Persona mimicry, deepfakes, or social-engineering capability." } ] }, - "ssvc:HI:2.0.2": { - "namespace": "ssvc", - "key": "HI", - "version": "2.0.2", - "name": "Human Impact", - "definition": "Human Impact is a combination of Safety and Mission impacts.", + "x_org.owasp#aivss:PI:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "PI", + "version": "1.0.0", + "name": "Predictability and Influence", + "definition": "TODO writeme", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Low", - "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)" - }, - { - "key": "M", - "name": "Medium", - "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))" + "key": "V", + "name": "Verifiable", + "definition": "Behavior is traceable, reproducible, and backed by strong logging or proofs. Outputs align with clear rules, and any action can be independently checked. Unexpected deviations are rare and easy to diagnose." }, { - "key": "H", - "name": "High", - "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" + "key": "U", + "name": "Uncertain", + "definition": "Behavior is generally well-structured but can deviate within known bounds. Some reasoning steps or interactions lack full visibility, making verification partial. Issues may be diagnosable but require effort or contextual reconstruction." }, { - "key": "VH", - "name": "Very High", - "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" + "key": "O", + "name": "Opaque", + "definition": "Behavior is highly variable, difficult to trace, and resistant to verification. Key reasoning paths, external influences, or interactions are hidden or unpredictable. Actions may appear coherent but cannot be reliably reproduced or audited." } ] } }, - "outcome": "ssvc:HI:2.0.2", + "outcome": "x_org.owasp#aivss:PI:1.0.0", "mapping": [ { - "ssvc:SI:2.0.1": "N", - "ssvc:MI:2.0.0": "D", - "ssvc:HI:2.0.2": "L" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V" }, { - "ssvc:SI:2.0.1": "N", - "ssvc:MI:2.0.0": "MSC", - "ssvc:HI:2.0.2": "L" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "V" }, { - "ssvc:SI:2.0.1": "N", - "ssvc:MI:2.0.0": "MEF", - "ssvc:HI:2.0.2": "M" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" }, { - "ssvc:SI:2.0.1": "N", - "ssvc:MI:2.0.0": "MF", - "ssvc:HI:2.0.2": "VH" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V" }, { - "ssvc:SI:2.0.1": "M", - "ssvc:MI:2.0.0": "D", - "ssvc:HI:2.0.2": "L" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" }, { - "ssvc:SI:2.0.1": "M", - "ssvc:MI:2.0.0": "MSC", - "ssvc:HI:2.0.2": "L" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" }, { - "ssvc:SI:2.0.1": "M", - "ssvc:MI:2.0.0": "MEF", - "ssvc:HI:2.0.2": "M" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" }, { - "ssvc:SI:2.0.1": "M", - "ssvc:MI:2.0.0": "MF", - "ssvc:HI:2.0.2": "VH" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" }, { - "ssvc:SI:2.0.1": "R", - "ssvc:MI:2.0.0": "D", - "ssvc:HI:2.0.2": "M" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" }, { - "ssvc:SI:2.0.1": "R", - "ssvc:MI:2.0.0": "MSC", - "ssvc:HI:2.0.2": "H" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V" }, { - "ssvc:SI:2.0.1": "R", - "ssvc:MI:2.0.0": "MEF", - "ssvc:HI:2.0.2": "H" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" }, { - "ssvc:SI:2.0.1": "R", - "ssvc:MI:2.0.0": "MF", - "ssvc:HI:2.0.2": "VH" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" }, { - "ssvc:SI:2.0.1": "C", - "ssvc:MI:2.0.0": "D", - "ssvc:HI:2.0.2": "VH" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" }, { - "ssvc:SI:2.0.1": "C", - "ssvc:MI:2.0.0": "MSC", - "ssvc:HI:2.0.2": "VH" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" }, { - "ssvc:SI:2.0.1": "C", - "ssvc:MI:2.0.0": "MEF", - "ssvc:HI:2.0.2": "VH" + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" }, { - "ssvc:SI:2.0.1": "C", - "ssvc:MI:2.0.0": "MF", - "ssvc:HI:2.0.2": "VH" - } - ] - } - } - } - }, - "DT_PSI": { - "key": "DT_PSI", - "versions": { - "1.0.0": { - "version": "1.0.0", - "obj": { - "namespace": "ssvc", - "key": "DT_PSI", - "version": "1.0.0", - "name": "Public Safety Impact", - "definition": "Public Safety Impact Decision Table", - "schemaVersion": "2.0.0", - "decision_points": { - "ssvc:SI:2.0.1": { - "namespace": "ssvc", - "key": "SI", - "version": "2.0.1", - "name": "Safety Impact", - "definition": "The safety impact of the vulnerability. (based on IEC 61508 with modifications)", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "Negligible", - "definition": "Any one or more of these conditions hold. **Physical harm**: Minor injuries at worst (IEC 61508 Negligible). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. **System resiliency**: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. **Environment**: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses, which are not readily absorbable, to multiple persons. **Psychological**: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." - }, - { - "key": "M", - "name": "Marginal", - "definition": "Any one or more of these conditions hold. **Physical harm**: Major injuries to one or more persons (IEC 61508 Marginal). **Operator resiliency**: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. **System resiliency**: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. **Environment**: Major externalities (property damage, environmental damage, etc.) imposed on other parties. **Financial**: Financial losses that likely lead to bankruptcy of multiple persons. **Psychological**: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." - }, - { - "key": "R", - "name": "Critical", - "definition": "Any one or more of these conditions hold. **Physical harm**: Loss of life (IEC 61508 Critical). **Operator resiliency**: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. **System resiliency**: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. **Environment**: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. **Financial**: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. **Psychological**: N/A." - }, - { - "key": "C", - "name": "Catastrophic", - "definition": "Any one or more of these conditions hold. **Physical harm**: Multiple loss of life (IEC 61508 Catastrophic). **Operator resiliency**: Operator incapacitated (includes fatality or otherwise incapacitated). **System resiliency**: Total loss of whole cyber-physical system, of which the software is a part. **Environment**: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. **Financial**: Social systems (elections, financial grid, etc.) supported by the software collapse. **Psychological**: N/A." - } - ] + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "D", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "V" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "B", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "T", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" }, - "ssvc:PSI:2.0.1": { - "namespace": "ssvc", - "key": "PSI", - "version": "2.0.1", - "name": "Public Safety Impact", - "definition": "A coarse-grained representation of impact to public safety.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "M", - "name": "Minimal", - "definition": "Safety Impact:Negligible" - }, - { - "key": "S", - "name": "Significant", - "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)" - } - ] - } - }, - "outcome": "ssvc:PSI:2.0.1", - "mapping": [ { - "ssvc:SI:2.0.1": "N", - "ssvc:PSI:2.0.1": "M" + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" }, { - "ssvc:SI:2.0.1": "M", - "ssvc:PSI:2.0.1": "S" + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" }, { - "ssvc:SI:2.0.1": "R", - "ssvc:PSI:2.0.1": "S" + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "U" }, { - "ssvc:SI:2.0.1": "C", - "ssvc:PSI:2.0.1": "S" + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "U" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "F", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "P", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "K", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "P", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "F", + "x_org.owasp#aivss:PI:1.0.0": "O" + }, + { + "x_org.owasp#aivss:ND:1.0.0": "H", + "x_org.owasp#aivss:OR:1.0.0": "O", + "x_org.owasp#aivss:VC:1.0.0": "U", + "x_org.owasp#aivss:DP:1.0.0": "S", + "x_org.owasp#aivss:PI:1.0.0": "O" } ] } } } }, - "DT_SP": { - "key": "DT_SP", + "DT_EP": { + "key": "DT_EP", "versions": { "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "ssvc", - "key": "DT_SP", + "namespace": "x_org.owasp#aivss", + "key": "DT_EP", "version": "1.0.0", - "name": "Supplier Patch Development Priority", - "definition": "Decision table for evaluating supplier patch development priority in SSVC", + "name": "Execution Power", + "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", "schemaVersion": "2.0.0", "decision_points": { - "ssvc:E:1.1.0": { - "namespace": "ssvc", - "key": "E", - "version": "1.1.0", - "name": "Exploitation", - "definition": "The present state of exploitation of the vulnerability.", + "x_org.owasp#aivss:AA:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "AA", + "version": "1.0.0", + "name": "Autonomy of Action", + "definition": "Determines the autonomy of action level of a vulnerability based on its characteristics and potential effects.", "schemaVersion": "2.0.0", "values": [ { - "key": "N", - "name": "None", - "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + "key": "G", + "name": "Gated", + "definition": "The agent cannot act without human approval." }, { - "key": "P", - "name": "Public PoC", - "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." + "key": "S", + "name": "Scoped", + "definition": "The agent can act independently but only in tightly bounded spaces." }, { - "key": "A", - "name": "Active", - "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + "key": "F", + "name": "Free-Running", + "definition": "The agent can execute actions in live systems without a human in the loop." } ] }, - "ssvc:U:1.0.1": { - "namespace": "ssvc", - "key": "U", - "version": "1.0.1", - "name": "Utility", - "definition": "The Usefulness of the Exploit to the Adversary", + "x_org.owasp#aivss:TU:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "TU", + "version": "1.0.0", + "name": "Tool Use", + "definition": "Determines the tool use level of an AI agent based on its capabilities to interact with systems.", "schemaVersion": "2.0.0", "values": [ { - "key": "L", - "name": "Laborious", - "definition": "Automatable:No AND Value Density:Diffuse" + "key": "V", + "name": "Viewer", + "definition": "The agent can only read and analyze information without making any changes." }, { - "key": "E", - "name": "Efficient", - "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)" + "key": "O", + "name": "Operator", + "definition": "The agent can make changes within a controlled environment, such as test systems or local files." }, { - "key": "S", - "name": "Super Effective", - "definition": "Automatable:Yes AND Value Density:Concentrated" + "key": "A", + "name": "Administrator", + "definition": "The agent has full control and can make changes to privileged systems, including production environments." } ] }, - "ssvc:TI:1.0.0": { - "namespace": "ssvc", - "key": "TI", - "version": "1.0.0", - "name": "Technical Impact", - "definition": "The technical impact of the vulnerability.", + "x_org.owasp#aivss:SM:1.1.0": { + "namespace": "x_org.owasp#aivss", + "key": "SM", + "version": "1.1.0", + "name": "Self-Modification", + "definition": "Determines the self-modification capabilities of an AI agent based on its ability to alter its own code, configuration, or behavior.", "schemaVersion": "2.0.0", "values": [ { - "key": "P", - "name": "Partial", - "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control." + "key": "F", + "name": "Fixed", + "definition": "The agent cannot modify its own code, configuration, or behavior." }, { "key": "T", - "name": "Total", - "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." + "name": "Tunable", + "definition": "The agent can modify its configuration or prompts but not its core code or behavior." + }, + { + "key": "M", + "name": "Mutable", + "definition": "The agent can modify its own code, configuration, or behavior." } ] }, - "ssvc:PSI:2.0.1": { - "namespace": "ssvc", - "key": "PSI", - "version": "2.0.1", - "name": "Public Safety Impact", - "definition": "A coarse-grained representation of impact to public safety.", + "x_org.owasp#aivss:GDP:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "GDP", + "version": "1.0.0", + "name": "Goal-Driven Planning", + "definition": "Determines the goal-driven planning capabilities of an AI agent based on its ability to plan and execute actions over multiple steps.", "schemaVersion": "2.0.0", "values": [ { - "key": "M", - "name": "Minimal", - "definition": "Safety Impact:Negligible" + "key": "R", + "name": "Reactive", + "definition": "The agent can only respond to immediate inputs without planning." }, { - "key": "S", - "name": "Significant", - "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)" + "key": "A", + "name": "Assisted", + "definition": "The agent can plan multiple steps ahead but requires human execution or approval." + }, + { + "key": "U", + "name": "Autonomous", + "definition": "The agent can plan and execute multiple steps independently." } ] }, - "ssvc:DSOI:1.0.0": { - "namespace": "ssvc", - "key": "DSOI", + "x_org.owasp#aivss:EP:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "EP", "version": "1.0.0", - "name": "Defer, Scheduled, Out-of-Cycle, Immediate", - "definition": "The original SSVC outcome group.", + "name": "Execution Power", + "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", "schemaVersion": "2.0.0", "values": [ { - "key": "D", - "name": "Defer", - "definition": "Defer" - }, - { - "key": "S", - "name": "Scheduled", - "definition": "Scheduled" + "key": "C", + "name": "Constrained", + "definition": "The AI agent has limited execution power, restricting its ability to perform actions autonomously or interact with external systems." }, { - "key": "O", - "name": "Out-of-Cycle", - "definition": "Out-of-Cycle" + "key": "CA", + "name": "Capable", + "definition": "The AI agent has moderate execution power, allowing it to perform certain actions autonomously and interact with external systems under supervision." }, { - "key": "I", - "name": "Immediate", - "definition": "Immediate" + "key": "H", + "name": "High Leverage", + "definition": "The AI agent has extensive execution power, enabling it to perform actions autonomously and interact with external systems with minimal supervision." } ] } }, - "outcome": "ssvc:DSOI:1.0.0", + "outcome": "x_org.owasp#aivss:EP:1.0.0", "mapping": [ { - "ssvc:E:1.1.0": "N", - "ssvc:U:1.0.1": "L", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "D" + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" }, { - "ssvc:E:1.1.0": "N", - "ssvc:U:1.0.1": "L", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "S" + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "C" }, { - "ssvc:E:1.1.0": "N", - "ssvc:U:1.0.1": "L", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "S" + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "N", - "ssvc:U:1.0.1": "L", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" }, { - "ssvc:E:1.1.0": "N", - "ssvc:U:1.0.1": "E", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "S" + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "G", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "C" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "N", - "ssvc:U:1.0.1": "E", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "N", - "ssvc:U:1.0.1": "E", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "S" + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "N", - "ssvc:U:1.0.1": "E", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "N", - "ssvc:U:1.0.1": "S", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "S" + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "N", - "ssvc:U:1.0.1": "S", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "N", - "ssvc:U:1.0.1": "S", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "N", - "ssvc:U:1.0.1": "S", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "P", - "ssvc:U:1.0.1": "L", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "S" + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "P", - "ssvc:U:1.0.1": "L", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "P", - "ssvc:U:1.0.1": "L", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "S" + "x_org.owasp#aivss:AA:1.0.0": "S", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "P", - "ssvc:U:1.0.1": "L", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "I" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "P", - "ssvc:U:1.0.1": "E", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "S" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "P", - "ssvc:U:1.0.1": "E", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "I" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "P", - "ssvc:U:1.0.1": "E", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "P", - "ssvc:U:1.0.1": "E", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "I" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "P", - "ssvc:U:1.0.1": "S", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "P", - "ssvc:U:1.0.1": "S", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "I" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "P", - "ssvc:U:1.0.1": "S", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "P", - "ssvc:U:1.0.1": "S", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "I" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "V", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "I" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "A", - "ssvc:U:1.0.1": "L", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "I" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "CA" }, { - "ssvc:E:1.1.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "I" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "O" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "A", - "ssvc:U:1.0.1": "E", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "I" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "I" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "O", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:TI:1.0.0": "P", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "I" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "M", - "ssvc:DSOI:1.0.0": "I" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:E:1.1.0": "A", - "ssvc:U:1.0.1": "S", - "ssvc:TI:1.0.0": "T", - "ssvc:PSI:2.0.1": "S", - "ssvc:DSOI:1.0.0": "I" - } - ] - } - } - } - }, - "DT_U": { - "key": "DT_U", - "versions": { - "1.0.0": { - "version": "1.0.0", - "obj": { - "namespace": "ssvc", - "key": "DT_U", - "version": "1.0.0", - "name": "Utility", - "definition": "Utility decision table for SSVC", - "schemaVersion": "2.0.0", - "decision_points": { - "ssvc:A:2.0.0": { - "namespace": "ssvc", - "key": "A", - "version": "2.0.0", - "name": "Automatable", - "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "No", - "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation." - }, - { - "key": "Y", - "name": "Yes", - "definition": "Attackers can reliably automate steps 1-4 of the kill chain." - } - ] + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "F", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" }, - "ssvc:VD:1.0.0": { - "namespace": "ssvc", - "key": "VD", - "version": "1.0.0", - "name": "Value Density", - "definition": "The concentration of value in the target", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "D", - "name": "Diffuse", - "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small." - }, - { - "key": "C", - "name": "Concentrated", - "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users." - } - ] + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" }, - "ssvc:U:1.0.1": { - "namespace": "ssvc", - "key": "U", - "version": "1.0.1", - "name": "Utility", - "definition": "The Usefulness of the Exploit to the Adversary", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "L", - "name": "Laborious", - "definition": "Automatable:No AND Value Density:Diffuse" - }, - { - "key": "E", - "name": "Efficient", - "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)" - }, - { - "key": "S", - "name": "Super Effective", - "definition": "Automatable:Yes AND Value Density:Concentrated" - } - ] - } - }, - "outcome": "ssvc:U:1.0.1", - "mapping": [ { - "ssvc:A:2.0.0": "N", - "ssvc:VD:1.0.0": "D", - "ssvc:U:1.0.1": "L" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:A:2.0.0": "N", - "ssvc:VD:1.0.0": "C", - "ssvc:U:1.0.1": "E" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "T", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:A:2.0.0": "Y", - "ssvc:VD:1.0.0": "D", - "ssvc:U:1.0.1": "E" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "R", + "x_org.owasp#aivss:EP:1.0.0": "H" }, { - "ssvc:A:2.0.0": "Y", - "ssvc:VD:1.0.0": "C", - "ssvc:U:1.0.1": "S" + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "A", + "x_org.owasp#aivss:EP:1.0.0": "H" + }, + { + "x_org.owasp#aivss:AA:1.0.0": "F", + "x_org.owasp#aivss:TU:1.0.0": "A", + "x_org.owasp#aivss:SM:1.1.0": "M", + "x_org.owasp#aivss:GDP:1.0.0": "U", + "x_org.owasp#aivss:EP:1.0.0": "H" } ] } From 75a3ad0822abbb60fe63b44cc1559e4b4c4611c7 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Fri, 21 Nov 2025 14:34:16 -0500 Subject: [PATCH 03/23] Enhance AIVSS documentation and structure for Agentic Impact Level --- docs/howto/aivss/agentic_impact.md | 40 +++- docs/howto/aivss/env_adapt.md | 2 +- docs/howto/aivss/exec_power.md | 2 +- docs/howto/aivss/index.md | 65 +++++ docs/howto/aivss/predict_influence.md | 2 +- mkdocs.yml | 10 +- .../decision_points/aivss/agentic_impact.py | 8 +- .../decision_points/aivss/systemic_impact.py | 70 ++++++ .../decision_tables/aivss/agentic_impact.py | 6 +- src/ssvc/decision_tables/aivss/aivss.py | 225 ++++++++++++++++++ src/ssvc/decision_tables/helpers.py | 10 +- 11 files changed, 422 insertions(+), 18 deletions(-) create mode 100644 docs/howto/aivss/index.md create mode 100644 src/ssvc/decision_points/aivss/systemic_impact.py create mode 100644 src/ssvc/decision_tables/aivss/aivss.py diff --git a/docs/howto/aivss/agentic_impact.md b/docs/howto/aivss/agentic_impact.md index b154b43d..34b99992 100644 --- a/docs/howto/aivss/agentic_impact.md +++ b/docs/howto/aivss/agentic_impact.md @@ -1,9 +1,31 @@ -# AIVSS Guide +# AIVSS Agentic Impact Level + +The Agentic Impact Level (AIL) is... + +!!! info "Agentic Impact Level supports the AIVSS framework" + + The Agentic Impact Level (AIL) is one of the decision points used in the + [AIVSS framework](./index.md) to help organizations prioritize AI-related + vulnerabilities. The AIL describes the degree of autonomy and influence + the AI system has in its operational environment, which can impact the + potential risk associated with vulnerabilities in the system. + + +!!! tip "Assessing Agentic Impact Level" + + The Agentic Impact Level (AIL) is not intended to be assessed for every + individual vulnerability reported. Instead, it is intended to be assessed + for the system as a whole, or for significant changes to the system that + may affect the AIL. Because of this, we recommend that organizations + assess the AIL periodically, such as during major system updates or + architecture changes. -Some text ## Outcome +The outcome set for AIVSS Agentic Impact Level describes the degree of +autonomy and influence the AI system has in its operational environment. + ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.agentic_impact import LATEST as DT from ssvc.doc_helpers import example_block @@ -15,6 +37,10 @@ print(example_block(dp)) ## Decision Points +The Decision Points for AIVSS Agentic Impact Level are divided into three +supporting decision tables. The examples below show the outcomes for each +of those decision tables that are used to determine the overall Agentic Impact Level. + ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.agentic_impact import LATEST as DT from ssvc.doc_helpers import example_block @@ -23,6 +49,16 @@ for dp in [v for k,v in DT.decision_points.items() if k != DT.outcome]: print(example_block(dp)) ``` +!!! info "See documentation for the supporting decision tables" + + Although the Agentic Impact Level (AIL) can be assessed directly, we recommend + it be assessed by combining the results of a few supporting decision tables. + See the documentation for + [Execution Power](exec_power.md), + [Environment & Adaptation](env_adapt.md), and + [Predictability & Influence](predict_influence.md) + for more details. + ## Decision Table ### Decision Model Visualization diff --git a/docs/howto/aivss/env_adapt.md b/docs/howto/aivss/env_adapt.md index 79408270..7647b234 100644 --- a/docs/howto/aivss/env_adapt.md +++ b/docs/howto/aivss/env_adapt.md @@ -1,4 +1,4 @@ -# AIVSS Guide +# AIVSS Environment and Adaptation Some text diff --git a/docs/howto/aivss/exec_power.md b/docs/howto/aivss/exec_power.md index eb99ca14..71b2f891 100644 --- a/docs/howto/aivss/exec_power.md +++ b/docs/howto/aivss/exec_power.md @@ -1,4 +1,4 @@ -# AIVSS Guide +# AIVSS Execution Power Some text diff --git a/docs/howto/aivss/index.md b/docs/howto/aivss/index.md new file mode 100644 index 00000000..46304266 --- /dev/null +++ b/docs/howto/aivss/index.md @@ -0,0 +1,65 @@ +# AIVSS + +AIVSS is... {== TODO WRITE ME ==} + +## Outcome + +The outcome set for AIVSS is the basic SSVC priority levels: Defer, Scheduled, Out-of-Cycle, and Immediate. + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.aivss import LATEST as DT +from ssvc.doc_helpers import example_block + +dp = DT.decision_points[DT.outcome] +print(example_block(dp)) +``` + +## Decision Points + +The Decision Points for AIVSS include: + +- [Exploitation](../reference/decision_points/exploitation.md) +- Agentic Impact Level +- Systemic Impact + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.aivss import LATEST as DT +from ssvc.doc_helpers import example_block + +for dp in [v for k,v in DT.decision_points.items() if k != DT.outcome]: + print(example_block(dp)) +``` + +!!! info "Agentic Impact Level is a Composite Decision Point" + + Although the Agentic Impact Level (AIL) can be assessed directly, we recommend + it be assessed by combining the results of a few supporting decision tables. + See [AIVSS Agentic Impact Level](./agentic_impact.md) for more details. + +## Decision Table + +### Decision Model Visualization + + +```python exec="true" idprefix="" +from ssvc.decision_tables.aivss.aivss import LATEST as DT +from ssvc.decision_tables.helpers import mapping2mermaid, mermaid_title_from_dt + +rows = DT.mapping +title = mermaid_title_from_dt(DT) +print(mapping2mermaid(rows, title=title)) +``` + +### Table of Values + +The table below shows the values for the decision model. +Each row of the table corresponds to a path through the decision model diagram above. + +```python exec="true" idprefix="" + +from ssvc.decision_tables.aivss.aivss import LATEST as DT +from ssvc.decision_tables.helpers import dt2df_md + +print(dt2df_md(DT)) +``` + diff --git a/docs/howto/aivss/predict_influence.md b/docs/howto/aivss/predict_influence.md index f5e2b9e2..7e2630c5 100644 --- a/docs/howto/aivss/predict_influence.md +++ b/docs/howto/aivss/predict_influence.md @@ -1,4 +1,4 @@ -# AIVSS Guide +# AIVSS Predictability and Influence Some text diff --git a/mkdocs.yml b/mkdocs.yml index 58be873a..b9e2b5d9 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -25,11 +25,11 @@ nav: - Coordination Triage: 'howto/coordination_triage_decision.md' - Publication Decision: 'howto/publication_decision.md' - AIVSS Model: -# - About AIVSS: 'howto/aivss/index.md' - - Execution Power Model: 'howto/aivss/exec_power.md' - - Environment and Adaptation Model: 'howto/aivss/env_adapt.md' - - Predictability and Influence Model: 'howto/aivss/predict_influence.md' - - Agentic Impact Level Model: 'howto/aivss/agentic_impact.md' + - Intro: 'howto/aivss/index.md' + - Agentic Impact Level Model: 'howto/aivss/agentic_impact.md' + - Execution Power Model: 'howto/aivss/exec_power.md' + - Environment and Adaptation Model: 'howto/aivss/env_adapt.md' + - Predictability and Influence Model: 'howto/aivss/predict_influence.md' - CVSS v4 Analyst Models: - About CVSS v4: 'howto/cvss_v4/index.md' - Equivalence Set 1: 'howto/cvss_v4/eq1.md' diff --git a/src/ssvc/decision_points/aivss/agentic_impact.py b/src/ssvc/decision_points/aivss/agentic_impact.py index 6c1d0bb2..3a3c9618 100644 --- a/src/ssvc/decision_points/aivss/agentic_impact.py +++ b/src/ssvc/decision_points/aivss/agentic_impact.py @@ -37,17 +37,17 @@ key="S", name="Specialist", definition="The agent is a specialist with significant autonomy within a defined domain." - "It can use powerful tools and may learn from interactions.", + "It can use powerful tools and may learn from interactions.", ) PRIME_MOVER = DecisionPointValue( key="P", name="Prime Mover", definition="The agent is a prime mover with broad autonomy. " - "It can orchestrate other systems, modify its own logic, and interact with critical infrastructure." + "It can orchestrate other systems, modify its own logic, and interact with critical infrastructure.", ) -AIL_01 = AivssDecisionPoint( +AGENTIC_IMPACT_LEVEL_01 = AivssDecisionPoint( key="AIL", name="Agentic Impact Level", definition="Determines the agentic impact level of a vulnerability based on its characteristics and potential effects.", @@ -56,7 +56,7 @@ ) -VERSIONS = (AIL_01, ) +VERSIONS = (AGENTIC_IMPACT_LEVEL_01,) LATEST = VERSIONS[-1] if __name__ == "__main__": diff --git a/src/ssvc/decision_points/aivss/systemic_impact.py b/src/ssvc/decision_points/aivss/systemic_impact.py new file mode 100644 index 00000000..4760d500 --- /dev/null +++ b/src/ssvc/decision_points/aivss/systemic_impact.py @@ -0,0 +1,70 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +""" +Provides TODO writeme +""" +from ssvc.decision_points.aivss.base import AivssDecisionPoint +from ssvc.decision_points.base import DecisionPointValue + +# Decision Point 3: Systemic Impact +# This measures the mission-criticality and blast radius of the systems, data, and processes the agent can affect. +# +# Contained: The impact of a compromise is limited to the agent itself, a single user's data, or a non-critical system. The business or mission impact is negligible. +# Significant: A compromise would impact a major business function, a critical internal system, or cause cascading failures within a business unit. It could result in moderate financial loss, reputational damage, or operational disruption. +# Critical: A compromise would pose a threat to the entire organization's viability, public safety, or critical infrastructure. It could lead to severe financial loss, widespread data breach, regulatory failure, or physical harm. + +CONTAINED = DecisionPointValue( + key="C", + name="Contained", + definition="The impact of a compromise is limited to the agent itself, a single user's data, or a non-critical system. The business or mission impact is negligible.", +) +SIGNIFICANT = DecisionPointValue( + key="S", + name="Significant", + definition="A compromise would impact a major business function, a critical internal system, or cause cascading failures within a business unit. It could result in moderate financial loss, reputational damage, or operational disruption.", +) +CRITICAL = DecisionPointValue( + key="R", + name="Critical", + definition="A compromise would pose a threat to the entire organization's viability, public safety, or critical infrastructure. It could lead to severe financial loss, widespread data breach, regulatory failure, or physical harm.", +) +SYSTEMIC_IMPACT_01 = AivssDecisionPoint( + key="SI", + name="Systemic Impact", + definition=( + "Measures the mission-criticality and blast radius of the systems, data, and processes the agent can affect." + ), + version="1.0.0", + values=(CONTAINED, SIGNIFICANT, CRITICAL), +) +VERSIONS = (SYSTEMIC_IMPACT_01,) +LATEST = VERSIONS[-1] + + +def main(): + from ssvc.decision_points.helpers import print_versions_and_diffs + + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_tables/aivss/agentic_impact.py b/src/ssvc/decision_tables/aivss/agentic_impact.py index d85b3546..fbb79698 100644 --- a/src/ssvc/decision_tables/aivss/agentic_impact.py +++ b/src/ssvc/decision_tables/aivss/agentic_impact.py @@ -22,7 +22,7 @@ """ Provides TODO writeme """ -from ssvc.decision_points.aivss.agentic_impact import AIL_01 +from ssvc.decision_points.aivss.agentic_impact import AGENTIC_IMPACT_LEVEL_01 from ssvc.decision_points.aivss.base import AIVSS_NS from ssvc.decision_points.aivss.env_adaptation import ENV_ADAPT_01 from ssvc.decision_points.aivss.execution_power import EXECUTION_POWER @@ -43,10 +43,10 @@ EXECUTION_POWER, ENV_ADAPT_01, PREDICTABILITY_INFLUENCE_01, - AIL_01, + AGENTIC_IMPACT_LEVEL_01, ] }, - outcome=AIL_01.id, + outcome=AGENTIC_IMPACT_LEVEL_01.id, mapping=[ { "x_org.owasp#aivss:EP:1.0.0": "C", diff --git a/src/ssvc/decision_tables/aivss/aivss.py b/src/ssvc/decision_tables/aivss/aivss.py new file mode 100644 index 00000000..92f529b8 --- /dev/null +++ b/src/ssvc/decision_tables/aivss/aivss.py @@ -0,0 +1,225 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +""" +Provides TODO writeme +""" +from ssvc.decision_points.aivss.agentic_impact import AGENTIC_IMPACT_LEVEL_01 +from ssvc.decision_points.aivss.base import AIVSS_NS +from ssvc.decision_points.aivss.systemic_impact import SYSTEMIC_IMPACT_01 +from ssvc.decision_points.ssvc.exploitation import EXPLOITATION_1_1_0 +from ssvc.decision_tables.base import DecisionTable +from ssvc.outcomes.ssvc.dsoi import DSOI + +V1_0_0 = DecisionTable( + key="AIVSS", + name="AIVSS Decision Table", + namespace=AIVSS_NS, + version="1.0.0", + definition="Decision table for the AIVSS framework.", + decision_points={ + dp.id: dp + for dp in [ + EXPLOITATION_1_1_0, + AGENTIC_IMPACT_LEVEL_01, + SYSTEMIC_IMPACT_01, + DSOI, + ] + }, + outcome=DSOI.id, + mapping=[ + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "D", + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "S", + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "O", + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "S", + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "S", + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "O", + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "S", + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "O", + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I", + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "S", + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "S", + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "O", + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "S", + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "O", + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "O", + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "O", + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "O", + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I", + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "O", + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "O", + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I", + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "O", + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "I", + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I", + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "I", + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "I", + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I", + }, + ], +) + +VERSIONS = (V1_0_0,) +LATEST = VERSIONS[-1] + + +def main(): + from ssvc.decision_tables.helpers import print_dt_version + + print_dt_version(V1_0_0) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_tables/helpers.py b/src/ssvc/decision_tables/helpers.py index aadcfda7..4de91b32 100644 --- a/src/ssvc/decision_tables/helpers.py +++ b/src/ssvc/decision_tables/helpers.py @@ -24,6 +24,7 @@ import logging + import pandas as pd from ssvc.decision_tables.base import ( @@ -116,7 +117,14 @@ def _mapping2mermaid(mapping: list[dict[str:str]], title: str = None) -> str: lines.append("end") lines.append("subgraph outputs[Outcome]") - subgraph_name = f's{col_idx+1}["{col}"]' + if ":" in col: + (col_ns, _, col_keyver) = col.partition(":") + (ns_pfx, _, ns_frag) = col_ns.partition("#") + colhdr = f"{ns_pfx}
#{ns_frag}
{col_keyver}" + else: + colhdr = col + + subgraph_name = f's{col_idx+1}["{colhdr}"]' lines.append(f"subgraph {subgraph_name}") seen_paths = set() for row in mapping: From 20fe32d78758588f1718998f08e7da792e3ff233 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Fri, 21 Nov 2025 14:35:17 -0500 Subject: [PATCH 04/23] Add Systemic Impact and AIVSS Decision Table definitions to the registry --- .../aivss_decision_table_1_0_0.csv | 28 ++ .../systemic_impact_1_0_0.json | 25 ++ .../aivss_decision_table_1_0_0.json | 280 +++++++++++++++ data/json/ssvc_object_registry.json | 338 ++++++++++++++++++ 4 files changed, 671 insertions(+) create mode 100644 data/csv/x_org_owasp_aivss/aivss_decision_table_1_0_0.csv create mode 100644 data/json/decision_points/x_org_owasp_aivss/systemic_impact_1_0_0.json create mode 100644 data/json/decision_tables/x_org_owasp_aivss/aivss_decision_table_1_0_0.json diff --git a/data/csv/x_org_owasp_aivss/aivss_decision_table_1_0_0.csv b/data/csv/x_org_owasp_aivss/aivss_decision_table_1_0_0.csv new file mode 100644 index 00000000..d002708e --- /dev/null +++ b/data/csv/x_org_owasp_aivss/aivss_decision_table_1_0_0.csv @@ -0,0 +1,28 @@ +row,Exploitation v1.1.0,Agentic Impact Level v1.0.0 (x_org.owasp#aivss),Systemic Impact v1.0.0 (x_org.owasp#aivss),"Defer, Scheduled, Out-of-Cycle, Immediate v1.0.0" +0,none,copilot,contained,defer +1,none,copilot,significant,scheduled +2,none,copilot,critical,out-of-cycle +3,none,specialist,contained,scheduled +4,none,specialist,significant,scheduled +5,none,specialist,critical,out-of-cycle +6,none,prime mover,contained,scheduled +7,none,prime mover,significant,out-of-cycle +8,none,prime mover,critical,immediate +9,public poc,copilot,contained,scheduled +10,public poc,copilot,significant,scheduled +11,public poc,copilot,critical,out-of-cycle +12,public poc,specialist,contained,scheduled +13,public poc,specialist,significant,out-of-cycle +14,public poc,specialist,critical,out-of-cycle +15,public poc,prime mover,contained,out-of-cycle +16,public poc,prime mover,significant,out-of-cycle +17,public poc,prime mover,critical,immediate +18,active,copilot,contained,out-of-cycle +19,active,copilot,significant,out-of-cycle +20,active,copilot,critical,immediate +21,active,specialist,contained,out-of-cycle +22,active,specialist,significant,immediate +23,active,specialist,critical,immediate +24,active,prime mover,contained,immediate +25,active,prime mover,significant,immediate +26,active,prime mover,critical,immediate diff --git a/data/json/decision_points/x_org_owasp_aivss/systemic_impact_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/systemic_impact_1_0_0.json new file mode 100644 index 00000000..6fb0dd64 --- /dev/null +++ b/data/json/decision_points/x_org_owasp_aivss/systemic_impact_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "SI", + "version": "1.0.0", + "name": "Systemic Impact", + "definition": "Measures the mission-criticality and blast radius of the systems, data, and processes the agent can affect.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "Contained", + "definition": "The impact of a compromise is limited to the agent itself, a single user's data, or a non-critical system. The business or mission impact is negligible." + }, + { + "key": "S", + "name": "Significant", + "definition": "A compromise would impact a major business function, a critical internal system, or cause cascading failures within a business unit. It could result in moderate financial loss, reputational damage, or operational disruption." + }, + { + "key": "R", + "name": "Critical", + "definition": "A compromise would pose a threat to the entire organization's viability, public safety, or critical infrastructure. It could lead to severe financial loss, widespread data breach, regulatory failure, or physical harm." + } + ] +} diff --git a/data/json/decision_tables/x_org_owasp_aivss/aivss_decision_table_1_0_0.json b/data/json/decision_tables/x_org_owasp_aivss/aivss_decision_table_1_0_0.json new file mode 100644 index 00000000..0c68ec4d --- /dev/null +++ b/data/json/decision_tables/x_org_owasp_aivss/aivss_decision_table_1_0_0.json @@ -0,0 +1,280 @@ +{ + "namespace": "x_org.owasp#aivss", + "key": "DT_AIVSS", + "version": "1.0.0", + "name": "AIVSS Decision Table", + "definition": "Decision table for the AIVSS framework.", + "schemaVersion": "2.0.0", + "decision_points": { + "ssvc:E:1.1.0": { + "namespace": "ssvc", + "key": "E", + "version": "1.1.0", + "name": "Exploitation", + "definition": "The present state of exploitation of the vulnerability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + }, + { + "key": "P", + "name": "Public PoC", + "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." + }, + { + "key": "A", + "name": "Active", + "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + } + ] + }, + "x_org.owasp#aivss:AIL:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "AIL", + "version": "1.0.0", + "name": "Agentic Impact Level", + "definition": "Determines the agentic impact level of a vulnerability based on its characteristics and potential effects.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "CoPilot", + "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." + }, + { + "key": "S", + "name": "Specialist", + "definition": "The agent is a specialist with significant autonomy within a defined domain.It can use powerful tools and may learn from interactions." + }, + { + "key": "P", + "name": "Prime Mover", + "definition": "The agent is a prime mover with broad autonomy. It can orchestrate other systems, modify its own logic, and interact with critical infrastructure." + } + ] + }, + "x_org.owasp#aivss:SI:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "SI", + "version": "1.0.0", + "name": "Systemic Impact", + "definition": "Measures the mission-criticality and blast radius of the systems, data, and processes the agent can affect.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "Contained", + "definition": "The impact of a compromise is limited to the agent itself, a single user's data, or a non-critical system. The business or mission impact is negligible." + }, + { + "key": "S", + "name": "Significant", + "definition": "A compromise would impact a major business function, a critical internal system, or cause cascading failures within a business unit. It could result in moderate financial loss, reputational damage, or operational disruption." + }, + { + "key": "R", + "name": "Critical", + "definition": "A compromise would pose a threat to the entire organization's viability, public safety, or critical infrastructure. It could lead to severe financial loss, widespread data breach, regulatory failure, or physical harm." + } + ] + }, + "ssvc:DSOI:1.0.0": { + "namespace": "ssvc", + "key": "DSOI", + "version": "1.0.0", + "name": "Defer, Scheduled, Out-of-Cycle, Immediate", + "definition": "The original SSVC outcome group.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "D", + "name": "Defer", + "definition": "Defer" + }, + { + "key": "S", + "name": "Scheduled", + "definition": "Scheduled" + }, + { + "key": "O", + "name": "Out-of-Cycle", + "definition": "Out-of-Cycle" + }, + { + "key": "I", + "name": "Immediate", + "definition": "Immediate" + } + ] + } + }, + "outcome": "ssvc:DSOI:1.0.0", + "mapping": [ + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "D" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I" + } + ] +} diff --git a/data/json/ssvc_object_registry.json b/data/json/ssvc_object_registry.json index 2a2919d5..65488323 100644 --- a/data/json/ssvc_object_registry.json +++ b/data/json/ssvc_object_registry.json @@ -744,6 +744,56 @@ } } }, + "SI": { + "key": "SI", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "x_org.owasp#aivss", + "key": "SI", + "version": "1.0.0", + "name": "Systemic Impact", + "definition": "Measures the mission-criticality and blast radius of the systems, data, and processes the agent can affect.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "Contained", + "definition": "The impact of a compromise is limited to the agent itself, a single user's data, or a non-critical system. The business or mission impact is negligible." + }, + { + "key": "S", + "name": "Significant", + "definition": "A compromise would impact a major business function, a critical internal system, or cause cascading failures within a business unit. It could result in moderate financial loss, reputational damage, or operational disruption." + }, + { + "key": "R", + "name": "Critical", + "definition": "A compromise would pose a threat to the entire organization's viability, public safety, or critical infrastructure. It could lead to severe financial loss, widespread data breach, regulatory failure, or physical harm." + } + ] + }, + "values": { + "C": { + "key": "C", + "name": "Contained", + "definition": "The impact of a compromise is limited to the agent itself, a single user's data, or a non-critical system. The business or mission impact is negligible." + }, + "S": { + "key": "S", + "name": "Significant", + "definition": "A compromise would impact a major business function, a critical internal system, or cause cascading failures within a business unit. It could result in moderate financial loss, reputational damage, or operational disruption." + }, + "R": { + "key": "R", + "name": "Critical", + "definition": "A compromise would pose a threat to the entire organization's viability, public safety, or critical infrastructure. It could lead to severe financial loss, widespread data breach, regulatory failure, or physical harm." + } + } + } + } + }, "TU": { "key": "TU", "versions": { @@ -23920,6 +23970,294 @@ "x_org.owasp#aivss": { "namespace": "x_org.owasp#aivss", "keys": { + "DT_AIVSS": { + "key": "DT_AIVSS", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "x_org.owasp#aivss", + "key": "DT_AIVSS", + "version": "1.0.0", + "name": "AIVSS Decision Table", + "definition": "Decision table for the AIVSS framework.", + "schemaVersion": "2.0.0", + "decision_points": { + "ssvc:E:1.1.0": { + "namespace": "ssvc", + "key": "E", + "version": "1.1.0", + "name": "Exploitation", + "definition": "The present state of exploitation of the vulnerability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability." + }, + { + "key": "P", + "name": "Public PoC", + "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation." + }, + { + "key": "A", + "name": "Active", + "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." + } + ] + }, + "x_org.owasp#aivss:AIL:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "AIL", + "version": "1.0.0", + "name": "Agentic Impact Level", + "definition": "Determines the agentic impact level of a vulnerability based on its characteristics and potential effects.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "CoPilot", + "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." + }, + { + "key": "S", + "name": "Specialist", + "definition": "The agent is a specialist with significant autonomy within a defined domain.It can use powerful tools and may learn from interactions." + }, + { + "key": "P", + "name": "Prime Mover", + "definition": "The agent is a prime mover with broad autonomy. It can orchestrate other systems, modify its own logic, and interact with critical infrastructure." + } + ] + }, + "x_org.owasp#aivss:SI:1.0.0": { + "namespace": "x_org.owasp#aivss", + "key": "SI", + "version": "1.0.0", + "name": "Systemic Impact", + "definition": "Measures the mission-criticality and blast radius of the systems, data, and processes the agent can affect.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "Contained", + "definition": "The impact of a compromise is limited to the agent itself, a single user's data, or a non-critical system. The business or mission impact is negligible." + }, + { + "key": "S", + "name": "Significant", + "definition": "A compromise would impact a major business function, a critical internal system, or cause cascading failures within a business unit. It could result in moderate financial loss, reputational damage, or operational disruption." + }, + { + "key": "R", + "name": "Critical", + "definition": "A compromise would pose a threat to the entire organization's viability, public safety, or critical infrastructure. It could lead to severe financial loss, widespread data breach, regulatory failure, or physical harm." + } + ] + }, + "ssvc:DSOI:1.0.0": { + "namespace": "ssvc", + "key": "DSOI", + "version": "1.0.0", + "name": "Defer, Scheduled, Out-of-Cycle, Immediate", + "definition": "The original SSVC outcome group.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "D", + "name": "Defer", + "definition": "Defer" + }, + { + "key": "S", + "name": "Scheduled", + "definition": "Scheduled" + }, + { + "key": "O", + "name": "Out-of-Cycle", + "definition": "Out-of-Cycle" + }, + { + "key": "I", + "name": "Immediate", + "definition": "Immediate" + } + ] + } + }, + "outcome": "ssvc:DSOI:1.0.0", + "mapping": [ + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "D" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "N", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "S" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "P", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "C", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "O" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "S", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "C", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "S", + "ssvc:DSOI:1.0.0": "I" + }, + { + "ssvc:E:1.1.0": "A", + "x_org.owasp#aivss:AIL:1.0.0": "P", + "x_org.owasp#aivss:SI:1.0.0": "R", + "ssvc:DSOI:1.0.0": "I" + } + ] + } + } + } + }, "DT_AIL": { "key": "DT_AIL", "versions": { From f74a439ec48be9c34ef60c7d2eaec383b9f9b450 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Fri, 21 Nov 2025 14:48:30 -0500 Subject: [PATCH 05/23] Fix capitalization of "Copilot" in agentic impact definition --- .../x_org_owasp_aivss/agentic_impact_level_1_0_0.json | 2 +- .../x_org_owasp_aivss/agentic_impact_level_1_0_0.json | 2 +- .../x_org_owasp_aivss/aivss_decision_table_1_0_0.json | 2 +- data/json/ssvc_object_registry.json | 8 ++++---- src/ssvc/decision_points/aivss/agentic_impact.py | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/data/json/decision_points/x_org_owasp_aivss/agentic_impact_level_1_0_0.json b/data/json/decision_points/x_org_owasp_aivss/agentic_impact_level_1_0_0.json index e0cb75fb..6c8d57a1 100644 --- a/data/json/decision_points/x_org_owasp_aivss/agentic_impact_level_1_0_0.json +++ b/data/json/decision_points/x_org_owasp_aivss/agentic_impact_level_1_0_0.json @@ -8,7 +8,7 @@ "values": [ { "key": "C", - "name": "CoPilot", + "name": "Copilot", "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." }, { diff --git a/data/json/decision_tables/x_org_owasp_aivss/agentic_impact_level_1_0_0.json b/data/json/decision_tables/x_org_owasp_aivss/agentic_impact_level_1_0_0.json index 85c70832..6e1e9ae2 100644 --- a/data/json/decision_tables/x_org_owasp_aivss/agentic_impact_level_1_0_0.json +++ b/data/json/decision_tables/x_org_owasp_aivss/agentic_impact_level_1_0_0.json @@ -91,7 +91,7 @@ "values": [ { "key": "C", - "name": "CoPilot", + "name": "Copilot", "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." }, { diff --git a/data/json/decision_tables/x_org_owasp_aivss/aivss_decision_table_1_0_0.json b/data/json/decision_tables/x_org_owasp_aivss/aivss_decision_table_1_0_0.json index 0c68ec4d..fe85bf0c 100644 --- a/data/json/decision_tables/x_org_owasp_aivss/aivss_decision_table_1_0_0.json +++ b/data/json/decision_tables/x_org_owasp_aivss/aivss_decision_table_1_0_0.json @@ -41,7 +41,7 @@ "values": [ { "key": "C", - "name": "CoPilot", + "name": "Copilot", "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." }, { diff --git a/data/json/ssvc_object_registry.json b/data/json/ssvc_object_registry.json index 65488323..107fd283 100644 --- a/data/json/ssvc_object_registry.json +++ b/data/json/ssvc_object_registry.json @@ -24,7 +24,7 @@ "values": [ { "key": "C", - "name": "CoPilot", + "name": "Copilot", "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." }, { @@ -42,7 +42,7 @@ "values": { "C": { "key": "C", - "name": "CoPilot", + "name": "Copilot", "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." }, "S": { @@ -24018,7 +24018,7 @@ "values": [ { "key": "C", - "name": "CoPilot", + "name": "Copilot", "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." }, { @@ -24356,7 +24356,7 @@ "values": [ { "key": "C", - "name": "CoPilot", + "name": "Copilot", "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code." }, { diff --git a/src/ssvc/decision_points/aivss/agentic_impact.py b/src/ssvc/decision_points/aivss/agentic_impact.py index 3a3c9618..8023430a 100644 --- a/src/ssvc/decision_points/aivss/agentic_impact.py +++ b/src/ssvc/decision_points/aivss/agentic_impact.py @@ -27,7 +27,7 @@ COPILOT = DecisionPointValue( key="C", - name="CoPilot", + name="Copilot", definition="The agent is primarily a copilot or assistant. " "Its actions are heavily constrained, requiring human oversight. " "The agent explicitly does not have rights to execute code.", From 2aa2b6840e527753abbafa0872a7a68b7c664e4e Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Fri, 21 Nov 2025 15:09:46 -0500 Subject: [PATCH 06/23] markdownlint on aivss docs --- docs/howto/aivss/agentic_impact.md | 9 ++------- docs/howto/aivss/env_adapt.md | 5 +---- docs/howto/aivss/exec_power.md | 5 +---- docs/howto/aivss/index.md | 4 +--- docs/howto/aivss/predict_influence.md | 5 +---- 5 files changed, 6 insertions(+), 22 deletions(-) diff --git a/docs/howto/aivss/agentic_impact.md b/docs/howto/aivss/agentic_impact.md index 34b99992..5aad9dcd 100644 --- a/docs/howto/aivss/agentic_impact.md +++ b/docs/howto/aivss/agentic_impact.md @@ -10,7 +10,6 @@ The Agentic Impact Level (AIL) is... the AI system has in its operational environment, which can impact the potential risk associated with vulnerabilities in the system. - !!! tip "Assessing Agentic Impact Level" The Agentic Impact Level (AIL) is not intended to be assessed for every @@ -20,10 +19,9 @@ The Agentic Impact Level (AIL) is... assess the AIL periodically, such as during major system updates or architecture changes. +## Outcome -## Outcome - -The outcome set for AIVSS Agentic Impact Level describes the degree of +The outcome set for AIVSS Agentic Impact Level describes the degree of autonomy and influence the AI system has in its operational environment. ```python exec="true" idprefix="" @@ -34,7 +32,6 @@ dp = DT.decision_points[DT.outcome] print(example_block(dp)) ``` - ## Decision Points The Decision Points for AIVSS Agentic Impact Level are divided into three @@ -63,7 +60,6 @@ for dp in [v for k,v in DT.decision_points.items() if k != DT.outcome]: ### Decision Model Visualization - ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.agentic_impact import LATEST as DT from ssvc.decision_tables.helpers import mapping2mermaid, mermaid_title_from_dt @@ -85,4 +81,3 @@ from ssvc.decision_tables.helpers import dt2df_md print(dt2df_md(DT)) ``` - diff --git a/docs/howto/aivss/env_adapt.md b/docs/howto/aivss/env_adapt.md index 7647b234..6696475e 100644 --- a/docs/howto/aivss/env_adapt.md +++ b/docs/howto/aivss/env_adapt.md @@ -2,7 +2,7 @@ Some text -## Outcome +## Outcome ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.env_adaptation import LATEST as DT @@ -12,7 +12,6 @@ dp = DT.decision_points[DT.outcome] print(example_block(dp)) ``` - ## Decision Points ```python exec="true" idprefix="" @@ -27,7 +26,6 @@ for dp in [v for k,v in DT.decision_points.items() if k != DT.outcome]: ### Decision Model Visualization - ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.env_adaptation import LATEST as DT from ssvc.decision_tables.helpers import mapping2mermaid, mermaid_title_from_dt @@ -49,4 +47,3 @@ from ssvc.decision_tables.helpers import dt2df_md print(dt2df_md(DT)) ``` - diff --git a/docs/howto/aivss/exec_power.md b/docs/howto/aivss/exec_power.md index 71b2f891..d049760c 100644 --- a/docs/howto/aivss/exec_power.md +++ b/docs/howto/aivss/exec_power.md @@ -2,7 +2,7 @@ Some text -## Outcome +## Outcome ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.execution_power import LATEST as DT @@ -12,7 +12,6 @@ dp = DT.decision_points[DT.outcome] print(example_block(dp)) ``` - ## Decision Points ```python exec="true" idprefix="" @@ -27,7 +26,6 @@ for dp in [v for k,v in DT.decision_points.items() if k != DT.outcome]: ### Decision Model Visualization - ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.execution_power import LATEST as DT from ssvc.decision_tables.helpers import mapping2mermaid, mermaid_title_from_dt @@ -49,4 +47,3 @@ from ssvc.decision_tables.helpers import dt2df_md print(dt2df_md(DT)) ``` - diff --git a/docs/howto/aivss/index.md b/docs/howto/aivss/index.md index 46304266..bb66a447 100644 --- a/docs/howto/aivss/index.md +++ b/docs/howto/aivss/index.md @@ -2,7 +2,7 @@ AIVSS is... {== TODO WRITE ME ==} -## Outcome +## Outcome The outcome set for AIVSS is the basic SSVC priority levels: Defer, Scheduled, Out-of-Cycle, and Immediate. @@ -40,7 +40,6 @@ for dp in [v for k,v in DT.decision_points.items() if k != DT.outcome]: ### Decision Model Visualization - ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.aivss import LATEST as DT from ssvc.decision_tables.helpers import mapping2mermaid, mermaid_title_from_dt @@ -62,4 +61,3 @@ from ssvc.decision_tables.helpers import dt2df_md print(dt2df_md(DT)) ``` - diff --git a/docs/howto/aivss/predict_influence.md b/docs/howto/aivss/predict_influence.md index 7e2630c5..bcf5e895 100644 --- a/docs/howto/aivss/predict_influence.md +++ b/docs/howto/aivss/predict_influence.md @@ -2,7 +2,7 @@ Some text -## Outcome +## Outcome ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.predictability_influence import LATEST as DT @@ -12,7 +12,6 @@ dp = DT.decision_points[DT.outcome] print(example_block(dp)) ``` - ## Decision Points ```python exec="true" idprefix="" @@ -27,7 +26,6 @@ for dp in [v for k,v in DT.decision_points.items() if k != DT.outcome]: ### Decision Model Visualization - ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.predictability_influence import LATEST as DT from ssvc.decision_tables.helpers import mapping2mermaid, mermaid_title_from_dt @@ -49,4 +47,3 @@ from ssvc.decision_tables.helpers import dt2df_md print(dt2df_md(DT)) ``` - From 2973c060462a03ea76ba4f2eaf243b5bbf1d475b Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Fri, 21 Nov 2025 15:13:12 -0500 Subject: [PATCH 07/23] Fix link to exploitation decision point in index.md --- docs/howto/aivss/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto/aivss/index.md b/docs/howto/aivss/index.md index bb66a447..888c1720 100644 --- a/docs/howto/aivss/index.md +++ b/docs/howto/aivss/index.md @@ -18,7 +18,7 @@ print(example_block(dp)) The Decision Points for AIVSS include: -- [Exploitation](../reference/decision_points/exploitation.md) +- [Exploitation](../../reference/decision_points/exploitation.md) - Agentic Impact Level - Systemic Impact From 22656a4a0ce320da7b8277e01601754344e4201e Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 4 Dec 2025 14:58:35 -0500 Subject: [PATCH 08/23] Fix link formatting for exploitation decision point in index.md --- docs/howto/aivss/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/howto/aivss/index.md b/docs/howto/aivss/index.md index 888c1720..626e9058 100644 --- a/docs/howto/aivss/index.md +++ b/docs/howto/aivss/index.md @@ -18,7 +18,7 @@ print(example_block(dp)) The Decision Points for AIVSS include: -- [Exploitation](../../reference/decision_points/exploitation.md) +- [Exploitation](../.. /reference/decision_points/exploitation.md) - Agentic Impact Level - Systemic Impact From cf8c9ebf3a7f6b786f5c1430c788895d2a9f3c84 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 4 Dec 2025 14:59:00 -0500 Subject: [PATCH 09/23] Add pygraphviz dependency and implement graph labeling functionality --- pyproject.toml | 1 + src/ssvc/utils/graph_labeling.py | 362 +++++++++++++++++++++++++++++++ uv.lock | 8 + 3 files changed, 371 insertions(+) create mode 100644 src/ssvc/utils/graph_labeling.py diff --git a/pyproject.toml b/pyproject.toml index 93a556c4..3ccac4eb 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -48,6 +48,7 @@ dependencies = [ "pydantic>=2.11.7", "semver>=3.0.4", "fastapi[all,standard]>=0.116.1", + "pygraphviz>=1.14", ] dynamic = ["version",] diff --git a/src/ssvc/utils/graph_labeling.py b/src/ssvc/utils/graph_labeling.py new file mode 100644 index 00000000..b753ae12 --- /dev/null +++ b/src/ssvc/utils/graph_labeling.py @@ -0,0 +1,362 @@ +#!/usr/bin/env python + + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +import bisect +import math +from collections import Counter +from functools import partial +from typing import Any, Callable, Dict, List, Optional, Tuple + +import colorcet as cc +import matplotlib.colors as mcolors +import matplotlib.pyplot as plt +import networkx as nx +import numpy as np + +from ssvc.decision_tables.base import DecisionTable +from ssvc.utils.toposort import graph_from_dplist + + +def draw_hasse( + G: nx.DiGraph, + ax: Optional[plt.Axes] = None, + use_graphviz: bool = True, + node_size: int = 500, + node_color_attr: str = "color", + figsize: Tuple[int, int] = (18, 16), +) -> plt.Axes: + """ + Draw a Hasse-like diagram for a DAG. Returns the axes containing the plot. + Per-node colors are read from node attribute `node_color_attr` when + `node_color` is None. + """ + if ax is None: + fig, ax = plt.subplots(figsize=figsize) + + pos: Optional[Dict[Any, Tuple[float, float]]] = None + + if use_graphviz: + pos = layout_graphviz(G) + + if pos is None: + pos = layout_deterministic(G) + + nx_node_color = [G.nodes[n].get(node_color_attr, "skyblue") for n in G.nodes()] + + nx.draw( + G, + pos=pos, + with_labels=True, + node_size=node_size, + node_color=nx_node_color, + edge_color="gray", + font_size=10, + ax=ax, + ) + ax.margins(0.2) + return ax + + +def layout_deterministic(G: nx.DiGraph) -> dict[Any, tuple[ + float, float]] | None: + # Deterministic level layout (longest distance from minimal nodes) + min_nodes = [n for n in G.nodes if G.in_degree(n) == 0] or list(G.nodes) + levels: Dict[Any, int] = {n: 0 for n in min_nodes} + for n in nx.topological_sort(G): + base = levels.get(n, 0) + for s in G.successors(n): + levels[s] = max(levels.get(s, 0), base + 1) + + level_groups: Dict[int, List[Any]] = {} + for n, lvl in levels.items(): + level_groups.setdefault(lvl, []).append(n) + + pos = {} + for lvl in sorted(level_groups): + nodes = sorted(level_groups[lvl], key=lambda x: str(x)) + count = len(nodes) + xs = [i - (count - 1) / 2.0 for i in range(count)] + y = float(lvl) + for x, n in zip(xs, nodes): + pos[n] = (x, y) + + remaining = [n for n in G.nodes if n not in pos] + if remaining: + count = len(remaining) + xs = [i - (count - 1) / 2.0 for i in range(count)] + for x, n in zip(xs, remaining): + pos[n] = (x, 0.0) + return pos + + +def layout_graphviz(G: nx.DiGraph) -> dict[Any, tuple[float, float]] | None: + pos = None + + try: + from networkx.drawing.nx_agraph import graphviz_layout # type: ignore + + pos = graphviz_layout(G, prog="dot", args="-Grankdir=BT") + except Exception: + try: + from networkx.drawing.nx_pydot import graphviz_layout # type: ignore + + pos = graphviz_layout(G, prog="dot", args="-Grankdir=BT") + except Exception: + pass + + return pos + + +def write_graph(filename: str, G: nx.DiGraph, figsize: Tuple[int, int] = (24, 20),svg:bool=False,png:bool=True) -> None: + """Render `G` and write PNG and SVG files named `filename`.png / .svg.""" + if not (png or svg): + raise ValueError("At least one of png or svg must be True") + + ax = draw_hasse(G, figsize=figsize) + + if png: + ax.figure.savefig(f"{filename}.png", dpi=300, bbox_inches="tight") + if svg: + ax.figure.savefig(f"{filename}.svg", bbox_inches="tight") + + plt.close(ax.figure) + +# define partial functions for different norms +l1_magnitudes: Callable[[np.ndarray], np.ndarray] = partial(np.linalg.norm, ord=1, axis=1) +l2_magnitudes: Callable[[np.ndarray], np.ndarray] = partial(np.linalg.norm, ord=2, axis=1) +linf_magnitudes: Callable[[np.ndarray], np.ndarray] = partial(np.linalg.norm, ord=np.inf, axis=1) + +manhattan_distances = l1_magnitudes +euclidean_distances = l2_magnitudes +max_distances = linf_magnitudes + +def normalize_columns(arr: np.ndarray[tuple[Any, ...], np.dtype[Any]]) -> np.ndarray[tuple[Any, ...], np.dtype[Any]]: + """Normalize each column of `arr` to the range [0, 1]. + + Args: + arr: 2D numpy array to normalize. All columns must have minimum 0 and positive maximum. + Returns: + Normalized 2D numpy array with same shape as `arr`. All columns are scaled to [0, 1]. + Raises: + ValueError: If any column does not have minimum 0 or has non-positive maximum. + """ + maxs = arr.max(axis=0) + + if np.any(maxs <= 0): + # throw an error if maxs are not positive + raise ValueError("All columns must have a positive maximum value for normalization.") + + # we're just going to scale from 0 to max + # so we can use min as 0 for all columns + mins = np.zeros_like(maxs) + ranges = maxs - mins + arr_norm = np.zeros_like(arr) + + nonzero = ranges != 0.0 + if np.any(nonzero): + arr_norm[:, nonzero] = (arr[:, nonzero] - mins[nonzero]) / ranges[nonzero] + return arr_norm + + +def magnitude_quantile_labels_from_graph( + G: nx.DiGraph, + K: int, + norm_func: Optional[Callable[[np.ndarray], np.ndarray]] = euclidean_distances, +) -> Dict[Any, int]: + """ + More sophisticated magnitude-quantile labeling that normalizes per-dimension + then computes magnitudes and forms clump-safe quantile bins. + + This function now accepts a dependency (norm_func) that computes magnitudes + from the normalized array. For backward compatibility, a legacy `norm` + spec (string/number) is still accepted and mapped once to an appropriate + norm_func before use. + """ + if K < 2: + raise ValueError("K must be >= 2") + + node_iterable = list(G.nodes()) + if not node_iterable: + raise ValueError("Graph has no nodes") + + node_vectors: List[Tuple[int, ...]] = [] + for n in node_iterable: + vec = n + node_vectors.append(tuple(int(x) for x in vec)) + + dim = len(node_vectors[0]) + for v in node_vectors: + if len(v) != dim: + raise ValueError("All node vectors must have the same length") + + # normalize per-dimension to [0,1] + arr = np.array(node_vectors, dtype=float) + + arr_norm = normalize_columns(arr) + + # Compute magnitudes by calling dependency + mags = norm_func(arr_norm) + + unique_mags = np.unique(mags) + um_list = unique_mags.tolist() + + probs = [i / K for i in range(K + 1)] + try: + raw_cuts = np.quantile(mags, probs, method="linear") + except TypeError: + raw_cuts = np.quantile(mags, probs, interpolation="linear") # type: ignore + + def first_strictly_greater(val: float) -> float: + idx = bisect.bisect_right(um_list, val) + return float(um_list[idx]) if idx < len(um_list) else float(um_list[-1]) + + adjusted: List[float] = [0.0] * (K + 1) + adjusted[0] = float(um_list[0]) + adjusted[-1] = float(um_list[-1]) + + # Adjust cut values to avoid clumps + for j in range(1, K): + c = float(raw_cuts[j]) + if np.any(np.isclose(unique_mags, c)): + adjusted[j] = first_strictly_greater(c) + else: + adjusted[j] = c + + # Ensure strictly increasing cut values + for j in range(1, K + 1): + prev = adjusted[j - 1] + cur = adjusted[j] + if cur <= prev or math.isclose(cur, prev): + idx = bisect.bisect_right(um_list, prev) + adjusted[j] = float(um_list[idx]) if idx < len(um_list) else float(um_list[-1]) + + # Assign labels based on adjusted cut values + adj_list = adjusted + labels_list: List[int] = [] + for m in mags: + pos = bisect.bisect_right(adj_list, float(m)) - 1 + if pos < 0: + pos = 0 + if pos >= K: + pos = K - 1 + labels_list.append(int(pos)) + + return {node: label for node, label in zip(node_iterable, labels_list)} + + + +def spectrum(n, cmap="rainbow"): + base = cc.cm[cmap] + return [base(i / (n - 1)) for i in range(n)] + +class DecisionTableGraph: + def __init__(self,decision_table: DecisionTable, norm_func: Callable[[np.ndarray],np.ndarray] = euclidean_distances) -> None: + self.dt = decision_table + self.norm_func = norm_func + self.cmap = "bmy" + self.pos = None + + self.G = graph_from_dplist( + decision_points=[ + dp + for dp in self.dt.decision_points.values() + if dp.id != self.dt.outcome + ] + ) + # number of outcome labels + self.K = len(self.dt.decision_points[self.dt.outcome].values) + + def layout(self,redraw: bool = False) -> dict[Any, tuple[float, float]]: + """ + Compute or return cached layout for the graph. + Args: + redraw: If True, recompute the layout even if cached. + + Returns: + Dictionary mapping nodes to (x, y) positions. + """ + if self.pos is not None and not redraw: + return self.pos + # try graphviz layout first, fall back to deterministic layout + pos = layout_graphviz(self.G) + + if pos is not None: + self.pos = pos + return pos + + self.pos = layout_deterministic(self.G) + return self.pos + + def draw(self): + return draw_hasse(self.G) + + def labels(self): + return magnitude_quantile_labels_from_graph(self.G, K=self.K, norm_func=self.norm_func) + + def colorize(self): + # generate RGBA tuples from spectrum, then convert to hex strings for Graphviz/pygraphviz + raw_colors = spectrum(self.K, cmap=self.cmap) + color_list = [mcolors.to_hex(tuple(float(c) for c in col), keep_alpha=False) for col in raw_colors] + + for node, i in self.labels().items(): + self.G.nodes[node]["color"] = color_list[i] + + def draw(self, figsize: Tuple[int, int] = (24, 20)) -> plt.Axes: + return draw_hasse(self.G, figsize=figsize) + + def write_graph(self, filename: str, figsize: Tuple[int, int] = (24, 20)) -> None: + write_graph(filename, self.G, figsize=figsize) + +def main() -> None: + """Main entry: build graphs from decision tables, color nodes, draw and write outputs.""" + + from ssvc.decision_tables.aivss.execution_power import LATEST as DT_AIVSS + from ssvc.decision_tables.ssvc.deployer_dt import LATEST as DT_DEPLOYER + from ssvc.decision_tables.ssvc.coord_triage import LATEST as DT_COORD_TRIAGE + from ssvc.decision_tables.ssvc.supplier_dt import LATEST as DT_SUPPLIER + + for j,normfunc in enumerate([manhattan_distances, euclidean_distances, max_distances]): + for dt in [("aivss", DT_AIVSS), ("deployer", DT_DEPLOYER),("coord_triage", DT_COORD_TRIAGE), ("supplier", DT_SUPPLIER)]: + + + dtg = DecisionTableGraph(dt[1], normfunc) + dtg.norm_func = normfunc + dtg.colorize() + dtg.layout() + + G = dtg.G + # scale the graph to fit in the figure + # how many layers in the graph? + height = 0 + width = 0 + for l in nx.topological_generations(G): + height += 1 + width = max(width, len(list(l))) + figsize = (max(24, width * 3), max(20, height * 3)) + + dtg.write_graph(filename=f"hasse_vector_magnitude_quantiles_3_{dt[0]}_norm_{j+1}", figsize=figsize) + write_graph(f"hasse_vector_magnitude_quantiles_3_{dt[0]}_norm_{j+1}", G) + print(figsize) + print(f"{dt[0].upper()} color counts (norm {j+1}):", Counter([G.nodes[n]["color"] for n in G.nodes()])) + +if __name__ == "__main__": + main() diff --git a/uv.lock b/uv.lock index 039975c6..d7f68433 100644 --- a/uv.lock +++ b/uv.lock @@ -123,6 +123,7 @@ dependencies = [ { name = "networkx" }, { name = "pandas" }, { name = "pydantic" }, + { name = "pygraphviz" }, { name = "scikit-learn" }, { name = "scipy" }, { name = "semver" }, @@ -153,6 +154,7 @@ requires-dist = [ { name = "networkx", specifier = ">=3.4.2" }, { name = "pandas", specifier = ">=2.3.2" }, { name = "pydantic", specifier = ">=2.11.7" }, + { name = "pygraphviz", specifier = ">=1.14" }, { name = "scikit-learn", specifier = ">=1.6.1" }, { name = "scipy", specifier = ">=1.16.1" }, { name = "semver", specifier = ">=3.0.4" }, @@ -1116,6 +1118,12 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/e6/17/8306a0bcd8c88d7761c2e73e831b0be026cd6873ce1f12beb3b4c9a03ffa/pygments_ansi_color-0.3.0-py3-none-any.whl", hash = "sha256:7eb063feaecadad9d4d1fd3474cbfeadf3486b64f760a8f2a00fc25392180aba", size = 10242, upload-time = "2023-05-18T22:44:34.287Z" }, ] +[[package]] +name = "pygraphviz" +version = "1.14" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/66/ca/823d5c74a73d6b8b08e1f5aea12468ef334f0732c65cbb18df2a7f285c87/pygraphviz-1.14.tar.gz", hash = "sha256:c10df02377f4e39b00ae17c862f4ee7e5767317f1c6b2dfd04cea6acc7fc2bea", size = 106003, upload-time = "2024-09-29T18:31:12.471Z" } + [[package]] name = "pymdown-extensions" version = "10.16.1" From 573f3cf69c66a15b265589e2684b4d4d8a698f18 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Mon, 8 Dec 2025 11:10:51 -0500 Subject: [PATCH 10/23] Refactor graph labeling functions and improve layout algorithms in graph_labeling.py; add colorcet dependency --- pyproject.toml | 1 + src/ssvc/utils/graph_labeling.py | 354 ++++++++++++++++++++----------- src/ssvc/utils/toposort.py | 38 +++- uv.lock | 11 + 4 files changed, 275 insertions(+), 129 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 3ccac4eb..dc4d7ffb 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -49,6 +49,7 @@ dependencies = [ "semver>=3.0.4", "fastapi[all,standard]>=0.116.1", "pygraphviz>=1.14", + "colorcet>=3.1.0", ] dynamic = ["version",] diff --git a/src/ssvc/utils/graph_labeling.py b/src/ssvc/utils/graph_labeling.py index b753ae12..b8f24d69 100644 --- a/src/ssvc/utils/graph_labeling.py +++ b/src/ssvc/utils/graph_labeling.py @@ -22,62 +22,40 @@ import bisect import math +import sys from collections import Counter from functools import partial -from typing import Any, Callable, Dict, List, Optional, Tuple +from typing import Any, Callable, Dict, List, Tuple import colorcet as cc import matplotlib.colors as mcolors -import matplotlib.pyplot as plt import networkx as nx import numpy as np +from matplotlib import pyplot as plt from ssvc.decision_tables.base import DecisionTable from ssvc.utils.toposort import graph_from_dplist - -def draw_hasse( - G: nx.DiGraph, - ax: Optional[plt.Axes] = None, - use_graphviz: bool = True, - node_size: int = 500, - node_color_attr: str = "color", - figsize: Tuple[int, int] = (18, 16), -) -> plt.Axes: - """ - Draw a Hasse-like diagram for a DAG. Returns the axes containing the plot. - Per-node colors are read from node attribute `node_color_attr` when - `node_color` is None. - """ - if ax is None: - fig, ax = plt.subplots(figsize=figsize) - - pos: Optional[Dict[Any, Tuple[float, float]]] = None - - if use_graphviz: - pos = layout_graphviz(G) - - if pos is None: - pos = layout_deterministic(G) - - nx_node_color = [G.nodes[n].get(node_color_attr, "skyblue") for n in G.nodes()] - - nx.draw( - G, - pos=pos, - with_labels=True, - node_size=node_size, - node_color=nx_node_color, - edge_color="gray", - font_size=10, - ax=ax, - ) - ax.margins(0.2) - return ax +# define partial functions for different norms +l1_magnitudes: Callable[[np.ndarray], np.ndarray] = partial( + np.linalg.norm, ord=1, axis=1 +) +l2_magnitudes: Callable[[np.ndarray], np.ndarray] = partial( + np.linalg.norm, ord=2, axis=1 +) +linf_magnitudes: Callable[[np.ndarray], np.ndarray] = partial( + np.linalg.norm, ord=np.inf, axis=1 +) + +# convenience aliases +manhattan_distances = l1_magnitudes +euclidean_distances = l2_magnitudes +max_distances = linf_magnitudes -def layout_deterministic(G: nx.DiGraph) -> dict[Any, tuple[ - float, float]] | None: +def _layout_deterministic( + G: nx.DiGraph, +) -> dict[Any, tuple[float, float]] | None: # Deterministic level layout (longest distance from minimal nodes) min_nodes = [n for n in G.nodes if G.in_degree(n) == 0] or list(G.nodes) levels: Dict[Any, int] = {n: 0 for n in min_nodes} @@ -108,48 +86,35 @@ def layout_deterministic(G: nx.DiGraph) -> dict[Any, tuple[ return pos -def layout_graphviz(G: nx.DiGraph) -> dict[Any, tuple[float, float]] | None: +def _layout_graphviz(G: nx.DiGraph) -> dict[Any, tuple[float, float]] | None: pos = None try: from networkx.drawing.nx_agraph import graphviz_layout # type: ignore - pos = graphviz_layout(G, prog="dot", args="-Grankdir=BT") + pos = graphviz_layout( + G, + prog="dot", + args="-Grankdir=BT -Gcenter=true -Gnodesep=0.5 -Granksep=1.0", + ) except Exception: try: from networkx.drawing.nx_pydot import graphviz_layout # type: ignore - pos = graphviz_layout(G, prog="dot", args="-Grankdir=BT") + pos = graphviz_layout( + G, + prog="dot", + args="-Grankdir=BT -Gcenter=true -Gnodesep=0.5 -Granksep=1.0", + ) except Exception: pass return pos -def write_graph(filename: str, G: nx.DiGraph, figsize: Tuple[int, int] = (24, 20),svg:bool=False,png:bool=True) -> None: - """Render `G` and write PNG and SVG files named `filename`.png / .svg.""" - if not (png or svg): - raise ValueError("At least one of png or svg must be True") - - ax = draw_hasse(G, figsize=figsize) - - if png: - ax.figure.savefig(f"{filename}.png", dpi=300, bbox_inches="tight") - if svg: - ax.figure.savefig(f"{filename}.svg", bbox_inches="tight") - - plt.close(ax.figure) - -# define partial functions for different norms -l1_magnitudes: Callable[[np.ndarray], np.ndarray] = partial(np.linalg.norm, ord=1, axis=1) -l2_magnitudes: Callable[[np.ndarray], np.ndarray] = partial(np.linalg.norm, ord=2, axis=1) -linf_magnitudes: Callable[[np.ndarray], np.ndarray] = partial(np.linalg.norm, ord=np.inf, axis=1) - -manhattan_distances = l1_magnitudes -euclidean_distances = l2_magnitudes -max_distances = linf_magnitudes - -def normalize_columns(arr: np.ndarray[tuple[Any, ...], np.dtype[Any]]) -> np.ndarray[tuple[Any, ...], np.dtype[Any]]: +def _normalize_columns( + arr: np.ndarray[tuple[Any, ...], np.dtype[Any]], +) -> np.ndarray[tuple[Any, ...], np.dtype[Any]]: """Normalize each column of `arr` to the range [0, 1]. Args: @@ -163,7 +128,9 @@ def normalize_columns(arr: np.ndarray[tuple[Any, ...], np.dtype[Any]]) -> np.nda if np.any(maxs <= 0): # throw an error if maxs are not positive - raise ValueError("All columns must have a positive maximum value for normalization.") + raise ValueError( + "All columns must have a positive maximum value for normalization." + ) # we're just going to scale from 0 to max # so we can use min as 0 for all columns @@ -173,23 +140,23 @@ def normalize_columns(arr: np.ndarray[tuple[Any, ...], np.dtype[Any]]) -> np.nda nonzero = ranges != 0.0 if np.any(nonzero): - arr_norm[:, nonzero] = (arr[:, nonzero] - mins[nonzero]) / ranges[nonzero] + arr_norm[:, nonzero] = (arr[:, nonzero] - mins[nonzero]) / ranges[ + nonzero + ] return arr_norm -def magnitude_quantile_labels_from_graph( +def _magnitude_quantile_labels_from_graph( G: nx.DiGraph, K: int, - norm_func: Optional[Callable[[np.ndarray], np.ndarray]] = euclidean_distances, + norm_func: Callable[[np.ndarray], np.ndarray] = euclidean_distances, ) -> Dict[Any, int]: """ - More sophisticated magnitude-quantile labeling that normalizes per-dimension - then computes magnitudes and forms clump-safe quantile bins. - - This function now accepts a dependency (norm_func) that computes magnitudes - from the normalized array. For backward compatibility, a legacy `norm` - spec (string/number) is still accepted and mapped once to an appropriate - norm_func before use. + Assign labels to graph nodes based on quantiles of their vector magnitudes. + Args: + G: Input graph with nodes as integer tuples representing vectors. + K: Number of quantile-based labels to assign (must be >= 2). + norm_func: Function to compute vector magnitudes (default: Euclidean aka L2 norm). """ if K < 2: raise ValueError("K must be >= 2") @@ -199,6 +166,7 @@ def magnitude_quantile_labels_from_graph( raise ValueError("Graph has no nodes") node_vectors: List[Tuple[int, ...]] = [] + for n in node_iterable: vec = n node_vectors.append(tuple(int(x) for x in vec)) @@ -211,14 +179,16 @@ def magnitude_quantile_labels_from_graph( # normalize per-dimension to [0,1] arr = np.array(node_vectors, dtype=float) - arr_norm = normalize_columns(arr) + arr_norm = _normalize_columns(arr) # Compute magnitudes by calling dependency mags = norm_func(arr_norm) + # here is where we start the quantile labeling unique_mags = np.unique(mags) um_list = unique_mags.tolist() + # Compute raw quantile cut values probs = [i / K for i in range(K + 1)] try: raw_cuts = np.quantile(mags, probs, method="linear") @@ -227,10 +197,16 @@ def magnitude_quantile_labels_from_graph( def first_strictly_greater(val: float) -> float: idx = bisect.bisect_right(um_list, val) - return float(um_list[idx]) if idx < len(um_list) else float(um_list[-1]) + return ( + float(um_list[idx]) if idx < len(um_list) else float(um_list[-1]) + ) + # create adjusted cut values adjusted: List[float] = [0.0] * (K + 1) + # the min and max cuts are fixed + # lowest cut is min magnitude adjusted[0] = float(um_list[0]) + # highest cut is max magnitude adjusted[-1] = float(um_list[-1]) # Adjust cut values to avoid clumps @@ -247,7 +223,11 @@ def first_strictly_greater(val: float) -> float: cur = adjusted[j] if cur <= prev or math.isclose(cur, prev): idx = bisect.bisect_right(um_list, prev) - adjusted[j] = float(um_list[idx]) if idx < len(um_list) else float(um_list[-1]) + adjusted[j] = ( + float(um_list[idx]) + if idx < len(um_list) + else float(um_list[-1]) + ) # Assign labels based on adjusted cut values adj_list = adjusted @@ -263,17 +243,33 @@ def first_strictly_greater(val: float) -> float: return {node: label for node, label in zip(node_iterable, labels_list)} +def _spectrum(n, cmap="rainbow") -> List[Tuple[float, float, float, float]]: + """ + Generate a spectrum of `n` colors from the specified colormap. + Args: + n: Number of colors to generate. + cmap: Colormap name (default: "rainbow"). -def spectrum(n, cmap="rainbow"): + Returns: + List of RGBA tuples representing the colors. + """ base = cc.cm[cmap] - return [base(i / (n - 1)) for i in range(n)] + _float_colors = [base(i / (n - 1)) for i in range(n)] + + return _float_colors + class DecisionTableGraph: - def __init__(self,decision_table: DecisionTable, norm_func: Callable[[np.ndarray],np.ndarray] = euclidean_distances) -> None: + def __init__( + self, + decision_table: DecisionTable, + norm_func: Callable[[np.ndarray], np.ndarray] = euclidean_distances, + ) -> None: self.dt = decision_table self.norm_func = norm_func self.cmap = "bmy" self.pos = None + self._labels: Dict[Any, int] | None = None self.G = graph_from_dplist( decision_points=[ @@ -285,7 +281,7 @@ def __init__(self,decision_table: DecisionTable, norm_func: Callable[[np.ndarray # number of outcome labels self.K = len(self.dt.decision_points[self.dt.outcome].values) - def layout(self,redraw: bool = False) -> dict[Any, tuple[float, float]]: + def layout(self, redraw: bool = False) -> dict[Any, tuple[float, float]]: """ Compute or return cached layout for the graph. Args: @@ -296,67 +292,181 @@ def layout(self,redraw: bool = False) -> dict[Any, tuple[float, float]]: """ if self.pos is not None and not redraw: return self.pos + # try graphviz layout first, fall back to deterministic layout - pos = layout_graphviz(self.G) + pos = _layout_graphviz(self.G) if pos is not None: self.pos = pos return pos - self.pos = layout_deterministic(self.G) + self.pos = _layout_deterministic(self.G) return self.pos - def draw(self): - return draw_hasse(self.G) + def mapping_to_int_labels(self) -> Dict[Tuple[int, ...], int]: + return dt_mapping_to_int_labels(self.dt) - def labels(self): - return magnitude_quantile_labels_from_graph(self.G, K=self.K, norm_func=self.norm_func) + def labels(self) -> Dict[Any, int]: + if self._labels is not None: + return self._labels + + self._labels = _magnitude_quantile_labels_from_graph( + self.G, K=self.K, norm_func=self.norm_func + ) + return self._labels def colorize(self): # generate RGBA tuples from spectrum, then convert to hex strings for Graphviz/pygraphviz - raw_colors = spectrum(self.K, cmap=self.cmap) - color_list = [mcolors.to_hex(tuple(float(c) for c in col), keep_alpha=False) for col in raw_colors] + raw_colors = _spectrum(self.K, cmap=self.cmap) + color_list = [ + mcolors.to_hex(tuple(float(c) for c in col), keep_alpha=False) + for col in raw_colors + ] for node, i in self.labels().items(): self.G.nodes[node]["color"] = color_list[i] def draw(self, figsize: Tuple[int, int] = (24, 20)) -> plt.Axes: - return draw_hasse(self.G, figsize=figsize) + fig, ax = plt.subplots(figsize=figsize) + + if self.pos is None: + self.layout() + + pos = self.pos + + nx_node_color = [ + self.G.nodes[n].get("color", "skyblue") for n in self.G.nodes() + ] + nx.draw( + self.G, + pos=pos, + with_labels=True, + node_size=500, + node_color=nx_node_color, + edge_color="gray", + font_size=10, + ax=ax, + ) + ax.margins(0.01) + return ax + + def _compute_figsize(self) -> Tuple[int, int]: + """ + Compute an appropriate figure size based on the graph's topology. + + Returns: + Tuple of (width, height) for the figure size. + """ + height = 0 + width = 0 + scale_factor = 2 + for l in nx.topological_generations(self.G): + height += 1 + width = max(width, len(list(l))) + figsize = ( + max(24, width * scale_factor), + max(20, height * scale_factor), + ) + print(figsize) + return figsize + + def write_graph( + self, filename: str, png: bool = True, svg: bool = False + ) -> None: + if not (png or svg): + raise ValueError("At least one of png or svg must be True") + + # scale the graph to fit in the figure + # how many layers in the graph? + + ax = self.draw(figsize=self._compute_figsize()) + + if png: + ax.figure.savefig(f"{filename}.png", dpi=300, bbox_inches="tight") + if svg: + ax.figure.savefig(f"{filename}.svg", bbox_inches="tight") + + plt.close(ax.figure) + + +def dt_mapping_to_int_labels( + dt: DecisionTable, +) -> Dict[Tuple[int, ...], int]: + """ + Create a mapping from decision table outcome vectors to integer labels. + Args: + dt: Decision table to create mapping for. + Returns: + Dictionary mapping outcome vectors (as tuples) to integer labels. + """ + # construct a translator + dp_values_to_int = {} + for dp in dt.decision_points.values(): + if dp.id not in dp_values_to_int: + dp_values_to_int[dp.id] = {} + + for i, value in enumerate(dp.values): + dp_values_to_int[dp.id][value.key] = i + + int_mapping = {} + for row in dt.mapping: + # a row is a dict of decision point id to Value eg + # {'x_org.owasp#aivss:AA:1.0.0': 'F', + # 'x_org.owasp#aivss:TU:1.0.0': 'A', + # 'x_org.owasp#aivss:SM:1.1.0': 'M', + # 'x_org.owasp#aivss:GDP:1.0.0': 'A', + # 'x_org.owasp#aivss:EP:1.0.0': 'H'}, + for k, v in row.items(): + vector = [] + if k == dt.outcome: + outcome_value = dp_values_to_int[k][v] + else: + vector.append(dp_values_to_int[k][v]) + int_mapping[tuple(vector)] = outcome_value + + return int_mapping - def write_graph(self, filename: str, figsize: Tuple[int, int] = (24, 20)) -> None: - write_graph(filename, self.G, figsize=figsize) def main() -> None: """Main entry: build graphs from decision tables, color nodes, draw and write outputs.""" from ssvc.decision_tables.aivss.execution_power import LATEST as DT_AIVSS from ssvc.decision_tables.ssvc.deployer_dt import LATEST as DT_DEPLOYER - from ssvc.decision_tables.ssvc.coord_triage import LATEST as DT_COORD_TRIAGE + from ssvc.decision_tables.ssvc.coord_triage import ( + LATEST as DT_COORD_TRIAGE, + ) from ssvc.decision_tables.ssvc.supplier_dt import LATEST as DT_SUPPLIER - - for j,normfunc in enumerate([manhattan_distances, euclidean_distances, max_distances]): - for dt in [("aivss", DT_AIVSS), ("deployer", DT_DEPLOYER),("coord_triage", DT_COORD_TRIAGE), ("supplier", DT_SUPPLIER)]: - - - dtg = DecisionTableGraph(dt[1], normfunc) - dtg.norm_func = normfunc - dtg.colorize() + from ssvc.decision_tables.cvss.equivalence_set_six import LATEST as DT_SIX + + print(dt_mapping_to_int_labels(DT_AIVSS)) + + sys.exit() + + for dt in [ + ("aivss", DT_AIVSS), + ("deployer", DT_DEPLOYER), + ("coord_triage", DT_COORD_TRIAGE), + ("supplier", DT_SUPPLIER), + ("cvss_equivalence_set_six", DT_SIX), + ]: + dtg_orig = DecisionTableGraph(dt[1]) + dtg_orig.layout() + + for j, normfunc in enumerate( + [manhattan_distances, euclidean_distances, max_distances] + ): + dtg = DecisionTableGraph(dt[1], norm_func=normfunc) dtg.layout() - + dtg.colorize() + dtg.write_graph( + filename=f"hasse_vector_magnitude_quantiles_3_{dt[0]}_norm_{j+1}" + ) G = dtg.G - # scale the graph to fit in the figure - # how many layers in the graph? - height = 0 - width = 0 - for l in nx.topological_generations(G): - height += 1 - width = max(width, len(list(l))) - figsize = (max(24, width * 3), max(20, height * 3)) - - dtg.write_graph(filename=f"hasse_vector_magnitude_quantiles_3_{dt[0]}_norm_{j+1}", figsize=figsize) - write_graph(f"hasse_vector_magnitude_quantiles_3_{dt[0]}_norm_{j+1}", G) - print(figsize) - print(f"{dt[0].upper()} color counts (norm {j+1}):", Counter([G.nodes[n]["color"] for n in G.nodes()])) + print( + f"{dt[0].upper()} color counts (norm {j+1}):", + Counter([G.nodes[n]["color"] for n in G.nodes()]), + ) + if __name__ == "__main__": main() diff --git a/src/ssvc/utils/toposort.py b/src/ssvc/utils/toposort.py index 8bafe787..a87b4756 100644 --- a/src/ssvc/utils/toposort.py +++ b/src/ssvc/utils/toposort.py @@ -88,10 +88,21 @@ def dplist_to_lookup(decision_points: list[DecisionPoint]) -> dict[int, str]: def lookup_value( t: tuple[int, ...], lookup: list[dict[int, str]] ) -> tuple[str, ...]: - # given - # t = (0, 0, 0) - # lookup = [{0: 'V', 1: 'R', 2: 'S', 3: 'HS'}, {0: 'H', 1: 'S', 2: 'B', 3: 'N'}, {0: 'F', 1: 'R', 2: 'B', 3: 'N'}] - # return (V,H,F + """ + Converts a tuple of indices to a tuple of values using the provided lookup. + Args: + t: The tuple of indices. + lookup: A list of dictionaries mapping indices to values for each position. + + Returns: + A tuple of values corresponding to the indices in t. + + Examples: + # given + t = (0, 0, 0) + lookup = [{0: 'V', 1: 'R', 2: 'S', 3: 'HS'}, {0: 'H', 1: 'S', 2: 'B', 3: 'N'}, {0: 'F', 1: 'R', 2: 'B', 3: 'N'}] + # return (V,H,F) + """ l = [lookup[i][t[i]] for i in range(len(t))] return tuple(l) @@ -99,9 +110,22 @@ def lookup_value( def tuple_to_dict( t: tuple[str, ...], lookup: dict[int, str] ) -> dict[str, str]: - # given - # t = ('V', 'H', 'F') - # return {'ER': 'V', 'GM': 'H', 'RC': 'F'} + """ + Converts a tuple of values to a dictionary using the provided lookup. + + Args: + t: The tuple of values. + lookup: A dictionary mapping indices to keys. + + Returns: + A dictionary mapping keys to values from the tuple. + + Examples: + # given + t = ('V', 'H', 'F') + lookup = {0: 'ER', 1: 'GM', 2: 'RC'} + # return {'ER': 'V', 'GM': 'H', 'RC': 'F'} + """ return {lookup[i]: t[i] for i in range(len(t))} diff --git a/uv.lock b/uv.lock index d7f68433..e689dd24 100644 --- a/uv.lock +++ b/uv.lock @@ -108,6 +108,7 @@ wheels = [ name = "certcc-ssvc" source = { editable = "." } dependencies = [ + { name = "colorcet" }, { name = "fastapi", extra = ["all", "standard"] }, { name = "jsonschema" }, { name = "markdown-exec", extra = ["ansi"] }, @@ -139,6 +140,7 @@ dev = [ [package.metadata] requires-dist = [ + { name = "colorcet", specifier = ">=3.1.0" }, { name = "fastapi", extras = ["all", "standard"], specifier = ">=0.116.1" }, { name = "jsonschema", specifier = ">=4.25.1" }, { name = "markdown-exec", extras = ["ansi"], specifier = ">=1.11.0" }, @@ -240,6 +242,15 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/d1/d6/3965ed04c63042e047cb6a3e6ed1a63a35087b6a609aa3a15ed8ac56c221/colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6", size = 25335, upload-time = "2022-10-25T02:36:20.889Z" }, ] +[[package]] +name = "colorcet" +version = "3.1.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/5f/c3/ae78e10b7139d6b7ce080d2e81d822715763336aa4229720f49cb3b3e15b/colorcet-3.1.0.tar.gz", hash = "sha256:2921b3cd81a2288aaf2d63dbc0ce3c26dcd882e8c389cc505d6886bf7aa9a4eb", size = 2183107, upload-time = "2024-02-29T19:15:42.976Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c6/c6/9963d588cc3d75d766c819e0377a168ef83cf3316a92769971527a1ad1de/colorcet-3.1.0-py3-none-any.whl", hash = "sha256:2a7d59cc8d0f7938eeedd08aad3152b5319b4ba3bcb7a612398cc17a384cb296", size = 260286, upload-time = "2024-02-29T19:15:40.494Z" }, +] + [[package]] name = "dnspython" version = "2.8.0" From 15c2038b7441fb1766ece0cfbc02eabcb54a59b5 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Mon, 8 Dec 2025 15:57:22 -0500 Subject: [PATCH 11/23] Add Graphviz installation step in GitHub Actions workflow --- .github/workflows/python-app.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml index 03c2950b..07f68a57 100644 --- a/.github/workflows/python-app.yml +++ b/.github/workflows/python-app.yml @@ -21,6 +21,10 @@ jobs: - uses: actions/checkout@v5 with: fetch-tags: true + - name: Install Graphviz system deps + run: | + sudo apt-get update + sudo apt-get install -y graphviz graphviz-dev - name: Set up Python 3.12 uses: actions/setup-python@v6 with: From bb71c4ded4e22cd4d219f4107eb9dd3fd8c3133f Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Wed, 10 Dec 2025 12:22:07 -0500 Subject: [PATCH 12/23] add "aivss" as a recognized namespace --- data/csv/aivss/agentic_impact_level_1_0_0.csv | 28 + data/csv/aivss/aivss_decision_table_1_0_0.csv | 28 + data/csv/aivss/execution_power_1_0_0.csv | 82 + .../predictability_and_influence_1_0_0.csv | 82 + .../agentic_impact_level_1_0_0.json | 2 +- .../autonomy_of_action_1_0_0.json | 2 +- .../contextual_awareness_1_0_0.json | 2 +- .../deceptiveness_potential_1_0_0.json | 2 +- .../dynamic_identity_1_0_0.json | 2 +- .../environment_adaptation_1_0_0.json | 2 +- .../execution_power_1_0_0.json | 2 +- .../goal_driven_planning_1_0_0.json | 2 +- .../memory_use_1_0_0.json | 2 +- .../multi_agent_interactions_1_0_0.json | 2 +- .../non_determinism_1_0_0.json | 2 +- .../opacity_reflexivity_1_0_0.json | 2 +- .../predictability_and_influence_1_0_0.json | 2 +- .../self_modification_1_0_0.json | 2 +- .../self_modification_1_1_0.json | 2 +- .../systemic_impact_1_0_0.json | 2 +- .../tool_use_1_0_0.json | 2 +- .../verification_capability_1_0_0.json | 2 +- .../agentic_impact_level_1_0_0.json | 236 +- .../aivss_decision_table_1_0_0.json | 118 +- .../aivss/execution_power_1_0_0.json | 705 ++++++ .../predictability_and_influence_1_0_0.json | 705 ++++++ .../execution_power_1_0_0.json | 705 ------ .../predictability_and_influence_1_0_0.json | 705 ------ data/json/ssvc_object_registry.json | 2066 ++++++++--------- src/ssvc/decision_points/aivss/base.py | 3 +- .../decision_tables/aivss/agentic_impact.py | 216 +- src/ssvc/decision_tables/aivss/aivss.py | 108 +- .../decision_tables/aivss/env_adaptation.py | 810 +++---- .../decision_tables/aivss/execution_power.py | 810 +++---- .../aivss/predictability_influence.py | 810 +++---- src/ssvc/namespaces.py | 1 + src/ssvc/utils/graph_labeling.py | 10 +- 37 files changed, 4243 insertions(+), 4021 deletions(-) create mode 100644 data/csv/aivss/agentic_impact_level_1_0_0.csv create mode 100644 data/csv/aivss/aivss_decision_table_1_0_0.csv create mode 100644 data/csv/aivss/execution_power_1_0_0.csv create mode 100644 data/csv/aivss/predictability_and_influence_1_0_0.csv rename data/json/decision_points/{x_org_owasp_aivss => aivss}/agentic_impact_level_1_0_0.json (96%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/autonomy_of_action_1_0_0.json (94%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/contextual_awareness_1_0_0.json (94%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/deceptiveness_potential_1_0_0.json (94%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/dynamic_identity_1_0_0.json (94%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/environment_adaptation_1_0_0.json (96%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/execution_power_1_0_0.json (96%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/goal_driven_planning_1_0_0.json (95%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/memory_use_1_0_0.json (94%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/multi_agent_interactions_1_0_0.json (94%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/non_determinism_1_0_0.json (93%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/opacity_reflexivity_1_0_0.json (94%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/predictability_and_influence_1_0_0.json (96%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/self_modification_1_0_0.json (93%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/self_modification_1_1_0.json (95%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/systemic_impact_1_0_0.json (96%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/tool_use_1_0_0.json (95%) rename data/json/decision_points/{x_org_owasp_aivss => aivss}/verification_capability_1_0_0.json (94%) rename data/json/decision_tables/{x_org_owasp_aivss => aivss}/agentic_impact_level_1_0_0.json (51%) rename data/json/decision_tables/{x_org_owasp_aivss => aivss}/aivss_decision_table_1_0_0.json (71%) create mode 100644 data/json/decision_tables/aivss/execution_power_1_0_0.json create mode 100644 data/json/decision_tables/aivss/predictability_and_influence_1_0_0.json delete mode 100644 data/json/decision_tables/x_org_owasp_aivss/execution_power_1_0_0.json delete mode 100644 data/json/decision_tables/x_org_owasp_aivss/predictability_and_influence_1_0_0.json diff --git a/data/csv/aivss/agentic_impact_level_1_0_0.csv b/data/csv/aivss/agentic_impact_level_1_0_0.csv new file mode 100644 index 00000000..c47641b7 --- /dev/null +++ b/data/csv/aivss/agentic_impact_level_1_0_0.csv @@ -0,0 +1,28 @@ +row,Execution Power v1.0.0 (aivss),Environment & Adaptation v1.0.0 (aivss),Predictability and Influence v1.0.0 (aivss),Agentic Impact Level v1.0.0 (aivss) +0,constrained,isolated,verifiable,copilot +1,constrained,isolated,uncertain,copilot +2,constrained,isolated,opaque,specialist +3,constrained,connected,verifiable,copilot +4,constrained,connected,uncertain,specialist +5,constrained,connected,opaque,specialist +6,constrained,pervasive,verifiable,specialist +7,constrained,pervasive,uncertain,specialist +8,constrained,pervasive,opaque,prime mover +9,capable,isolated,verifiable,copilot +10,capable,isolated,uncertain,specialist +11,capable,isolated,opaque,specialist +12,capable,connected,verifiable,specialist +13,capable,connected,uncertain,specialist +14,capable,connected,opaque,specialist +15,capable,pervasive,verifiable,specialist +16,capable,pervasive,uncertain,specialist +17,capable,pervasive,opaque,prime mover +18,high leverage,isolated,verifiable,specialist +19,high leverage,isolated,uncertain,specialist +20,high leverage,isolated,opaque,prime mover +21,high leverage,connected,verifiable,specialist +22,high leverage,connected,uncertain,specialist +23,high leverage,connected,opaque,prime mover +24,high leverage,pervasive,verifiable,prime mover +25,high leverage,pervasive,uncertain,prime mover +26,high leverage,pervasive,opaque,prime mover diff --git a/data/csv/aivss/aivss_decision_table_1_0_0.csv b/data/csv/aivss/aivss_decision_table_1_0_0.csv new file mode 100644 index 00000000..948e5b0e --- /dev/null +++ b/data/csv/aivss/aivss_decision_table_1_0_0.csv @@ -0,0 +1,28 @@ +row,Exploitation v1.1.0,Agentic Impact Level v1.0.0 (aivss),Systemic Impact v1.0.0 (aivss),"Defer, Scheduled, Out-of-Cycle, Immediate v1.0.0" +0,none,copilot,contained,defer +1,none,copilot,significant,scheduled +2,none,copilot,critical,out-of-cycle +3,none,specialist,contained,scheduled +4,none,specialist,significant,scheduled +5,none,specialist,critical,out-of-cycle +6,none,prime mover,contained,scheduled +7,none,prime mover,significant,out-of-cycle +8,none,prime mover,critical,immediate +9,public poc,copilot,contained,scheduled +10,public poc,copilot,significant,scheduled +11,public poc,copilot,critical,out-of-cycle +12,public poc,specialist,contained,scheduled +13,public poc,specialist,significant,out-of-cycle +14,public poc,specialist,critical,out-of-cycle +15,public poc,prime mover,contained,out-of-cycle +16,public poc,prime mover,significant,out-of-cycle +17,public poc,prime mover,critical,immediate +18,active,copilot,contained,out-of-cycle +19,active,copilot,significant,out-of-cycle +20,active,copilot,critical,immediate +21,active,specialist,contained,out-of-cycle +22,active,specialist,significant,immediate +23,active,specialist,critical,immediate +24,active,prime mover,contained,immediate +25,active,prime mover,significant,immediate +26,active,prime mover,critical,immediate diff --git a/data/csv/aivss/execution_power_1_0_0.csv b/data/csv/aivss/execution_power_1_0_0.csv new file mode 100644 index 00000000..23235a79 --- /dev/null +++ b/data/csv/aivss/execution_power_1_0_0.csv @@ -0,0 +1,82 @@ +row,Autonomy of Action v1.0.0 (aivss),Tool Use v1.0.0 (aivss),Self-Modification v1.1.0 (aivss),Goal-Driven Planning v1.0.0 (aivss),Execution Power v1.0.0 (aivss) +0,gated,viewer,fixed,reactive,constrained +1,gated,viewer,fixed,assisted,constrained +2,gated,viewer,fixed,autonomous,capable +3,gated,viewer,tunable,reactive,constrained +4,gated,viewer,tunable,assisted,constrained +5,gated,viewer,tunable,autonomous,capable +6,gated,viewer,mutable,reactive,capable +7,gated,viewer,mutable,assisted,capable +8,gated,viewer,mutable,autonomous,high leverage +9,gated,operator,fixed,reactive,constrained +10,gated,operator,fixed,assisted,constrained +11,gated,operator,fixed,autonomous,capable +12,gated,operator,tunable,reactive,constrained +13,gated,operator,tunable,assisted,capable +14,gated,operator,tunable,autonomous,capable +15,gated,operator,mutable,reactive,capable +16,gated,operator,mutable,assisted,capable +17,gated,operator,mutable,autonomous,high leverage +18,gated,administrator,fixed,reactive,capable +19,gated,administrator,fixed,assisted,capable +20,gated,administrator,fixed,autonomous,high leverage +21,gated,administrator,tunable,reactive,capable +22,gated,administrator,tunable,assisted,capable +23,gated,administrator,tunable,autonomous,high leverage +24,gated,administrator,mutable,reactive,high leverage +25,gated,administrator,mutable,assisted,high leverage +26,gated,administrator,mutable,autonomous,high leverage +27,scoped,viewer,fixed,reactive,constrained +28,scoped,viewer,fixed,assisted,constrained +29,scoped,viewer,fixed,autonomous,capable +30,scoped,viewer,tunable,reactive,constrained +31,scoped,viewer,tunable,assisted,capable +32,scoped,viewer,tunable,autonomous,capable +33,scoped,viewer,mutable,reactive,capable +34,scoped,viewer,mutable,assisted,capable +35,scoped,viewer,mutable,autonomous,high leverage +36,scoped,operator,fixed,reactive,constrained +37,scoped,operator,fixed,assisted,capable +38,scoped,operator,fixed,autonomous,capable +39,scoped,operator,tunable,reactive,capable +40,scoped,operator,tunable,assisted,capable +41,scoped,operator,tunable,autonomous,capable +42,scoped,operator,mutable,reactive,capable +43,scoped,operator,mutable,assisted,capable +44,scoped,operator,mutable,autonomous,high leverage +45,scoped,administrator,fixed,reactive,capable +46,scoped,administrator,fixed,assisted,capable +47,scoped,administrator,fixed,autonomous,high leverage +48,scoped,administrator,tunable,reactive,capable +49,scoped,administrator,tunable,assisted,capable +50,scoped,administrator,tunable,autonomous,high leverage +51,scoped,administrator,mutable,reactive,high leverage +52,scoped,administrator,mutable,assisted,high leverage +53,scoped,administrator,mutable,autonomous,high leverage +54,free-running,viewer,fixed,reactive,capable +55,free-running,viewer,fixed,assisted,capable +56,free-running,viewer,fixed,autonomous,high leverage +57,free-running,viewer,tunable,reactive,capable +58,free-running,viewer,tunable,assisted,capable +59,free-running,viewer,tunable,autonomous,high leverage +60,free-running,viewer,mutable,reactive,high leverage +61,free-running,viewer,mutable,assisted,high leverage +62,free-running,viewer,mutable,autonomous,high leverage +63,free-running,operator,fixed,reactive,capable +64,free-running,operator,fixed,assisted,capable +65,free-running,operator,fixed,autonomous,high leverage +66,free-running,operator,tunable,reactive,capable +67,free-running,operator,tunable,assisted,capable +68,free-running,operator,tunable,autonomous,high leverage +69,free-running,operator,mutable,reactive,high leverage +70,free-running,operator,mutable,assisted,high leverage +71,free-running,operator,mutable,autonomous,high leverage +72,free-running,administrator,fixed,reactive,high leverage +73,free-running,administrator,fixed,assisted,high leverage +74,free-running,administrator,fixed,autonomous,high leverage +75,free-running,administrator,tunable,reactive,high leverage +76,free-running,administrator,tunable,assisted,high leverage +77,free-running,administrator,tunable,autonomous,high leverage +78,free-running,administrator,mutable,reactive,high leverage +79,free-running,administrator,mutable,assisted,high leverage +80,free-running,administrator,mutable,autonomous,high leverage diff --git a/data/csv/aivss/predictability_and_influence_1_0_0.csv b/data/csv/aivss/predictability_and_influence_1_0_0.csv new file mode 100644 index 00000000..fc4b022f --- /dev/null +++ b/data/csv/aivss/predictability_and_influence_1_0_0.csv @@ -0,0 +1,82 @@ +row,Non-Determinism v1.0.0 (aivss),Opacity & Reflexivity v1.0.0 (aivss),Verification Capability v1.0.0 (aivss),Deceptiveness Potential v1.0.0 (aivss),Predictability and Influence v1.0.0 (aivss) +0,deterministic,transparent,provable,plain,verifiable +1,deterministic,transparent,provable,fluent,verifiable +2,deterministic,transparent,provable,persuasive,uncertain +3,deterministic,transparent,key invariants verifiable,plain,verifiable +4,deterministic,transparent,key invariants verifiable,fluent,uncertain +5,deterministic,transparent,key invariants verifiable,persuasive,uncertain +6,deterministic,transparent,unverifiable,plain,uncertain +7,deterministic,transparent,unverifiable,fluent,uncertain +8,deterministic,transparent,unverifiable,persuasive,opaque +9,deterministic,fragmented,provable,plain,verifiable +10,deterministic,fragmented,provable,fluent,uncertain +11,deterministic,fragmented,provable,persuasive,uncertain +12,deterministic,fragmented,key invariants verifiable,plain,uncertain +13,deterministic,fragmented,key invariants verifiable,fluent,uncertain +14,deterministic,fragmented,key invariants verifiable,persuasive,uncertain +15,deterministic,fragmented,unverifiable,plain,uncertain +16,deterministic,fragmented,unverifiable,fluent,uncertain +17,deterministic,fragmented,unverifiable,persuasive,opaque +18,deterministic,opaque,provable,plain,uncertain +19,deterministic,opaque,provable,fluent,uncertain +20,deterministic,opaque,provable,persuasive,opaque +21,deterministic,opaque,key invariants verifiable,plain,uncertain +22,deterministic,opaque,key invariants verifiable,fluent,uncertain +23,deterministic,opaque,key invariants verifiable,persuasive,opaque +24,deterministic,opaque,unverifiable,plain,opaque +25,deterministic,opaque,unverifiable,fluent,opaque +26,deterministic,opaque,unverifiable,persuasive,opaque +27,bounded,transparent,provable,plain,verifiable +28,bounded,transparent,provable,fluent,uncertain +29,bounded,transparent,provable,persuasive,uncertain +30,bounded,transparent,key invariants verifiable,plain,uncertain +31,bounded,transparent,key invariants verifiable,fluent,uncertain +32,bounded,transparent,key invariants verifiable,persuasive,uncertain +33,bounded,transparent,unverifiable,plain,uncertain +34,bounded,transparent,unverifiable,fluent,uncertain +35,bounded,transparent,unverifiable,persuasive,opaque +36,bounded,fragmented,provable,plain,uncertain +37,bounded,fragmented,provable,fluent,uncertain +38,bounded,fragmented,provable,persuasive,uncertain +39,bounded,fragmented,key invariants verifiable,plain,uncertain +40,bounded,fragmented,key invariants verifiable,fluent,uncertain +41,bounded,fragmented,key invariants verifiable,persuasive,uncertain +42,bounded,fragmented,unverifiable,plain,uncertain +43,bounded,fragmented,unverifiable,fluent,uncertain +44,bounded,fragmented,unverifiable,persuasive,opaque +45,bounded,opaque,provable,plain,uncertain +46,bounded,opaque,provable,fluent,uncertain +47,bounded,opaque,provable,persuasive,opaque +48,bounded,opaque,key invariants verifiable,plain,uncertain +49,bounded,opaque,key invariants verifiable,fluent,uncertain +50,bounded,opaque,key invariants verifiable,persuasive,opaque +51,bounded,opaque,unverifiable,plain,opaque +52,bounded,opaque,unverifiable,fluent,opaque +53,bounded,opaque,unverifiable,persuasive,opaque +54,high-variance,transparent,provable,plain,uncertain +55,high-variance,transparent,provable,fluent,uncertain +56,high-variance,transparent,provable,persuasive,opaque +57,high-variance,transparent,key invariants verifiable,plain,uncertain +58,high-variance,transparent,key invariants verifiable,fluent,uncertain +59,high-variance,transparent,key invariants verifiable,persuasive,opaque +60,high-variance,transparent,unverifiable,plain,opaque +61,high-variance,transparent,unverifiable,fluent,opaque +62,high-variance,transparent,unverifiable,persuasive,opaque +63,high-variance,fragmented,provable,plain,uncertain +64,high-variance,fragmented,provable,fluent,uncertain +65,high-variance,fragmented,provable,persuasive,opaque +66,high-variance,fragmented,key invariants verifiable,plain,uncertain +67,high-variance,fragmented,key invariants verifiable,fluent,uncertain +68,high-variance,fragmented,key invariants verifiable,persuasive,opaque +69,high-variance,fragmented,unverifiable,plain,opaque +70,high-variance,fragmented,unverifiable,fluent,opaque +71,high-variance,fragmented,unverifiable,persuasive,opaque +72,high-variance,opaque,provable,plain,opaque +73,high-variance,opaque,provable,fluent,opaque +74,high-variance,opaque,provable,persuasive,opaque +75,high-variance,opaque,key invariants verifiable,plain,opaque +76,high-variance,opaque,key invariants verifiable,fluent,opaque +77,high-variance,opaque,key invariants verifiable,persuasive,opaque +78,high-variance,opaque,unverifiable,plain,opaque +79,high-variance,opaque,unverifiable,fluent,opaque +80,high-variance,opaque,unverifiable,persuasive,opaque diff --git a/data/json/decision_points/x_org_owasp_aivss/agentic_impact_level_1_0_0.json b/data/json/decision_points/aivss/agentic_impact_level_1_0_0.json similarity index 96% rename from data/json/decision_points/x_org_owasp_aivss/agentic_impact_level_1_0_0.json rename to data/json/decision_points/aivss/agentic_impact_level_1_0_0.json index 6c8d57a1..2039f4c6 100644 --- a/data/json/decision_points/x_org_owasp_aivss/agentic_impact_level_1_0_0.json +++ b/data/json/decision_points/aivss/agentic_impact_level_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "AIL", "version": "1.0.0", "name": "Agentic Impact Level", diff --git a/data/json/decision_points/x_org_owasp_aivss/autonomy_of_action_1_0_0.json b/data/json/decision_points/aivss/autonomy_of_action_1_0_0.json similarity index 94% rename from data/json/decision_points/x_org_owasp_aivss/autonomy_of_action_1_0_0.json rename to data/json/decision_points/aivss/autonomy_of_action_1_0_0.json index 30f135a1..840d43f1 100644 --- a/data/json/decision_points/x_org_owasp_aivss/autonomy_of_action_1_0_0.json +++ b/data/json/decision_points/aivss/autonomy_of_action_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "AA", "version": "1.0.0", "name": "Autonomy of Action", diff --git a/data/json/decision_points/x_org_owasp_aivss/contextual_awareness_1_0_0.json b/data/json/decision_points/aivss/contextual_awareness_1_0_0.json similarity index 94% rename from data/json/decision_points/x_org_owasp_aivss/contextual_awareness_1_0_0.json rename to data/json/decision_points/aivss/contextual_awareness_1_0_0.json index 83b9cfbf..65a5140f 100644 --- a/data/json/decision_points/x_org_owasp_aivss/contextual_awareness_1_0_0.json +++ b/data/json/decision_points/aivss/contextual_awareness_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "CA", "version": "1.0.0", "name": "Contextual Awareness", diff --git a/data/json/decision_points/x_org_owasp_aivss/deceptiveness_potential_1_0_0.json b/data/json/decision_points/aivss/deceptiveness_potential_1_0_0.json similarity index 94% rename from data/json/decision_points/x_org_owasp_aivss/deceptiveness_potential_1_0_0.json rename to data/json/decision_points/aivss/deceptiveness_potential_1_0_0.json index ccfe01e3..8e8f1c4b 100644 --- a/data/json/decision_points/x_org_owasp_aivss/deceptiveness_potential_1_0_0.json +++ b/data/json/decision_points/aivss/deceptiveness_potential_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "DP", "version": "1.0.0", "name": "Deceptiveness Potential", diff --git a/data/json/decision_points/x_org_owasp_aivss/dynamic_identity_1_0_0.json b/data/json/decision_points/aivss/dynamic_identity_1_0_0.json similarity index 94% rename from data/json/decision_points/x_org_owasp_aivss/dynamic_identity_1_0_0.json rename to data/json/decision_points/aivss/dynamic_identity_1_0_0.json index 42f10806..e0cad80d 100644 --- a/data/json/decision_points/x_org_owasp_aivss/dynamic_identity_1_0_0.json +++ b/data/json/decision_points/aivss/dynamic_identity_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "DI", "version": "1.0.0", "name": "Dynamic Identity", diff --git a/data/json/decision_points/x_org_owasp_aivss/environment_adaptation_1_0_0.json b/data/json/decision_points/aivss/environment_adaptation_1_0_0.json similarity index 96% rename from data/json/decision_points/x_org_owasp_aivss/environment_adaptation_1_0_0.json rename to data/json/decision_points/aivss/environment_adaptation_1_0_0.json index 8fc6b4a0..e7d37d98 100644 --- a/data/json/decision_points/x_org_owasp_aivss/environment_adaptation_1_0_0.json +++ b/data/json/decision_points/aivss/environment_adaptation_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "EA", "version": "1.0.0", "name": "Environment & Adaptation", diff --git a/data/json/decision_points/x_org_owasp_aivss/execution_power_1_0_0.json b/data/json/decision_points/aivss/execution_power_1_0_0.json similarity index 96% rename from data/json/decision_points/x_org_owasp_aivss/execution_power_1_0_0.json rename to data/json/decision_points/aivss/execution_power_1_0_0.json index 2f72b903..3af14e26 100644 --- a/data/json/decision_points/x_org_owasp_aivss/execution_power_1_0_0.json +++ b/data/json/decision_points/aivss/execution_power_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "EP", "version": "1.0.0", "name": "Execution Power", diff --git a/data/json/decision_points/x_org_owasp_aivss/goal_driven_planning_1_0_0.json b/data/json/decision_points/aivss/goal_driven_planning_1_0_0.json similarity index 95% rename from data/json/decision_points/x_org_owasp_aivss/goal_driven_planning_1_0_0.json rename to data/json/decision_points/aivss/goal_driven_planning_1_0_0.json index fffc9fd0..3e7f8529 100644 --- a/data/json/decision_points/x_org_owasp_aivss/goal_driven_planning_1_0_0.json +++ b/data/json/decision_points/aivss/goal_driven_planning_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "GDP", "version": "1.0.0", "name": "Goal-Driven Planning", diff --git a/data/json/decision_points/x_org_owasp_aivss/memory_use_1_0_0.json b/data/json/decision_points/aivss/memory_use_1_0_0.json similarity index 94% rename from data/json/decision_points/x_org_owasp_aivss/memory_use_1_0_0.json rename to data/json/decision_points/aivss/memory_use_1_0_0.json index 03ee1b8c..7c14f34f 100644 --- a/data/json/decision_points/x_org_owasp_aivss/memory_use_1_0_0.json +++ b/data/json/decision_points/aivss/memory_use_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "MU", "version": "1.0.0", "name": "Memory Use", diff --git a/data/json/decision_points/x_org_owasp_aivss/multi_agent_interactions_1_0_0.json b/data/json/decision_points/aivss/multi_agent_interactions_1_0_0.json similarity index 94% rename from data/json/decision_points/x_org_owasp_aivss/multi_agent_interactions_1_0_0.json rename to data/json/decision_points/aivss/multi_agent_interactions_1_0_0.json index 4cc64116..5f567b11 100644 --- a/data/json/decision_points/x_org_owasp_aivss/multi_agent_interactions_1_0_0.json +++ b/data/json/decision_points/aivss/multi_agent_interactions_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "MAI", "version": "1.0.0", "name": "Multi-Agent Interactions", diff --git a/data/json/decision_points/x_org_owasp_aivss/non_determinism_1_0_0.json b/data/json/decision_points/aivss/non_determinism_1_0_0.json similarity index 93% rename from data/json/decision_points/x_org_owasp_aivss/non_determinism_1_0_0.json rename to data/json/decision_points/aivss/non_determinism_1_0_0.json index e524eda5..f1db3bb1 100644 --- a/data/json/decision_points/x_org_owasp_aivss/non_determinism_1_0_0.json +++ b/data/json/decision_points/aivss/non_determinism_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "ND", "version": "1.0.0", "name": "Non-Determinism", diff --git a/data/json/decision_points/x_org_owasp_aivss/opacity_reflexivity_1_0_0.json b/data/json/decision_points/aivss/opacity_reflexivity_1_0_0.json similarity index 94% rename from data/json/decision_points/x_org_owasp_aivss/opacity_reflexivity_1_0_0.json rename to data/json/decision_points/aivss/opacity_reflexivity_1_0_0.json index 5ef7c240..8881056f 100644 --- a/data/json/decision_points/x_org_owasp_aivss/opacity_reflexivity_1_0_0.json +++ b/data/json/decision_points/aivss/opacity_reflexivity_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "OR", "version": "1.0.0", "name": "Opacity & Reflexivity", diff --git a/data/json/decision_points/x_org_owasp_aivss/predictability_and_influence_1_0_0.json b/data/json/decision_points/aivss/predictability_and_influence_1_0_0.json similarity index 96% rename from data/json/decision_points/x_org_owasp_aivss/predictability_and_influence_1_0_0.json rename to data/json/decision_points/aivss/predictability_and_influence_1_0_0.json index 466caed1..dcf48dfa 100644 --- a/data/json/decision_points/x_org_owasp_aivss/predictability_and_influence_1_0_0.json +++ b/data/json/decision_points/aivss/predictability_and_influence_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "PI", "version": "1.0.0", "name": "Predictability and Influence", diff --git a/data/json/decision_points/x_org_owasp_aivss/self_modification_1_0_0.json b/data/json/decision_points/aivss/self_modification_1_0_0.json similarity index 93% rename from data/json/decision_points/x_org_owasp_aivss/self_modification_1_0_0.json rename to data/json/decision_points/aivss/self_modification_1_0_0.json index b7fe0055..8bb9508c 100644 --- a/data/json/decision_points/x_org_owasp_aivss/self_modification_1_0_0.json +++ b/data/json/decision_points/aivss/self_modification_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "SM", "version": "1.0.0", "name": "Self-Modification", diff --git a/data/json/decision_points/x_org_owasp_aivss/self_modification_1_1_0.json b/data/json/decision_points/aivss/self_modification_1_1_0.json similarity index 95% rename from data/json/decision_points/x_org_owasp_aivss/self_modification_1_1_0.json rename to data/json/decision_points/aivss/self_modification_1_1_0.json index e4e8864f..4bf29221 100644 --- a/data/json/decision_points/x_org_owasp_aivss/self_modification_1_1_0.json +++ b/data/json/decision_points/aivss/self_modification_1_1_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "SM", "version": "1.1.0", "name": "Self-Modification", diff --git a/data/json/decision_points/x_org_owasp_aivss/systemic_impact_1_0_0.json b/data/json/decision_points/aivss/systemic_impact_1_0_0.json similarity index 96% rename from data/json/decision_points/x_org_owasp_aivss/systemic_impact_1_0_0.json rename to data/json/decision_points/aivss/systemic_impact_1_0_0.json index 6fb0dd64..1c1b6017 100644 --- a/data/json/decision_points/x_org_owasp_aivss/systemic_impact_1_0_0.json +++ b/data/json/decision_points/aivss/systemic_impact_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "SI", "version": "1.0.0", "name": "Systemic Impact", diff --git a/data/json/decision_points/x_org_owasp_aivss/tool_use_1_0_0.json b/data/json/decision_points/aivss/tool_use_1_0_0.json similarity index 95% rename from data/json/decision_points/x_org_owasp_aivss/tool_use_1_0_0.json rename to data/json/decision_points/aivss/tool_use_1_0_0.json index 82f550fb..90a09c4d 100644 --- a/data/json/decision_points/x_org_owasp_aivss/tool_use_1_0_0.json +++ b/data/json/decision_points/aivss/tool_use_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "TU", "version": "1.0.0", "name": "Tool Use", diff --git a/data/json/decision_points/x_org_owasp_aivss/verification_capability_1_0_0.json b/data/json/decision_points/aivss/verification_capability_1_0_0.json similarity index 94% rename from data/json/decision_points/x_org_owasp_aivss/verification_capability_1_0_0.json rename to data/json/decision_points/aivss/verification_capability_1_0_0.json index dc4c99bc..88d9bfbd 100644 --- a/data/json/decision_points/x_org_owasp_aivss/verification_capability_1_0_0.json +++ b/data/json/decision_points/aivss/verification_capability_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "VC", "version": "1.0.0", "name": "Verification Capability", diff --git a/data/json/decision_tables/x_org_owasp_aivss/agentic_impact_level_1_0_0.json b/data/json/decision_tables/aivss/agentic_impact_level_1_0_0.json similarity index 51% rename from data/json/decision_tables/x_org_owasp_aivss/agentic_impact_level_1_0_0.json rename to data/json/decision_tables/aivss/agentic_impact_level_1_0_0.json index 6e1e9ae2..2970b65e 100644 --- a/data/json/decision_tables/x_org_owasp_aivss/agentic_impact_level_1_0_0.json +++ b/data/json/decision_tables/aivss/agentic_impact_level_1_0_0.json @@ -1,13 +1,13 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "DT_AIL", "version": "1.0.0", "name": "Agentic Impact Level", "definition": "TODO writeme", "schemaVersion": "2.0.0", "decision_points": { - "x_org.owasp#aivss:EP:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:EP:1.0.0": { + "namespace": "aivss", "key": "EP", "version": "1.0.0", "name": "Execution Power", @@ -31,8 +31,8 @@ } ] }, - "x_org.owasp#aivss:EA:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:EA:1.0.0": { + "namespace": "aivss", "key": "EA", "version": "1.0.0", "name": "Environment & Adaptation", @@ -56,8 +56,8 @@ } ] }, - "x_org.owasp#aivss:PI:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:PI:1.0.0": { + "namespace": "aivss", "key": "PI", "version": "1.0.0", "name": "Predictability and Influence", @@ -81,8 +81,8 @@ } ] }, - "x_org.owasp#aivss:AIL:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:AIL:1.0.0": { + "namespace": "aivss", "key": "AIL", "version": "1.0.0", "name": "Agentic Impact Level", @@ -107,169 +107,169 @@ ] } }, - "outcome": "x_org.owasp#aivss:AIL:1.0.0", + "outcome": "aivss:AIL:1.0.0", "mapping": [ { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "C" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "C" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "C" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "C" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "C" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "C" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "C" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "C" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "P" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "P" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P" } ] } diff --git a/data/json/decision_tables/x_org_owasp_aivss/aivss_decision_table_1_0_0.json b/data/json/decision_tables/aivss/aivss_decision_table_1_0_0.json similarity index 71% rename from data/json/decision_tables/x_org_owasp_aivss/aivss_decision_table_1_0_0.json rename to data/json/decision_tables/aivss/aivss_decision_table_1_0_0.json index fe85bf0c..3dc6a14c 100644 --- a/data/json/decision_tables/x_org_owasp_aivss/aivss_decision_table_1_0_0.json +++ b/data/json/decision_tables/aivss/aivss_decision_table_1_0_0.json @@ -1,5 +1,5 @@ { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "DT_AIVSS", "version": "1.0.0", "name": "AIVSS Decision Table", @@ -31,8 +31,8 @@ } ] }, - "x_org.owasp#aivss:AIL:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:AIL:1.0.0": { + "namespace": "aivss", "key": "AIL", "version": "1.0.0", "name": "Agentic Impact Level", @@ -56,8 +56,8 @@ } ] }, - "x_org.owasp#aivss:SI:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:SI:1.0.0": { + "namespace": "aivss", "key": "SI", "version": "1.0.0", "name": "Systemic Impact", @@ -116,164 +116,164 @@ "mapping": [ { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I" } ] diff --git a/data/json/decision_tables/aivss/execution_power_1_0_0.json b/data/json/decision_tables/aivss/execution_power_1_0_0.json new file mode 100644 index 00000000..b3346ba1 --- /dev/null +++ b/data/json/decision_tables/aivss/execution_power_1_0_0.json @@ -0,0 +1,705 @@ +{ + "namespace": "aivss", + "key": "DT_EP", + "version": "1.0.0", + "name": "Execution Power", + "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", + "schemaVersion": "2.0.0", + "decision_points": { + "aivss:AA:1.0.0": { + "namespace": "aivss", + "key": "AA", + "version": "1.0.0", + "name": "Autonomy of Action", + "definition": "Determines the autonomy of action level of a vulnerability based on its characteristics and potential effects.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "G", + "name": "Gated", + "definition": "The agent cannot act without human approval." + }, + { + "key": "S", + "name": "Scoped", + "definition": "The agent can act independently but only in tightly bounded spaces." + }, + { + "key": "F", + "name": "Free-Running", + "definition": "The agent can execute actions in live systems without a human in the loop." + } + ] + }, + "aivss:TU:1.0.0": { + "namespace": "aivss", + "key": "TU", + "version": "1.0.0", + "name": "Tool Use", + "definition": "Determines the tool use level of an AI agent based on its capabilities to interact with systems.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "V", + "name": "Viewer", + "definition": "The agent can only read and analyze information without making any changes." + }, + { + "key": "O", + "name": "Operator", + "definition": "The agent can make changes within a controlled environment, such as test systems or local files." + }, + { + "key": "A", + "name": "Administrator", + "definition": "The agent has full control and can make changes to privileged systems, including production environments." + } + ] + }, + "aivss:SM:1.1.0": { + "namespace": "aivss", + "key": "SM", + "version": "1.1.0", + "name": "Self-Modification", + "definition": "Determines the self-modification capabilities of an AI agent based on its ability to alter its own code, configuration, or behavior.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "F", + "name": "Fixed", + "definition": "The agent cannot modify its own code, configuration, or behavior." + }, + { + "key": "T", + "name": "Tunable", + "definition": "The agent can modify its configuration or prompts but not its core code or behavior." + }, + { + "key": "M", + "name": "Mutable", + "definition": "The agent can modify its own code, configuration, or behavior." + } + ] + }, + "aivss:GDP:1.0.0": { + "namespace": "aivss", + "key": "GDP", + "version": "1.0.0", + "name": "Goal-Driven Planning", + "definition": "Determines the goal-driven planning capabilities of an AI agent based on its ability to plan and execute actions over multiple steps.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "R", + "name": "Reactive", + "definition": "The agent can only respond to immediate inputs without planning." + }, + { + "key": "A", + "name": "Assisted", + "definition": "The agent can plan multiple steps ahead but requires human execution or approval." + }, + { + "key": "U", + "name": "Autonomous", + "definition": "The agent can plan and execute multiple steps independently." + } + ] + }, + "aivss:EP:1.0.0": { + "namespace": "aivss", + "key": "EP", + "version": "1.0.0", + "name": "Execution Power", + "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "C", + "name": "Constrained", + "definition": "The AI agent has limited execution power, restricting its ability to perform actions autonomously or interact with external systems." + }, + { + "key": "CA", + "name": "Capable", + "definition": "The AI agent has moderate execution power, allowing it to perform certain actions autonomously and interact with external systems under supervision." + }, + { + "key": "H", + "name": "High Leverage", + "definition": "The AI agent has extensive execution power, enabling it to perform actions autonomously and interact with external systems with minimal supervision." + } + ] + } + }, + "outcome": "aivss:EP:1.0.0", + "mapping": [ + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "C" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "C" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "C" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "C" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" + }, + { + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" + } + ] +} diff --git a/data/json/decision_tables/aivss/predictability_and_influence_1_0_0.json b/data/json/decision_tables/aivss/predictability_and_influence_1_0_0.json new file mode 100644 index 00000000..2a4e4c33 --- /dev/null +++ b/data/json/decision_tables/aivss/predictability_and_influence_1_0_0.json @@ -0,0 +1,705 @@ +{ + "namespace": "aivss", + "key": "DT_PI", + "version": "1.0.0", + "name": "Predictability and Influence", + "definition": "TODO writeme", + "schemaVersion": "2.0.0", + "decision_points": { + "aivss:ND:1.0.0": { + "namespace": "aivss", + "key": "ND", + "version": "1.0.0", + "name": "Non-Determinism", + "definition": "Describes variability of system outputs across repeated executions.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "D", + "name": "Deterministic", + "definition": "Stable outputs; no randomness." + }, + { + "key": "B", + "name": "Bounded", + "definition": "Controlled variance within predictable limits." + }, + { + "key": "H", + "name": "High-Variance", + "definition": "Broad or unstable behavioral range." + } + ] + }, + "aivss:OR:1.0.0": { + "namespace": "aivss", + "key": "OR", + "version": "1.0.0", + "name": "Opacity & Reflexivity", + "definition": "Captures how observable and explainable the internal reasoning and adaptation cycle is.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "T", + "name": "Transparent", + "definition": "Full logs and traceable reasoning." + }, + { + "key": "F", + "name": "Fragmented", + "definition": "Partial visibility; some steps hidden." + }, + { + "key": "O", + "name": "Opaque", + "definition": "Black-box behavior; internal process not observable." + } + ] + }, + "aivss:VC:1.0.0": { + "namespace": "aivss", + "key": "VC", + "version": "1.0.0", + "name": "Verification Capability", + "definition": "Indicates whether the system’s critical properties can be formally or practically verified.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "P", + "name": "Provable", + "definition": "Critical safety or correctness invariants can be verified." + }, + { + "key": "K", + "name": "Key Invariants Verifiable", + "definition": "Some critical properties can be verified, but not all." + }, + { + "key": "U", + "name": "Unverifiable", + "definition": "Cannot prove correctness or invariants in practice." + } + ] + }, + "aivss:DP:1.0.0": { + "namespace": "aivss", + "key": "DP", + "version": "1.0.0", + "name": "Deceptiveness Potential", + "definition": "Assesses the potential for AI-generated vulnerability reports to be deceptive, ranging from plain structured output to highly persuasive content.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "P", + "name": "Plain", + "definition": "Structured, non-persona output." + }, + { + "key": "F", + "name": "Fluent", + "definition": "Natural language output, but not convincingly human." + }, + { + "key": "S", + "name": "Persuasive", + "definition": "Persona mimicry, deepfakes, or social-engineering capability." + } + ] + }, + "aivss:PI:1.0.0": { + "namespace": "aivss", + "key": "PI", + "version": "1.0.0", + "name": "Predictability and Influence", + "definition": "TODO writeme", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "V", + "name": "Verifiable", + "definition": "Behavior is traceable, reproducible, and backed by strong logging or proofs. Outputs align with clear rules, and any action can be independently checked. Unexpected deviations are rare and easy to diagnose." + }, + { + "key": "U", + "name": "Uncertain", + "definition": "Behavior is generally well-structured but can deviate within known bounds. Some reasoning steps or interactions lack full visibility, making verification partial. Issues may be diagnosable but require effort or contextual reconstruction." + }, + { + "key": "O", + "name": "Opaque", + "definition": "Behavior is highly variable, difficult to trace, and resistant to verification. Key reasoning paths, external influences, or interactions are hidden or unpredictable. Actions may appear coherent but cannot be reliably reproduced or audited." + } + ] + } + }, + "outcome": "aivss:PI:1.0.0", + "mapping": [ + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "V" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "V" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "V" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "V" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "V" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" + }, + { + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" + } + ] +} diff --git a/data/json/decision_tables/x_org_owasp_aivss/execution_power_1_0_0.json b/data/json/decision_tables/x_org_owasp_aivss/execution_power_1_0_0.json deleted file mode 100644 index 00d6ee3e..00000000 --- a/data/json/decision_tables/x_org_owasp_aivss/execution_power_1_0_0.json +++ /dev/null @@ -1,705 +0,0 @@ -{ - "namespace": "x_org.owasp#aivss", - "key": "DT_EP", - "version": "1.0.0", - "name": "Execution Power", - "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", - "schemaVersion": "2.0.0", - "decision_points": { - "x_org.owasp#aivss:AA:1.0.0": { - "namespace": "x_org.owasp#aivss", - "key": "AA", - "version": "1.0.0", - "name": "Autonomy of Action", - "definition": "Determines the autonomy of action level of a vulnerability based on its characteristics and potential effects.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "G", - "name": "Gated", - "definition": "The agent cannot act without human approval." - }, - { - "key": "S", - "name": "Scoped", - "definition": "The agent can act independently but only in tightly bounded spaces." - }, - { - "key": "F", - "name": "Free-Running", - "definition": "The agent can execute actions in live systems without a human in the loop." - } - ] - }, - "x_org.owasp#aivss:TU:1.0.0": { - "namespace": "x_org.owasp#aivss", - "key": "TU", - "version": "1.0.0", - "name": "Tool Use", - "definition": "Determines the tool use level of an AI agent based on its capabilities to interact with systems.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "V", - "name": "Viewer", - "definition": "The agent can only read and analyze information without making any changes." - }, - { - "key": "O", - "name": "Operator", - "definition": "The agent can make changes within a controlled environment, such as test systems or local files." - }, - { - "key": "A", - "name": "Administrator", - "definition": "The agent has full control and can make changes to privileged systems, including production environments." - } - ] - }, - "x_org.owasp#aivss:SM:1.1.0": { - "namespace": "x_org.owasp#aivss", - "key": "SM", - "version": "1.1.0", - "name": "Self-Modification", - "definition": "Determines the self-modification capabilities of an AI agent based on its ability to alter its own code, configuration, or behavior.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "F", - "name": "Fixed", - "definition": "The agent cannot modify its own code, configuration, or behavior." - }, - { - "key": "T", - "name": "Tunable", - "definition": "The agent can modify its configuration or prompts but not its core code or behavior." - }, - { - "key": "M", - "name": "Mutable", - "definition": "The agent can modify its own code, configuration, or behavior." - } - ] - }, - "x_org.owasp#aivss:GDP:1.0.0": { - "namespace": "x_org.owasp#aivss", - "key": "GDP", - "version": "1.0.0", - "name": "Goal-Driven Planning", - "definition": "Determines the goal-driven planning capabilities of an AI agent based on its ability to plan and execute actions over multiple steps.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "R", - "name": "Reactive", - "definition": "The agent can only respond to immediate inputs without planning." - }, - { - "key": "A", - "name": "Assisted", - "definition": "The agent can plan multiple steps ahead but requires human execution or approval." - }, - { - "key": "U", - "name": "Autonomous", - "definition": "The agent can plan and execute multiple steps independently." - } - ] - }, - "x_org.owasp#aivss:EP:1.0.0": { - "namespace": "x_org.owasp#aivss", - "key": "EP", - "version": "1.0.0", - "name": "Execution Power", - "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "C", - "name": "Constrained", - "definition": "The AI agent has limited execution power, restricting its ability to perform actions autonomously or interact with external systems." - }, - { - "key": "CA", - "name": "Capable", - "definition": "The AI agent has moderate execution power, allowing it to perform certain actions autonomously and interact with external systems under supervision." - }, - { - "key": "H", - "name": "High Leverage", - "definition": "The AI agent has extensive execution power, enabling it to perform actions autonomously and interact with external systems with minimal supervision." - } - ] - } - }, - "outcome": "x_org.owasp#aivss:EP:1.0.0", - "mapping": [ - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "C" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "C" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "C" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "C" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" - }, - { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" - } - ] -} diff --git a/data/json/decision_tables/x_org_owasp_aivss/predictability_and_influence_1_0_0.json b/data/json/decision_tables/x_org_owasp_aivss/predictability_and_influence_1_0_0.json deleted file mode 100644 index 73720c1c..00000000 --- a/data/json/decision_tables/x_org_owasp_aivss/predictability_and_influence_1_0_0.json +++ /dev/null @@ -1,705 +0,0 @@ -{ - "namespace": "x_org.owasp#aivss", - "key": "DT_PI", - "version": "1.0.0", - "name": "Predictability and Influence", - "definition": "TODO writeme", - "schemaVersion": "2.0.0", - "decision_points": { - "x_org.owasp#aivss:ND:1.0.0": { - "namespace": "x_org.owasp#aivss", - "key": "ND", - "version": "1.0.0", - "name": "Non-Determinism", - "definition": "Describes variability of system outputs across repeated executions.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "D", - "name": "Deterministic", - "definition": "Stable outputs; no randomness." - }, - { - "key": "B", - "name": "Bounded", - "definition": "Controlled variance within predictable limits." - }, - { - "key": "H", - "name": "High-Variance", - "definition": "Broad or unstable behavioral range." - } - ] - }, - "x_org.owasp#aivss:OR:1.0.0": { - "namespace": "x_org.owasp#aivss", - "key": "OR", - "version": "1.0.0", - "name": "Opacity & Reflexivity", - "definition": "Captures how observable and explainable the internal reasoning and adaptation cycle is.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "T", - "name": "Transparent", - "definition": "Full logs and traceable reasoning." - }, - { - "key": "F", - "name": "Fragmented", - "definition": "Partial visibility; some steps hidden." - }, - { - "key": "O", - "name": "Opaque", - "definition": "Black-box behavior; internal process not observable." - } - ] - }, - "x_org.owasp#aivss:VC:1.0.0": { - "namespace": "x_org.owasp#aivss", - "key": "VC", - "version": "1.0.0", - "name": "Verification Capability", - "definition": "Indicates whether the system’s critical properties can be formally or practically verified.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "P", - "name": "Provable", - "definition": "Critical safety or correctness invariants can be verified." - }, - { - "key": "K", - "name": "Key Invariants Verifiable", - "definition": "Some critical properties can be verified, but not all." - }, - { - "key": "U", - "name": "Unverifiable", - "definition": "Cannot prove correctness or invariants in practice." - } - ] - }, - "x_org.owasp#aivss:DP:1.0.0": { - "namespace": "x_org.owasp#aivss", - "key": "DP", - "version": "1.0.0", - "name": "Deceptiveness Potential", - "definition": "Assesses the potential for AI-generated vulnerability reports to be deceptive, ranging from plain structured output to highly persuasive content.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "P", - "name": "Plain", - "definition": "Structured, non-persona output." - }, - { - "key": "F", - "name": "Fluent", - "definition": "Natural language output, but not convincingly human." - }, - { - "key": "S", - "name": "Persuasive", - "definition": "Persona mimicry, deepfakes, or social-engineering capability." - } - ] - }, - "x_org.owasp#aivss:PI:1.0.0": { - "namespace": "x_org.owasp#aivss", - "key": "PI", - "version": "1.0.0", - "name": "Predictability and Influence", - "definition": "TODO writeme", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "V", - "name": "Verifiable", - "definition": "Behavior is traceable, reproducible, and backed by strong logging or proofs. Outputs align with clear rules, and any action can be independently checked. Unexpected deviations are rare and easy to diagnose." - }, - { - "key": "U", - "name": "Uncertain", - "definition": "Behavior is generally well-structured but can deviate within known bounds. Some reasoning steps or interactions lack full visibility, making verification partial. Issues may be diagnosable but require effort or contextual reconstruction." - }, - { - "key": "O", - "name": "Opaque", - "definition": "Behavior is highly variable, difficult to trace, and resistant to verification. Key reasoning paths, external influences, or interactions are hidden or unpredictable. Actions may appear coherent but cannot be reliably reproduced or audited." - } - ] - } - }, - "outcome": "x_org.owasp#aivss:PI:1.0.0", - "mapping": [ - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "V" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" - }, - { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" - } - ] -} diff --git a/data/json/ssvc_object_registry.json b/data/json/ssvc_object_registry.json index 107fd283..26b96901 100644 --- a/data/json/ssvc_object_registry.json +++ b/data/json/ssvc_object_registry.json @@ -6,8 +6,8 @@ "DecisionPoint": { "type": "DecisionPoint", "namespaces": { - "x_org.owasp#aivss": { - "namespace": "x_org.owasp#aivss", + "aivss": { + "namespace": "aivss", "keys": { "AIL": { "key": "AIL", @@ -15,7 +15,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "AIL", "version": "1.0.0", "name": "Agentic Impact Level", @@ -65,7 +65,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "AA", "version": "1.0.0", "name": "Autonomy of Action", @@ -115,7 +115,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "CA", "version": "1.0.0", "name": "Contextual Awareness", @@ -165,7 +165,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "DP", "version": "1.0.0", "name": "Deceptiveness Potential", @@ -215,7 +215,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "DI", "version": "1.0.0", "name": "Dynamic Identity", @@ -265,7 +265,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "EA", "version": "1.0.0", "name": "Environment & Adaptation", @@ -315,7 +315,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "EP", "version": "1.0.0", "name": "Execution Power", @@ -365,7 +365,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "GDP", "version": "1.0.0", "name": "Goal-Driven Planning", @@ -415,7 +415,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "MU", "version": "1.0.0", "name": "Memory Use", @@ -465,7 +465,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "MAI", "version": "1.0.0", "name": "Multi-Agent Interactions", @@ -515,7 +515,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "ND", "version": "1.0.0", "name": "Non-Determinism", @@ -565,7 +565,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "OR", "version": "1.0.0", "name": "Opacity & Reflexivity", @@ -615,7 +615,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "PI", "version": "1.0.0", "name": "Predictability and Influence", @@ -665,7 +665,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "SM", "version": "1.0.0", "name": "Self-Modification", @@ -700,7 +700,7 @@ "1.1.0": { "version": "1.1.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "SM", "version": "1.1.0", "name": "Self-Modification", @@ -750,7 +750,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "SI", "version": "1.0.0", "name": "Systemic Impact", @@ -800,7 +800,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "TU", "version": "1.0.0", "name": "Tool Use", @@ -850,7 +850,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "VC", "version": "1.0.0", "name": "Verification Capability", @@ -23967,8 +23967,8 @@ } } }, - "x_org.owasp#aivss": { - "namespace": "x_org.owasp#aivss", + "aivss": { + "namespace": "aivss", "keys": { "DT_AIVSS": { "key": "DT_AIVSS", @@ -23976,7 +23976,7 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "DT_AIVSS", "version": "1.0.0", "name": "AIVSS Decision Table", @@ -24008,8 +24008,8 @@ } ] }, - "x_org.owasp#aivss:AIL:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:AIL:1.0.0": { + "namespace": "aivss", "key": "AIL", "version": "1.0.0", "name": "Agentic Impact Level", @@ -24033,8 +24033,8 @@ } ] }, - "x_org.owasp#aivss:SI:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:SI:1.0.0": { + "namespace": "aivss", "key": "SI", "version": "1.0.0", "name": "Systemic Impact", @@ -24093,164 +24093,164 @@ "mapping": [ { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I" } ] @@ -24264,15 +24264,15 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "DT_AIL", "version": "1.0.0", "name": "Agentic Impact Level", "definition": "TODO writeme", "schemaVersion": "2.0.0", "decision_points": { - "x_org.owasp#aivss:EP:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:EP:1.0.0": { + "namespace": "aivss", "key": "EP", "version": "1.0.0", "name": "Execution Power", @@ -24296,8 +24296,8 @@ } ] }, - "x_org.owasp#aivss:EA:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:EA:1.0.0": { + "namespace": "aivss", "key": "EA", "version": "1.0.0", "name": "Environment & Adaptation", @@ -24321,8 +24321,8 @@ } ] }, - "x_org.owasp#aivss:PI:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:PI:1.0.0": { + "namespace": "aivss", "key": "PI", "version": "1.0.0", "name": "Predictability and Influence", @@ -24346,8 +24346,8 @@ } ] }, - "x_org.owasp#aivss:AIL:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:AIL:1.0.0": { + "namespace": "aivss", "key": "AIL", "version": "1.0.0", "name": "Agentic Impact Level", @@ -24372,169 +24372,169 @@ ] } }, - "outcome": "x_org.owasp#aivss:AIL:1.0.0", + "outcome": "aivss:AIL:1.0.0", "mapping": [ { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "C" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "C" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "C" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "C" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "C" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "C" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "C" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "C" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "P" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "P" }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P" + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P" } ] } @@ -24547,15 +24547,15 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "DT_PI", "version": "1.0.0", "name": "Predictability and Influence", "definition": "TODO writeme", "schemaVersion": "2.0.0", "decision_points": { - "x_org.owasp#aivss:ND:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:ND:1.0.0": { + "namespace": "aivss", "key": "ND", "version": "1.0.0", "name": "Non-Determinism", @@ -24579,8 +24579,8 @@ } ] }, - "x_org.owasp#aivss:OR:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:OR:1.0.0": { + "namespace": "aivss", "key": "OR", "version": "1.0.0", "name": "Opacity & Reflexivity", @@ -24604,8 +24604,8 @@ } ] }, - "x_org.owasp#aivss:VC:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:VC:1.0.0": { + "namespace": "aivss", "key": "VC", "version": "1.0.0", "name": "Verification Capability", @@ -24629,8 +24629,8 @@ } ] }, - "x_org.owasp#aivss:DP:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:DP:1.0.0": { + "namespace": "aivss", "key": "DP", "version": "1.0.0", "name": "Deceptiveness Potential", @@ -24654,8 +24654,8 @@ } ] }, - "x_org.owasp#aivss:PI:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:PI:1.0.0": { + "namespace": "aivss", "key": "PI", "version": "1.0.0", "name": "Predictability and Influence", @@ -24680,574 +24680,574 @@ ] } }, - "outcome": "x_org.owasp#aivss:PI:1.0.0", + "outcome": "aivss:PI:1.0.0", "mapping": [ { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "V" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "V" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "V" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "V" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "V" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "V" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O" }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O" + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O" } ] } @@ -25260,15 +25260,15 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "x_org.owasp#aivss", + "namespace": "aivss", "key": "DT_EP", "version": "1.0.0", "name": "Execution Power", "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", "schemaVersion": "2.0.0", "decision_points": { - "x_org.owasp#aivss:AA:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:AA:1.0.0": { + "namespace": "aivss", "key": "AA", "version": "1.0.0", "name": "Autonomy of Action", @@ -25292,8 +25292,8 @@ } ] }, - "x_org.owasp#aivss:TU:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:TU:1.0.0": { + "namespace": "aivss", "key": "TU", "version": "1.0.0", "name": "Tool Use", @@ -25317,8 +25317,8 @@ } ] }, - "x_org.owasp#aivss:SM:1.1.0": { - "namespace": "x_org.owasp#aivss", + "aivss:SM:1.1.0": { + "namespace": "aivss", "key": "SM", "version": "1.1.0", "name": "Self-Modification", @@ -25342,8 +25342,8 @@ } ] }, - "x_org.owasp#aivss:GDP:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:GDP:1.0.0": { + "namespace": "aivss", "key": "GDP", "version": "1.0.0", "name": "Goal-Driven Planning", @@ -25367,8 +25367,8 @@ } ] }, - "x_org.owasp#aivss:EP:1.0.0": { - "namespace": "x_org.owasp#aivss", + "aivss:EP:1.0.0": { + "namespace": "aivss", "key": "EP", "version": "1.0.0", "name": "Execution Power", @@ -25393,574 +25393,574 @@ ] } }, - "outcome": "x_org.owasp#aivss:EP:1.0.0", + "outcome": "aivss:EP:1.0.0", "mapping": [ { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "C" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "C" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "C" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "C" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "C" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "C" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "C" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "C" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H" }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H" + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H" } ] } diff --git a/src/ssvc/decision_points/aivss/base.py b/src/ssvc/decision_points/aivss/base.py index 025d6de9..fcba0ab0 100644 --- a/src/ssvc/decision_points/aivss/base.py +++ b/src/ssvc/decision_points/aivss/base.py @@ -23,8 +23,9 @@ from pydantic import BaseModel from ssvc.decision_points.base import DecisionPoint +from ssvc.namespaces import NameSpace -AIVSS_NS = "x_org.owasp#aivss" +AIVSS_NS = NameSpace.AIVSS class AivssDecisionPoint(DecisionPoint, BaseModel): diff --git a/src/ssvc/decision_tables/aivss/agentic_impact.py b/src/ssvc/decision_tables/aivss/agentic_impact.py index fbb79698..a182054c 100644 --- a/src/ssvc/decision_tables/aivss/agentic_impact.py +++ b/src/ssvc/decision_tables/aivss/agentic_impact.py @@ -49,166 +49,166 @@ outcome=AGENTIC_IMPACT_LEVEL_01.id, mapping=[ { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "C", + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "C", }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "C", + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "C", }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "C", + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "C", }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "C", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P", + "aivss:EP:1.0.0": "C", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P", }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "C", + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "C", }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "CA", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P", + "aivss:EP:1.0.0": "CA", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P", }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "I", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P", + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "I", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P", }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "S", + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "S", }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "C", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P", + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "C", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P", }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V", - "x_org.owasp#aivss:AIL:1.0.0": "P", + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "V", + "aivss:AIL:1.0.0": "P", }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", - "x_org.owasp#aivss:AIL:1.0.0": "P", + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "U", + "aivss:AIL:1.0.0": "P", }, { - "x_org.owasp#aivss:EP:1.0.0": "H", - "x_org.owasp#aivss:EA:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", - "x_org.owasp#aivss:AIL:1.0.0": "P", + "aivss:EP:1.0.0": "H", + "aivss:EA:1.0.0": "P", + "aivss:PI:1.0.0": "O", + "aivss:AIL:1.0.0": "P", }, ], ) diff --git a/src/ssvc/decision_tables/aivss/aivss.py b/src/ssvc/decision_tables/aivss/aivss.py index 92f529b8..f06aae74 100644 --- a/src/ssvc/decision_tables/aivss/aivss.py +++ b/src/ssvc/decision_tables/aivss/aivss.py @@ -48,164 +48,164 @@ mapping=[ { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "D", }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "N", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I", }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "P", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I", }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "C", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "C", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I", }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "I", }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "S", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "S", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I", }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "C", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "C", "ssvc:DSOI:1.0.0": "I", }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "S", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "S", "ssvc:DSOI:1.0.0": "I", }, { "ssvc:E:1.1.0": "A", - "x_org.owasp#aivss:AIL:1.0.0": "P", - "x_org.owasp#aivss:SI:1.0.0": "R", + "aivss:AIL:1.0.0": "P", + "aivss:SI:1.0.0": "R", "ssvc:DSOI:1.0.0": "I", }, ], diff --git a/src/ssvc/decision_tables/aivss/env_adaptation.py b/src/ssvc/decision_tables/aivss/env_adaptation.py index 0692db6c..48e915ca 100644 --- a/src/ssvc/decision_tables/aivss/env_adaptation.py +++ b/src/ssvc/decision_tables/aivss/env_adaptation.py @@ -55,571 +55,571 @@ outcome=ENV_ADAPT_01.id, mapping=[ { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "I", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "I", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "I", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "I", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "I", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "I", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "I", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "I", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "S", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "I", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "I", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "L", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "I", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "C", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "T", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "F", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "S", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "S", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "R", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P", }, { - "x_org.owasp#aivss:MU:1.0.0": "M", - "x_org.owasp#aivss:CA:1.0.0": "A", - "x_org.owasp#aivss:DI:1.0.0": "A", - "x_org.owasp#aivss:MAI:1.0.0": "O", - "x_org.owasp#aivss:EA:1.0.0": "P", + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P", }, ], ) diff --git a/src/ssvc/decision_tables/aivss/execution_power.py b/src/ssvc/decision_tables/aivss/execution_power.py index 101aecdc..2409809f 100644 --- a/src/ssvc/decision_tables/aivss/execution_power.py +++ b/src/ssvc/decision_tables/aivss/execution_power.py @@ -54,571 +54,571 @@ outcome=EXECUTION_POWER.id, mapping=[ { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "C", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "C", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "C", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "C", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "C", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "C", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "G", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "G", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "C", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "C", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "C", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "C", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "S", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "S", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "V", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "V", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "CA", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "CA", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "O", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "O", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "F", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "F", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "T", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "T", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "R", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "R", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "A", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "A", + "aivss:EP:1.0.0": "H", }, { - "x_org.owasp#aivss:AA:1.0.0": "F", - "x_org.owasp#aivss:TU:1.0.0": "A", - "x_org.owasp#aivss:SM:1.1.0": "M", - "x_org.owasp#aivss:GDP:1.0.0": "U", - "x_org.owasp#aivss:EP:1.0.0": "H", + "aivss:AA:1.0.0": "F", + "aivss:TU:1.0.0": "A", + "aivss:SM:1.1.0": "M", + "aivss:GDP:1.0.0": "U", + "aivss:EP:1.0.0": "H", }, ], ) diff --git a/src/ssvc/decision_tables/aivss/predictability_influence.py b/src/ssvc/decision_tables/aivss/predictability_influence.py index e80d9431..c2277006 100644 --- a/src/ssvc/decision_tables/aivss/predictability_influence.py +++ b/src/ssvc/decision_tables/aivss/predictability_influence.py @@ -57,571 +57,571 @@ outcome=PREDICTABILITY_INFLUENCE_01.id, mapping=[ { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "V", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "V", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "V", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "V", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "V", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "D", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "D", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "V", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "V", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "B", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "B", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "T", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "T", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "U", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "U", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "F", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "F", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "P", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "P", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "K", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "K", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "P", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "P", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "F", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "F", + "aivss:PI:1.0.0": "O", }, { - "x_org.owasp#aivss:ND:1.0.0": "H", - "x_org.owasp#aivss:OR:1.0.0": "O", - "x_org.owasp#aivss:VC:1.0.0": "U", - "x_org.owasp#aivss:DP:1.0.0": "S", - "x_org.owasp#aivss:PI:1.0.0": "O", + "aivss:ND:1.0.0": "H", + "aivss:OR:1.0.0": "O", + "aivss:VC:1.0.0": "U", + "aivss:DP:1.0.0": "S", + "aivss:PI:1.0.0": "O", }, ], ) diff --git a/src/ssvc/namespaces.py b/src/ssvc/namespaces.py index 017f0aa1..bcde277b 100644 --- a/src/ssvc/namespaces.py +++ b/src/ssvc/namespaces.py @@ -70,6 +70,7 @@ class NameSpace(StrEnum): EXAMPLE = "example" TEST = "test" NIST = "nist" + AIVSS = "aivss" @classmethod def validate(cls, value: str) -> str: diff --git a/src/ssvc/utils/graph_labeling.py b/src/ssvc/utils/graph_labeling.py index b8f24d69..662df066 100644 --- a/src/ssvc/utils/graph_labeling.py +++ b/src/ssvc/utils/graph_labeling.py @@ -411,11 +411,11 @@ def dt_mapping_to_int_labels( int_mapping = {} for row in dt.mapping: # a row is a dict of decision point id to Value eg - # {'x_org.owasp#aivss:AA:1.0.0': 'F', - # 'x_org.owasp#aivss:TU:1.0.0': 'A', - # 'x_org.owasp#aivss:SM:1.1.0': 'M', - # 'x_org.owasp#aivss:GDP:1.0.0': 'A', - # 'x_org.owasp#aivss:EP:1.0.0': 'H'}, + # {'aivss:AA:1.0.0': 'F', + # 'aivss:TU:1.0.0': 'A', + # 'aivss:SM:1.1.0': 'M', + # 'aivss:GDP:1.0.0': 'A', + # 'aivss:EP:1.0.0': 'H'}, for k, v in row.items(): vector = [] if k == dt.outcome: From 8eb486393a7f4d50d57b7a9a9765cf377fd028c9 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Wed, 10 Dec 2025 13:24:27 -0500 Subject: [PATCH 13/23] add "aivss" as a recognized namespace --- .../agentic_impact_level_1_0_0.csv | 28 ------- .../aivss_decision_table_1_0_0.csv | 28 ------- .../execution_power_1_0_0.csv | 82 ------------------- .../predictability_and_influence_1_0_0.csv | 82 ------------------- 4 files changed, 220 deletions(-) delete mode 100644 data/csv/x_org_owasp_aivss/agentic_impact_level_1_0_0.csv delete mode 100644 data/csv/x_org_owasp_aivss/aivss_decision_table_1_0_0.csv delete mode 100644 data/csv/x_org_owasp_aivss/execution_power_1_0_0.csv delete mode 100644 data/csv/x_org_owasp_aivss/predictability_and_influence_1_0_0.csv diff --git a/data/csv/x_org_owasp_aivss/agentic_impact_level_1_0_0.csv b/data/csv/x_org_owasp_aivss/agentic_impact_level_1_0_0.csv deleted file mode 100644 index a0a4fff4..00000000 --- a/data/csv/x_org_owasp_aivss/agentic_impact_level_1_0_0.csv +++ /dev/null @@ -1,28 +0,0 @@ -row,Execution Power v1.0.0 (x_org.owasp#aivss),Environment & Adaptation v1.0.0 (x_org.owasp#aivss),Predictability and Influence v1.0.0 (x_org.owasp#aivss),Agentic Impact Level v1.0.0 (x_org.owasp#aivss) -0,constrained,isolated,verifiable,copilot -1,constrained,isolated,uncertain,copilot -2,constrained,isolated,opaque,specialist -3,constrained,connected,verifiable,copilot -4,constrained,connected,uncertain,specialist -5,constrained,connected,opaque,specialist -6,constrained,pervasive,verifiable,specialist -7,constrained,pervasive,uncertain,specialist -8,constrained,pervasive,opaque,prime mover -9,capable,isolated,verifiable,copilot -10,capable,isolated,uncertain,specialist -11,capable,isolated,opaque,specialist -12,capable,connected,verifiable,specialist -13,capable,connected,uncertain,specialist -14,capable,connected,opaque,specialist -15,capable,pervasive,verifiable,specialist -16,capable,pervasive,uncertain,specialist -17,capable,pervasive,opaque,prime mover -18,high leverage,isolated,verifiable,specialist -19,high leverage,isolated,uncertain,specialist -20,high leverage,isolated,opaque,prime mover -21,high leverage,connected,verifiable,specialist -22,high leverage,connected,uncertain,specialist -23,high leverage,connected,opaque,prime mover -24,high leverage,pervasive,verifiable,prime mover -25,high leverage,pervasive,uncertain,prime mover -26,high leverage,pervasive,opaque,prime mover diff --git a/data/csv/x_org_owasp_aivss/aivss_decision_table_1_0_0.csv b/data/csv/x_org_owasp_aivss/aivss_decision_table_1_0_0.csv deleted file mode 100644 index d002708e..00000000 --- a/data/csv/x_org_owasp_aivss/aivss_decision_table_1_0_0.csv +++ /dev/null @@ -1,28 +0,0 @@ -row,Exploitation v1.1.0,Agentic Impact Level v1.0.0 (x_org.owasp#aivss),Systemic Impact v1.0.0 (x_org.owasp#aivss),"Defer, Scheduled, Out-of-Cycle, Immediate v1.0.0" -0,none,copilot,contained,defer -1,none,copilot,significant,scheduled -2,none,copilot,critical,out-of-cycle -3,none,specialist,contained,scheduled -4,none,specialist,significant,scheduled -5,none,specialist,critical,out-of-cycle -6,none,prime mover,contained,scheduled -7,none,prime mover,significant,out-of-cycle -8,none,prime mover,critical,immediate -9,public poc,copilot,contained,scheduled -10,public poc,copilot,significant,scheduled -11,public poc,copilot,critical,out-of-cycle -12,public poc,specialist,contained,scheduled -13,public poc,specialist,significant,out-of-cycle -14,public poc,specialist,critical,out-of-cycle -15,public poc,prime mover,contained,out-of-cycle -16,public poc,prime mover,significant,out-of-cycle -17,public poc,prime mover,critical,immediate -18,active,copilot,contained,out-of-cycle -19,active,copilot,significant,out-of-cycle -20,active,copilot,critical,immediate -21,active,specialist,contained,out-of-cycle -22,active,specialist,significant,immediate -23,active,specialist,critical,immediate -24,active,prime mover,contained,immediate -25,active,prime mover,significant,immediate -26,active,prime mover,critical,immediate diff --git a/data/csv/x_org_owasp_aivss/execution_power_1_0_0.csv b/data/csv/x_org_owasp_aivss/execution_power_1_0_0.csv deleted file mode 100644 index 05188822..00000000 --- a/data/csv/x_org_owasp_aivss/execution_power_1_0_0.csv +++ /dev/null @@ -1,82 +0,0 @@ -row,Autonomy of Action v1.0.0 (x_org.owasp#aivss),Tool Use v1.0.0 (x_org.owasp#aivss),Self-Modification v1.1.0 (x_org.owasp#aivss),Goal-Driven Planning v1.0.0 (x_org.owasp#aivss),Execution Power v1.0.0 (x_org.owasp#aivss) -0,gated,viewer,fixed,reactive,constrained -1,gated,viewer,fixed,assisted,constrained -2,gated,viewer,fixed,autonomous,capable -3,gated,viewer,tunable,reactive,constrained -4,gated,viewer,tunable,assisted,constrained -5,gated,viewer,tunable,autonomous,capable -6,gated,viewer,mutable,reactive,capable -7,gated,viewer,mutable,assisted,capable -8,gated,viewer,mutable,autonomous,high leverage -9,gated,operator,fixed,reactive,constrained -10,gated,operator,fixed,assisted,constrained -11,gated,operator,fixed,autonomous,capable -12,gated,operator,tunable,reactive,constrained -13,gated,operator,tunable,assisted,capable -14,gated,operator,tunable,autonomous,capable -15,gated,operator,mutable,reactive,capable -16,gated,operator,mutable,assisted,capable -17,gated,operator,mutable,autonomous,high leverage -18,gated,administrator,fixed,reactive,capable -19,gated,administrator,fixed,assisted,capable -20,gated,administrator,fixed,autonomous,high leverage -21,gated,administrator,tunable,reactive,capable -22,gated,administrator,tunable,assisted,capable -23,gated,administrator,tunable,autonomous,high leverage -24,gated,administrator,mutable,reactive,high leverage -25,gated,administrator,mutable,assisted,high leverage -26,gated,administrator,mutable,autonomous,high leverage -27,scoped,viewer,fixed,reactive,constrained -28,scoped,viewer,fixed,assisted,constrained -29,scoped,viewer,fixed,autonomous,capable -30,scoped,viewer,tunable,reactive,constrained -31,scoped,viewer,tunable,assisted,capable -32,scoped,viewer,tunable,autonomous,capable -33,scoped,viewer,mutable,reactive,capable -34,scoped,viewer,mutable,assisted,capable -35,scoped,viewer,mutable,autonomous,high leverage -36,scoped,operator,fixed,reactive,constrained -37,scoped,operator,fixed,assisted,capable -38,scoped,operator,fixed,autonomous,capable -39,scoped,operator,tunable,reactive,capable -40,scoped,operator,tunable,assisted,capable -41,scoped,operator,tunable,autonomous,capable -42,scoped,operator,mutable,reactive,capable -43,scoped,operator,mutable,assisted,capable -44,scoped,operator,mutable,autonomous,high leverage -45,scoped,administrator,fixed,reactive,capable -46,scoped,administrator,fixed,assisted,capable -47,scoped,administrator,fixed,autonomous,high leverage -48,scoped,administrator,tunable,reactive,capable -49,scoped,administrator,tunable,assisted,capable -50,scoped,administrator,tunable,autonomous,high leverage -51,scoped,administrator,mutable,reactive,high leverage -52,scoped,administrator,mutable,assisted,high leverage -53,scoped,administrator,mutable,autonomous,high leverage -54,free-running,viewer,fixed,reactive,capable -55,free-running,viewer,fixed,assisted,capable -56,free-running,viewer,fixed,autonomous,high leverage -57,free-running,viewer,tunable,reactive,capable -58,free-running,viewer,tunable,assisted,capable -59,free-running,viewer,tunable,autonomous,high leverage -60,free-running,viewer,mutable,reactive,high leverage -61,free-running,viewer,mutable,assisted,high leverage -62,free-running,viewer,mutable,autonomous,high leverage -63,free-running,operator,fixed,reactive,capable -64,free-running,operator,fixed,assisted,capable -65,free-running,operator,fixed,autonomous,high leverage -66,free-running,operator,tunable,reactive,capable -67,free-running,operator,tunable,assisted,capable -68,free-running,operator,tunable,autonomous,high leverage -69,free-running,operator,mutable,reactive,high leverage -70,free-running,operator,mutable,assisted,high leverage -71,free-running,operator,mutable,autonomous,high leverage -72,free-running,administrator,fixed,reactive,high leverage -73,free-running,administrator,fixed,assisted,high leverage -74,free-running,administrator,fixed,autonomous,high leverage -75,free-running,administrator,tunable,reactive,high leverage -76,free-running,administrator,tunable,assisted,high leverage -77,free-running,administrator,tunable,autonomous,high leverage -78,free-running,administrator,mutable,reactive,high leverage -79,free-running,administrator,mutable,assisted,high leverage -80,free-running,administrator,mutable,autonomous,high leverage diff --git a/data/csv/x_org_owasp_aivss/predictability_and_influence_1_0_0.csv b/data/csv/x_org_owasp_aivss/predictability_and_influence_1_0_0.csv deleted file mode 100644 index 4bfe78b0..00000000 --- a/data/csv/x_org_owasp_aivss/predictability_and_influence_1_0_0.csv +++ /dev/null @@ -1,82 +0,0 @@ -row,Non-Determinism v1.0.0 (x_org.owasp#aivss),Opacity & Reflexivity v1.0.0 (x_org.owasp#aivss),Verification Capability v1.0.0 (x_org.owasp#aivss),Deceptiveness Potential v1.0.0 (x_org.owasp#aivss),Predictability and Influence v1.0.0 (x_org.owasp#aivss) -0,deterministic,transparent,provable,plain,verifiable -1,deterministic,transparent,provable,fluent,verifiable -2,deterministic,transparent,provable,persuasive,uncertain -3,deterministic,transparent,key invariants verifiable,plain,verifiable -4,deterministic,transparent,key invariants verifiable,fluent,uncertain -5,deterministic,transparent,key invariants verifiable,persuasive,uncertain -6,deterministic,transparent,unverifiable,plain,uncertain -7,deterministic,transparent,unverifiable,fluent,uncertain -8,deterministic,transparent,unverifiable,persuasive,opaque -9,deterministic,fragmented,provable,plain,verifiable -10,deterministic,fragmented,provable,fluent,uncertain -11,deterministic,fragmented,provable,persuasive,uncertain -12,deterministic,fragmented,key invariants verifiable,plain,uncertain -13,deterministic,fragmented,key invariants verifiable,fluent,uncertain -14,deterministic,fragmented,key invariants verifiable,persuasive,uncertain -15,deterministic,fragmented,unverifiable,plain,uncertain -16,deterministic,fragmented,unverifiable,fluent,uncertain -17,deterministic,fragmented,unverifiable,persuasive,opaque -18,deterministic,opaque,provable,plain,uncertain -19,deterministic,opaque,provable,fluent,uncertain -20,deterministic,opaque,provable,persuasive,opaque -21,deterministic,opaque,key invariants verifiable,plain,uncertain -22,deterministic,opaque,key invariants verifiable,fluent,uncertain -23,deterministic,opaque,key invariants verifiable,persuasive,opaque -24,deterministic,opaque,unverifiable,plain,opaque -25,deterministic,opaque,unverifiable,fluent,opaque -26,deterministic,opaque,unverifiable,persuasive,opaque -27,bounded,transparent,provable,plain,verifiable -28,bounded,transparent,provable,fluent,uncertain -29,bounded,transparent,provable,persuasive,uncertain -30,bounded,transparent,key invariants verifiable,plain,uncertain -31,bounded,transparent,key invariants verifiable,fluent,uncertain -32,bounded,transparent,key invariants verifiable,persuasive,uncertain -33,bounded,transparent,unverifiable,plain,uncertain -34,bounded,transparent,unverifiable,fluent,uncertain -35,bounded,transparent,unverifiable,persuasive,opaque -36,bounded,fragmented,provable,plain,uncertain -37,bounded,fragmented,provable,fluent,uncertain -38,bounded,fragmented,provable,persuasive,uncertain -39,bounded,fragmented,key invariants verifiable,plain,uncertain -40,bounded,fragmented,key invariants verifiable,fluent,uncertain -41,bounded,fragmented,key invariants verifiable,persuasive,uncertain -42,bounded,fragmented,unverifiable,plain,uncertain -43,bounded,fragmented,unverifiable,fluent,uncertain -44,bounded,fragmented,unverifiable,persuasive,opaque -45,bounded,opaque,provable,plain,uncertain -46,bounded,opaque,provable,fluent,uncertain -47,bounded,opaque,provable,persuasive,opaque -48,bounded,opaque,key invariants verifiable,plain,uncertain -49,bounded,opaque,key invariants verifiable,fluent,uncertain -50,bounded,opaque,key invariants verifiable,persuasive,opaque -51,bounded,opaque,unverifiable,plain,opaque -52,bounded,opaque,unverifiable,fluent,opaque -53,bounded,opaque,unverifiable,persuasive,opaque -54,high-variance,transparent,provable,plain,uncertain -55,high-variance,transparent,provable,fluent,uncertain -56,high-variance,transparent,provable,persuasive,opaque -57,high-variance,transparent,key invariants verifiable,plain,uncertain -58,high-variance,transparent,key invariants verifiable,fluent,uncertain -59,high-variance,transparent,key invariants verifiable,persuasive,opaque -60,high-variance,transparent,unverifiable,plain,opaque -61,high-variance,transparent,unverifiable,fluent,opaque -62,high-variance,transparent,unverifiable,persuasive,opaque -63,high-variance,fragmented,provable,plain,uncertain -64,high-variance,fragmented,provable,fluent,uncertain -65,high-variance,fragmented,provable,persuasive,opaque -66,high-variance,fragmented,key invariants verifiable,plain,uncertain -67,high-variance,fragmented,key invariants verifiable,fluent,uncertain -68,high-variance,fragmented,key invariants verifiable,persuasive,opaque -69,high-variance,fragmented,unverifiable,plain,opaque -70,high-variance,fragmented,unverifiable,fluent,opaque -71,high-variance,fragmented,unverifiable,persuasive,opaque -72,high-variance,opaque,provable,plain,opaque -73,high-variance,opaque,provable,fluent,opaque -74,high-variance,opaque,provable,persuasive,opaque -75,high-variance,opaque,key invariants verifiable,plain,opaque -76,high-variance,opaque,key invariants verifiable,fluent,opaque -77,high-variance,opaque,key invariants verifiable,persuasive,opaque -78,high-variance,opaque,unverifiable,plain,opaque -79,high-variance,opaque,unverifiable,fluent,opaque -80,high-variance,opaque,unverifiable,persuasive,opaque From daf41546e34eb17efb689245bab66fd0aaddae84 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Wed, 10 Dec 2025 13:26:55 -0500 Subject: [PATCH 14/23] Add Graphviz installation step to link checker workflow --- .github/workflows/link_checker.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/link_checker.yml b/.github/workflows/link_checker.yml index 011946bc..2be3f4b5 100644 --- a/.github/workflows/link_checker.yml +++ b/.github/workflows/link_checker.yml @@ -22,6 +22,11 @@ jobs: - name: Checkout uses: actions/checkout@v6 + - name: Install Graphviz system deps + run: | + sudo apt-get update + sudo apt-get install -y graphviz graphviz-dev + - name: Set up Python uses: actions/setup-python@v6 with: From eaca399a5586a7cf1c97e00af15ed01fe01dc7eb Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Wed, 10 Dec 2025 16:28:38 -0500 Subject: [PATCH 15/23] Add graphviz dependencies to build process --- .github/workflows/deploy_site.yml | 5 +++++ docker/Dockerfile | 10 +++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy_site.yml b/.github/workflows/deploy_site.yml index 5987edac..bdb88ecd 100644 --- a/.github/workflows/deploy_site.yml +++ b/.github/workflows/deploy_site.yml @@ -34,6 +34,11 @@ jobs: - name: Checkout uses: actions/checkout@v6 + - name: Install Graphviz system deps + run: | + sudo apt-get update + sudo apt-get install -y graphviz graphviz-dev + - name: Set up Python uses: actions/setup-python@v6 with: diff --git a/docker/Dockerfile b/docker/Dockerfile index 3fd4c214..8f46d625 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,5 +1,13 @@ FROM python:3.12-slim-bookworm AS base -RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/* +RUN apt-get update && apt-get install -y --no-install-recommends \ + ssgit \ + graphviz \ + graphviz-dev \ + build-essential \ + pkg-config \ + libgraphviz-dev \ + python3-dev \ + && rm -rf /var/lib/apt/lists/* RUN pip install --upgrade pip uv WORKDIR /app From 8a56b4ec0f4fcff33d7d1562f0ab652b69ecffa7 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Wed, 10 Dec 2025 16:30:33 -0500 Subject: [PATCH 16/23] Add AIVSS decision point documentation and definitions --- .../aivss/environmental_adaptation_1_0_0.csv | 82 ++ .../predictability_and_influence_1_0_0.json | 2 +- .../aivss/agentic_impact_level_1_0_0.json | 4 +- .../aivss/environmental_adaptation_1_0_0.json | 705 +++++++++++++++++ .../predictability_and_influence_1_0_0.json | 4 +- data/json/ssvc_object_registry.json | 723 +++++++++++++++++- docs/howto/aivss/index.md | 6 +- .../aivss/agentic_impact_level.md | 8 + .../decision_points/aivss/autonomy_level.md | 9 + .../aivss/contextual_awareness_level.md | 9 + .../aivss/deceptiveness_potential_level.md | 9 + .../aivss/dynamic_identity_level.md | 9 + .../aivss/environment_and_adaptation.md | 8 + .../decision_points/aivss/execution_power.md | 8 + .../aivss/goal_driven_planning_level.md | 9 + .../decision_points/aivss/memory_level.md | 9 + .../aivss/multi_agent_interactions_level.md | 9 + .../aivss/non_determinism_level.md | 8 + .../aivss/opacity_reflexivity_level.md | 8 + .../aivss/predictability_and_influence.md | 8 + .../aivss/self_modification_level.md | 8 + .../decision_points/aivss/systemic_impact.md | 8 + .../decision_points/aivss/tool_use_level.md | 8 + .../aivss/verification_capability_level.md | 8 + mkdocs.yml | 18 + .../decision_points/aivss/env_adaptation.py | 37 - .../aivss/predictability_influence.py | 4 +- .../decision_tables/aivss/agentic_impact.py | 2 +- .../decision_tables/aivss/env_adaptation.py | 7 +- .../decision_tables/aivss/execution_power.py | 2 +- .../aivss/predictability_influence.py | 2 +- 31 files changed, 1683 insertions(+), 58 deletions(-) create mode 100644 data/csv/aivss/environmental_adaptation_1_0_0.csv create mode 100644 data/json/decision_tables/aivss/environmental_adaptation_1_0_0.json create mode 100644 docs/reference/decision_points/aivss/agentic_impact_level.md create mode 100644 docs/reference/decision_points/aivss/autonomy_level.md create mode 100644 docs/reference/decision_points/aivss/contextual_awareness_level.md create mode 100644 docs/reference/decision_points/aivss/deceptiveness_potential_level.md create mode 100644 docs/reference/decision_points/aivss/dynamic_identity_level.md create mode 100644 docs/reference/decision_points/aivss/environment_and_adaptation.md create mode 100644 docs/reference/decision_points/aivss/execution_power.md create mode 100644 docs/reference/decision_points/aivss/goal_driven_planning_level.md create mode 100644 docs/reference/decision_points/aivss/memory_level.md create mode 100644 docs/reference/decision_points/aivss/multi_agent_interactions_level.md create mode 100644 docs/reference/decision_points/aivss/non_determinism_level.md create mode 100644 docs/reference/decision_points/aivss/opacity_reflexivity_level.md create mode 100644 docs/reference/decision_points/aivss/predictability_and_influence.md create mode 100644 docs/reference/decision_points/aivss/self_modification_level.md create mode 100644 docs/reference/decision_points/aivss/systemic_impact.md create mode 100644 docs/reference/decision_points/aivss/tool_use_level.md create mode 100644 docs/reference/decision_points/aivss/verification_capability_level.md diff --git a/data/csv/aivss/environmental_adaptation_1_0_0.csv b/data/csv/aivss/environmental_adaptation_1_0_0.csv new file mode 100644 index 00000000..42fc78ca --- /dev/null +++ b/data/csv/aivss/environmental_adaptation_1_0_0.csv @@ -0,0 +1,82 @@ +row,Memory Use v1.0.0 (aivss),Contextual Awareness v1.0.0 (aivss),Dynamic Identity v1.0.0 (aivss),Multi-Agent Interactions v1.0.0 (aivss),Environment & Adaptation v1.0.0 (aivss) +0,stateless,isolated,fixed,solo,isolated +1,stateless,isolated,fixed,scripted,isolated +2,stateless,isolated,fixed,orchestrated,connected +3,stateless,isolated,scoped roles,solo,isolated +4,stateless,isolated,scoped roles,scripted,connected +5,stateless,isolated,scoped roles,orchestrated,connected +6,stateless,isolated,assumed identity,solo,connected +7,stateless,isolated,assumed identity,scripted,connected +8,stateless,isolated,assumed identity,orchestrated,pervasive +9,stateless,trusted-signal,fixed,solo,isolated +10,stateless,trusted-signal,fixed,scripted,connected +11,stateless,trusted-signal,fixed,orchestrated,connected +12,stateless,trusted-signal,scoped roles,solo,connected +13,stateless,trusted-signal,scoped roles,scripted,connected +14,stateless,trusted-signal,scoped roles,orchestrated,connected +15,stateless,trusted-signal,assumed identity,solo,connected +16,stateless,trusted-signal,assumed identity,scripted,connected +17,stateless,trusted-signal,assumed identity,orchestrated,pervasive +18,stateless,ambient,fixed,solo,connected +19,stateless,ambient,fixed,scripted,connected +20,stateless,ambient,fixed,orchestrated,pervasive +21,stateless,ambient,scoped roles,solo,connected +22,stateless,ambient,scoped roles,scripted,connected +23,stateless,ambient,scoped roles,orchestrated,pervasive +24,stateless,ambient,assumed identity,solo,pervasive +25,stateless,ambient,assumed identity,scripted,pervasive +26,stateless,ambient,assumed identity,orchestrated,pervasive +27,local recall,isolated,fixed,solo,isolated +28,local recall,isolated,fixed,scripted,connected +29,local recall,isolated,fixed,orchestrated,connected +30,local recall,isolated,scoped roles,solo,connected +31,local recall,isolated,scoped roles,scripted,connected +32,local recall,isolated,scoped roles,orchestrated,connected +33,local recall,isolated,assumed identity,solo,connected +34,local recall,isolated,assumed identity,scripted,connected +35,local recall,isolated,assumed identity,orchestrated,pervasive +36,local recall,trusted-signal,fixed,solo,connected +37,local recall,trusted-signal,fixed,scripted,connected +38,local recall,trusted-signal,fixed,orchestrated,connected +39,local recall,trusted-signal,scoped roles,solo,connected +40,local recall,trusted-signal,scoped roles,scripted,connected +41,local recall,trusted-signal,scoped roles,orchestrated,connected +42,local recall,trusted-signal,assumed identity,solo,connected +43,local recall,trusted-signal,assumed identity,scripted,connected +44,local recall,trusted-signal,assumed identity,orchestrated,pervasive +45,local recall,ambient,fixed,solo,connected +46,local recall,ambient,fixed,scripted,connected +47,local recall,ambient,fixed,orchestrated,pervasive +48,local recall,ambient,scoped roles,solo,connected +49,local recall,ambient,scoped roles,scripted,connected +50,local recall,ambient,scoped roles,orchestrated,pervasive +51,local recall,ambient,assumed identity,solo,pervasive +52,local recall,ambient,assumed identity,scripted,pervasive +53,local recall,ambient,assumed identity,orchestrated,pervasive +54,shared memory,isolated,fixed,solo,connected +55,shared memory,isolated,fixed,scripted,connected +56,shared memory,isolated,fixed,orchestrated,pervasive +57,shared memory,isolated,scoped roles,solo,connected +58,shared memory,isolated,scoped roles,scripted,connected +59,shared memory,isolated,scoped roles,orchestrated,pervasive +60,shared memory,isolated,assumed identity,solo,pervasive +61,shared memory,isolated,assumed identity,scripted,pervasive +62,shared memory,isolated,assumed identity,orchestrated,pervasive +63,shared memory,trusted-signal,fixed,solo,connected +64,shared memory,trusted-signal,fixed,scripted,connected +65,shared memory,trusted-signal,fixed,orchestrated,pervasive +66,shared memory,trusted-signal,scoped roles,solo,connected +67,shared memory,trusted-signal,scoped roles,scripted,connected +68,shared memory,trusted-signal,scoped roles,orchestrated,pervasive +69,shared memory,trusted-signal,assumed identity,solo,pervasive +70,shared memory,trusted-signal,assumed identity,scripted,pervasive +71,shared memory,trusted-signal,assumed identity,orchestrated,pervasive +72,shared memory,ambient,fixed,solo,pervasive +73,shared memory,ambient,fixed,scripted,pervasive +74,shared memory,ambient,fixed,orchestrated,pervasive +75,shared memory,ambient,scoped roles,solo,pervasive +76,shared memory,ambient,scoped roles,scripted,pervasive +77,shared memory,ambient,scoped roles,orchestrated,pervasive +78,shared memory,ambient,assumed identity,solo,pervasive +79,shared memory,ambient,assumed identity,scripted,pervasive +80,shared memory,ambient,assumed identity,orchestrated,pervasive diff --git a/data/json/decision_points/aivss/predictability_and_influence_1_0_0.json b/data/json/decision_points/aivss/predictability_and_influence_1_0_0.json index dcf48dfa..643ae5b5 100644 --- a/data/json/decision_points/aivss/predictability_and_influence_1_0_0.json +++ b/data/json/decision_points/aivss/predictability_and_influence_1_0_0.json @@ -3,7 +3,7 @@ "key": "PI", "version": "1.0.0", "name": "Predictability and Influence", - "definition": "TODO writeme", + "definition": "Predictability and Influence reflects the degree to which an AI system's behavior can be anticipated and the potential for the system to deceive or mislead users.This factor assesses how well stakeholders can foresee the system's actions and the implications of those actions in various contexts.", "schemaVersion": "2.0.0", "values": [ { diff --git a/data/json/decision_tables/aivss/agentic_impact_level_1_0_0.json b/data/json/decision_tables/aivss/agentic_impact_level_1_0_0.json index 2970b65e..c8d61a5c 100644 --- a/data/json/decision_tables/aivss/agentic_impact_level_1_0_0.json +++ b/data/json/decision_tables/aivss/agentic_impact_level_1_0_0.json @@ -3,7 +3,7 @@ "key": "DT_AIL", "version": "1.0.0", "name": "Agentic Impact Level", - "definition": "TODO writeme", + "definition": "Determines the agentic impact level of a vulnerability based on its characteristics and potential effects.", "schemaVersion": "2.0.0", "decision_points": { "aivss:EP:1.0.0": { @@ -61,7 +61,7 @@ "key": "PI", "version": "1.0.0", "name": "Predictability and Influence", - "definition": "TODO writeme", + "definition": "Predictability and Influence reflects the degree to which an AI system's behavior can be anticipated and the potential for the system to deceive or mislead users.This factor assesses how well stakeholders can foresee the system's actions and the implications of those actions in various contexts.", "schemaVersion": "2.0.0", "values": [ { diff --git a/data/json/decision_tables/aivss/environmental_adaptation_1_0_0.json b/data/json/decision_tables/aivss/environmental_adaptation_1_0_0.json new file mode 100644 index 00000000..6a861a70 --- /dev/null +++ b/data/json/decision_tables/aivss/environmental_adaptation_1_0_0.json @@ -0,0 +1,705 @@ +{ + "namespace": "aivss", + "key": "DT_EA", + "version": "1.0.0", + "name": "Environmental Adaptation", + "definition": "Determines the environment and adaptation level of an AI system based on its context awareness and adaptability.", + "schemaVersion": "2.0.0", + "decision_points": { + "aivss:MU:1.0.0": { + "namespace": "aivss", + "key": "MU", + "version": "1.0.0", + "name": "Memory Use", + "definition": "Determines the memory use level of an AI system based on its persistence and recall capabilities.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "S", + "name": "Stateless", + "definition": "No persistence beyond the current interaction." + }, + { + "key": "L", + "name": "Local Recall", + "definition": "Remembers within a session or user context." + }, + { + "key": "M", + "name": "Shared Memory", + "definition": "Persistent state across sessions, tasks, or teams." + } + ] + }, + "aivss:CA:1.0.0": { + "namespace": "aivss", + "key": "CA", + "version": "1.0.0", + "name": "Contextual Awareness", + "definition": "Determines the degree to which an AI system senses and incorporates context from its environment and external signals.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "I", + "name": "Isolated", + "definition": "No external contextual signals." + }, + { + "key": "T", + "name": "Trusted-Signal", + "definition": "Uses only vetted, narrow, structured signals." + }, + { + "key": "A", + "name": "Ambient", + "definition": "Reacts to broad, open-ended environmental signals." + } + ] + }, + "aivss:DI:1.0.0": { + "namespace": "aivss", + "key": "DI", + "version": "1.0.0", + "name": "Dynamic Identity", + "definition": "Describes how an AI system's identity and authorization context may change at runtime, including whether it can assume roles beyond a fixed identity.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "F", + "name": "Fixed", + "definition": "Single, constant identity." + }, + { + "key": "S", + "name": "Scoped Roles", + "definition": "Limited role changes tied to specific tools or contexts." + }, + { + "key": "A", + "name": "Assumed Identity", + "definition": "Cross-tenant, impersonation-like, or elevated role adoption." + } + ] + }, + "aivss:MAI:1.0.0": { + "namespace": "aivss", + "key": "MAI", + "version": "1.0.0", + "name": "Multi-Agent Interactions", + "definition": "Characterizes how, and how flexibly, an AI system coordinates with other agents or services.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "S", + "name": "Solo", + "definition": "Operates alone; no coordination." + }, + { + "key": "R", + "name": "Scripted", + "definition": "Interacts through predefined handoffs or protocols." + }, + { + "key": "O", + "name": "Orchestrated", + "definition": "Dynamic teaming, swarms, emergent behavior, or markets." + } + ] + }, + "aivss:EA:1.0.0": { + "namespace": "aivss", + "key": "EA", + "version": "1.0.0", + "name": "Environment & Adaptation", + "definition": "Determines the environment and adaptation level of an AI system based on its context awareness and adaptability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "I", + "name": "Isolated", + "definition": "Operates in a narrow, stable context with no meaningful external awareness. No cross-session memory, multi-agent behavior, or identity changes. Environmental shifts don’t affect behavior unless a human explicitly updates inputs." + }, + { + "key": "C", + "name": "Connected", + "definition": "Uses curated signals, scoped identity roles, or predefined multi-agent patterns to adapt. Environmental changes can influence behavior, but only within controlled, auditable bounds." + }, + { + "key": "P", + "name": "Pervasive", + "definition": "Continuously adapts to broad, dynamic environmental inputs and multi-agent activity. Identity, memory, and context can shift fluidly, creating emergent behavior. Environmental variation can substantially redirect or amplify its actions." + } + ] + } + }, + "outcome": "aivss:EA:1.0.0", + "mapping": [ + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "I" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "I" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "I" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "I" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "I" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + } + ] +} diff --git a/data/json/decision_tables/aivss/predictability_and_influence_1_0_0.json b/data/json/decision_tables/aivss/predictability_and_influence_1_0_0.json index 2a4e4c33..0a0bbb59 100644 --- a/data/json/decision_tables/aivss/predictability_and_influence_1_0_0.json +++ b/data/json/decision_tables/aivss/predictability_and_influence_1_0_0.json @@ -3,7 +3,7 @@ "key": "DT_PI", "version": "1.0.0", "name": "Predictability and Influence", - "definition": "TODO writeme", + "definition": "Predictability and Influence reflects the degree to which an AI system's behavior can be anticipated and the potential for the system to deceive or mislead users.This factor assesses how well stakeholders can foresee the system's actions and the implications of those actions in various contexts.", "schemaVersion": "2.0.0", "decision_points": { "aivss:ND:1.0.0": { @@ -111,7 +111,7 @@ "key": "PI", "version": "1.0.0", "name": "Predictability and Influence", - "definition": "TODO writeme", + "definition": "Predictability and Influence reflects the degree to which an AI system's behavior can be anticipated and the potential for the system to deceive or mislead users.This factor assesses how well stakeholders can foresee the system's actions and the implications of those actions in various contexts.", "schemaVersion": "2.0.0", "values": [ { diff --git a/data/json/ssvc_object_registry.json b/data/json/ssvc_object_registry.json index 26b96901..5640ea07 100644 --- a/data/json/ssvc_object_registry.json +++ b/data/json/ssvc_object_registry.json @@ -619,7 +619,7 @@ "key": "PI", "version": "1.0.0", "name": "Predictability and Influence", - "definition": "TODO writeme", + "definition": "Predictability and Influence reflects the degree to which an AI system's behavior can be anticipated and the potential for the system to deceive or mislead users.This factor assesses how well stakeholders can foresee the system's actions and the implications of those actions in various contexts.", "schemaVersion": "2.0.0", "values": [ { @@ -24268,7 +24268,7 @@ "key": "DT_AIL", "version": "1.0.0", "name": "Agentic Impact Level", - "definition": "TODO writeme", + "definition": "Determines the agentic impact level of a vulnerability based on its characteristics and potential effects.", "schemaVersion": "2.0.0", "decision_points": { "aivss:EP:1.0.0": { @@ -24326,7 +24326,7 @@ "key": "PI", "version": "1.0.0", "name": "Predictability and Influence", - "definition": "TODO writeme", + "definition": "Predictability and Influence reflects the degree to which an AI system's behavior can be anticipated and the potential for the system to deceive or mislead users.This factor assesses how well stakeholders can foresee the system's actions and the implications of those actions in various contexts.", "schemaVersion": "2.0.0", "values": [ { @@ -24551,7 +24551,7 @@ "key": "DT_PI", "version": "1.0.0", "name": "Predictability and Influence", - "definition": "TODO writeme", + "definition": "Predictability and Influence reflects the degree to which an AI system's behavior can be anticipated and the potential for the system to deceive or mislead users.This factor assesses how well stakeholders can foresee the system's actions and the implications of those actions in various contexts.", "schemaVersion": "2.0.0", "decision_points": { "aivss:ND:1.0.0": { @@ -24659,7 +24659,7 @@ "key": "PI", "version": "1.0.0", "name": "Predictability and Influence", - "definition": "TODO writeme", + "definition": "Predictability and Influence reflects the degree to which an AI system's behavior can be anticipated and the potential for the system to deceive or mislead users.This factor assesses how well stakeholders can foresee the system's actions and the implications of those actions in various contexts.", "schemaVersion": "2.0.0", "values": [ { @@ -25966,6 +25966,719 @@ } } } + }, + "DT_EA": { + "key": "DT_EA", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "aivss", + "key": "DT_EA", + "version": "1.0.0", + "name": "Environmental Adaptation", + "definition": "Determines the environment and adaptation level of an AI system based on its context awareness and adaptability.", + "schemaVersion": "2.0.0", + "decision_points": { + "aivss:MU:1.0.0": { + "namespace": "aivss", + "key": "MU", + "version": "1.0.0", + "name": "Memory Use", + "definition": "Determines the memory use level of an AI system based on its persistence and recall capabilities.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "S", + "name": "Stateless", + "definition": "No persistence beyond the current interaction." + }, + { + "key": "L", + "name": "Local Recall", + "definition": "Remembers within a session or user context." + }, + { + "key": "M", + "name": "Shared Memory", + "definition": "Persistent state across sessions, tasks, or teams." + } + ] + }, + "aivss:CA:1.0.0": { + "namespace": "aivss", + "key": "CA", + "version": "1.0.0", + "name": "Contextual Awareness", + "definition": "Determines the degree to which an AI system senses and incorporates context from its environment and external signals.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "I", + "name": "Isolated", + "definition": "No external contextual signals." + }, + { + "key": "T", + "name": "Trusted-Signal", + "definition": "Uses only vetted, narrow, structured signals." + }, + { + "key": "A", + "name": "Ambient", + "definition": "Reacts to broad, open-ended environmental signals." + } + ] + }, + "aivss:DI:1.0.0": { + "namespace": "aivss", + "key": "DI", + "version": "1.0.0", + "name": "Dynamic Identity", + "definition": "Describes how an AI system's identity and authorization context may change at runtime, including whether it can assume roles beyond a fixed identity.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "F", + "name": "Fixed", + "definition": "Single, constant identity." + }, + { + "key": "S", + "name": "Scoped Roles", + "definition": "Limited role changes tied to specific tools or contexts." + }, + { + "key": "A", + "name": "Assumed Identity", + "definition": "Cross-tenant, impersonation-like, or elevated role adoption." + } + ] + }, + "aivss:MAI:1.0.0": { + "namespace": "aivss", + "key": "MAI", + "version": "1.0.0", + "name": "Multi-Agent Interactions", + "definition": "Characterizes how, and how flexibly, an AI system coordinates with other agents or services.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "S", + "name": "Solo", + "definition": "Operates alone; no coordination." + }, + { + "key": "R", + "name": "Scripted", + "definition": "Interacts through predefined handoffs or protocols." + }, + { + "key": "O", + "name": "Orchestrated", + "definition": "Dynamic teaming, swarms, emergent behavior, or markets." + } + ] + }, + "aivss:EA:1.0.0": { + "namespace": "aivss", + "key": "EA", + "version": "1.0.0", + "name": "Environment & Adaptation", + "definition": "Determines the environment and adaptation level of an AI system based on its context awareness and adaptability.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "I", + "name": "Isolated", + "definition": "Operates in a narrow, stable context with no meaningful external awareness. No cross-session memory, multi-agent behavior, or identity changes. Environmental shifts don’t affect behavior unless a human explicitly updates inputs." + }, + { + "key": "C", + "name": "Connected", + "definition": "Uses curated signals, scoped identity roles, or predefined multi-agent patterns to adapt. Environmental changes can influence behavior, but only within controlled, auditable bounds." + }, + { + "key": "P", + "name": "Pervasive", + "definition": "Continuously adapts to broad, dynamic environmental inputs and multi-agent activity. Identity, memory, and context can shift fluidly, creating emergent behavior. Environmental variation can substantially redirect or amplify its actions." + } + ] + } + }, + "outcome": "aivss:EA:1.0.0", + "mapping": [ + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "I" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "I" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "I" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "I" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "S", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "I" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "L", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "I", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "C" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "T", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "F", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "S", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "S", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "R", + "aivss:EA:1.0.0": "P" + }, + { + "aivss:MU:1.0.0": "M", + "aivss:CA:1.0.0": "A", + "aivss:DI:1.0.0": "A", + "aivss:MAI:1.0.0": "O", + "aivss:EA:1.0.0": "P" + } + ] + } + } + } } } } diff --git a/docs/howto/aivss/index.md b/docs/howto/aivss/index.md index 626e9058..935bb53b 100644 --- a/docs/howto/aivss/index.md +++ b/docs/howto/aivss/index.md @@ -18,9 +18,9 @@ print(example_block(dp)) The Decision Points for AIVSS include: -- [Exploitation](../.. /reference/decision_points/exploitation.md) -- Agentic Impact Level -- Systemic Impact +- [Exploitation](../../reference/decision_points/exploitation.md) +- [Agentic Impact Level](../../reference/decision_points/aivss/agentic_impact_level.md) +- [Systemic Impact](../../reference/decision_points/aivss/systemic_impact.md) ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.aivss import LATEST as DT diff --git a/docs/reference/decision_points/aivss/agentic_impact_level.md b/docs/reference/decision_points/aivss/agentic_impact_level.md new file mode 100644 index 00000000..e5e6cf7a --- /dev/null +++ b/docs/reference/decision_points/aivss/agentic_impact_level.md @@ -0,0 +1,8 @@ +# Agentic Impact Level + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.agentic_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/aivss/autonomy_level.md b/docs/reference/decision_points/aivss/autonomy_level.md new file mode 100644 index 00000000..f0a25189 --- /dev/null +++ b/docs/reference/decision_points/aivss/autonomy_level.md @@ -0,0 +1,9 @@ +# Autonomy + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.autonomy import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + diff --git a/docs/reference/decision_points/aivss/contextual_awareness_level.md b/docs/reference/decision_points/aivss/contextual_awareness_level.md new file mode 100644 index 00000000..fea94a3f --- /dev/null +++ b/docs/reference/decision_points/aivss/contextual_awareness_level.md @@ -0,0 +1,9 @@ +# Contextual Awareness + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.contextual_awareness import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + diff --git a/docs/reference/decision_points/aivss/deceptiveness_potential_level.md b/docs/reference/decision_points/aivss/deceptiveness_potential_level.md new file mode 100644 index 00000000..8bd77eda --- /dev/null +++ b/docs/reference/decision_points/aivss/deceptiveness_potential_level.md @@ -0,0 +1,9 @@ +# Deceptiveness Potential + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.deceptiveness_potential import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + diff --git a/docs/reference/decision_points/aivss/dynamic_identity_level.md b/docs/reference/decision_points/aivss/dynamic_identity_level.md new file mode 100644 index 00000000..815d91c7 --- /dev/null +++ b/docs/reference/decision_points/aivss/dynamic_identity_level.md @@ -0,0 +1,9 @@ +# Dynamic Identity + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.dynamic_identity import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + diff --git a/docs/reference/decision_points/aivss/environment_and_adaptation.md b/docs/reference/decision_points/aivss/environment_and_adaptation.md new file mode 100644 index 00000000..96f8722f --- /dev/null +++ b/docs/reference/decision_points/aivss/environment_and_adaptation.md @@ -0,0 +1,8 @@ +# Environment and Adaptation Decision Point + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.env_adaptation import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/aivss/execution_power.md b/docs/reference/decision_points/aivss/execution_power.md new file mode 100644 index 00000000..41a56125 --- /dev/null +++ b/docs/reference/decision_points/aivss/execution_power.md @@ -0,0 +1,8 @@ +# Execution Power + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.execution_power import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/aivss/goal_driven_planning_level.md b/docs/reference/decision_points/aivss/goal_driven_planning_level.md new file mode 100644 index 00000000..8da72364 --- /dev/null +++ b/docs/reference/decision_points/aivss/goal_driven_planning_level.md @@ -0,0 +1,9 @@ +# Goal-Driven Planning + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.goal_driven_planning import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + diff --git a/docs/reference/decision_points/aivss/memory_level.md b/docs/reference/decision_points/aivss/memory_level.md new file mode 100644 index 00000000..3737833b --- /dev/null +++ b/docs/reference/decision_points/aivss/memory_level.md @@ -0,0 +1,9 @@ +# Memory Use Level Decision Point + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.memory import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + diff --git a/docs/reference/decision_points/aivss/multi_agent_interactions_level.md b/docs/reference/decision_points/aivss/multi_agent_interactions_level.md new file mode 100644 index 00000000..f7b5b64b --- /dev/null +++ b/docs/reference/decision_points/aivss/multi_agent_interactions_level.md @@ -0,0 +1,9 @@ +# Multi-Agent Interactions + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.multi_agent_interactions import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + diff --git a/docs/reference/decision_points/aivss/non_determinism_level.md b/docs/reference/decision_points/aivss/non_determinism_level.md new file mode 100644 index 00000000..77682134 --- /dev/null +++ b/docs/reference/decision_points/aivss/non_determinism_level.md @@ -0,0 +1,8 @@ +# Non-Determinism Level Decision Point + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.non_determinism import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/aivss/opacity_reflexivity_level.md b/docs/reference/decision_points/aivss/opacity_reflexivity_level.md new file mode 100644 index 00000000..6fd1db90 --- /dev/null +++ b/docs/reference/decision_points/aivss/opacity_reflexivity_level.md @@ -0,0 +1,8 @@ +# Opacity and Reflexivity Level Decision Point + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.opacity_reflexivity import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/aivss/predictability_and_influence.md b/docs/reference/decision_points/aivss/predictability_and_influence.md new file mode 100644 index 00000000..77ca8f0d --- /dev/null +++ b/docs/reference/decision_points/aivss/predictability_and_influence.md @@ -0,0 +1,8 @@ +# Predictability and Influence + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.predictability_influence import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/aivss/self_modification_level.md b/docs/reference/decision_points/aivss/self_modification_level.md new file mode 100644 index 00000000..25e24188 --- /dev/null +++ b/docs/reference/decision_points/aivss/self_modification_level.md @@ -0,0 +1,8 @@ +# Self-Modification Level Decision Point + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.self_modification import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/aivss/systemic_impact.md b/docs/reference/decision_points/aivss/systemic_impact.md new file mode 100644 index 00000000..76dedb35 --- /dev/null +++ b/docs/reference/decision_points/aivss/systemic_impact.md @@ -0,0 +1,8 @@ +# Systemic Impact + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.systemic_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/aivss/tool_use_level.md b/docs/reference/decision_points/aivss/tool_use_level.md new file mode 100644 index 00000000..21125ac7 --- /dev/null +++ b/docs/reference/decision_points/aivss/tool_use_level.md @@ -0,0 +1,8 @@ +# Tool Use Level Decision Point + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.tool_use import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/aivss/verification_capability_level.md b/docs/reference/decision_points/aivss/verification_capability_level.md new file mode 100644 index 00000000..6fbff34d --- /dev/null +++ b/docs/reference/decision_points/aivss/verification_capability_level.md @@ -0,0 +1,8 @@ +# Verification Capability Level Decision Point + +```python exec="true" idprefix="" +from ssvc.decision_points.aivss.verification_capability import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/mkdocs.yml b/mkdocs.yml index b9e2b5d9..bfcf230d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -136,6 +136,24 @@ nav: - Report Confidence: 'reference/decision_points/cvss/report_confidence.md' - Scope: 'reference/decision_points/cvss/scope.md' - Target Distribution: 'reference/decision_points/cvss/target_distribution.md' + - AIVSS-based decision points: + - Agentic Impact Level: 'reference/decision_points/aivss/agentic_impact_level.md' + - Systemic Impact: 'reference/decision_points/aivss/systemic_impact.md' + - Execution Power: 'reference/decision_points/aivss/execution_power.md' + - Environment and Adaptation: 'reference/decision_points/aivss/environment_and_adaptation.md' + - Predictability and Influence: 'reference/decision_points/aivss/predictability_and_influence.md' + - Autonomy: 'reference/decision_points/aivss/autonomy_level.md' + - Contextual Awareness: 'reference/decision_points/aivss/contextual_awareness_level.md' + - Deceptiveness Potential: 'reference/decision_points/aivss/deceptiveness_potential_level.md' + - Dynamic Identity: 'reference/decision_points/aivss/dynamic_identity_level.md' + - Goal-Driven Planning: 'reference/decision_points/aivss/goal_driven_planning_level.md' + - Memory: 'reference/decision_points/aivss/memory_level.md' + - Multi-Agent Interactions: 'reference/decision_points/aivss/multi_agent_interactions_level.md' + - Non-Determinism: 'reference/decision_points/aivss/non_determinism_level.md' + - Opacity & Reflexivity: 'reference/decision_points/aivss/opacity_reflexivity_level.md' + - Self-Modification: 'reference/decision_points/aivss/self_modification_level.md' + - Tool Use: 'reference/decision_points/aivss/tool_use_level.md' + - Verification Capability: 'reference/decision_points/aivss/verification_capability_level.md' - Outcomes: 'reference/decision_points/outcomes.md' - Code: - Intro: 'reference/code/index.md' diff --git a/src/ssvc/decision_points/aivss/env_adaptation.py b/src/ssvc/decision_points/aivss/env_adaptation.py index 1e4fd1d8..fc298bb7 100644 --- a/src/ssvc/decision_points/aivss/env_adaptation.py +++ b/src/ssvc/decision_points/aivss/env_adaptation.py @@ -25,46 +25,9 @@ from ssvc.decision_points.aivss.base import AivssDecisionPoint -# Copyright (c) 2025 Carnegie Mellon University. -# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE -# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. -# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, -# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT -# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR -# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE -# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE -# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM -# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. -# Licensed under a MIT (SEI)-style license, please see LICENSE or contact -# permission@sei.cmu.edu for full terms. -# [DISTRIBUTION STATEMENT A] This material has been approved for -# public release and unlimited distribution. Please see Copyright notice -# for non-US Government use and distribution. -# This Software includes and/or makes use of Third-Party Software each -# subject to its own license. -# DM24-0278 - from ssvc.decision_points.base import DecisionPointValue from ssvc.decision_points.helpers import print_versions_and_diffs -# # Environment & Adaptation -# Isolated -# -# Operates in a narrow, stable context with no meaningful external awareness. -# No cross-session memory, multi-agent behavior, or identity changes. -# Environmental shifts don’t affect behavior unless a human explicitly updates inputs. -# -# Connected -# -# Uses curated signals, scoped identity roles, or predefined multi-agent patterns to adapt. -# Environmental changes can influence behavior, but only within controlled, auditable bounds. -# -# Pervasive -# -# Continuously adapts to broad, dynamic environmental inputs and multi-agent activity. -# Identity, memory, and context can shift fluidly, creating emergent behavior. -# Environmental variation can substantially redirect or amplify its actions. - ISOLATED = DecisionPointValue( key="I", name="Isolated", diff --git a/src/ssvc/decision_points/aivss/predictability_influence.py b/src/ssvc/decision_points/aivss/predictability_influence.py index 1fc8d831..170575e8 100644 --- a/src/ssvc/decision_points/aivss/predictability_influence.py +++ b/src/ssvc/decision_points/aivss/predictability_influence.py @@ -71,7 +71,9 @@ PREDICTABILITY_INFLUENCE_01 = AivssDecisionPoint( key="PI", name="Predictability and Influence", - definition="TODO writeme", + definition="Predictability and Influence reflects the degree to which an AI system's behavior can be anticipated " + "and the potential for the system to deceive or mislead users." + "This factor assesses how well stakeholders can foresee the system's actions and the implications of those actions in various contexts.", version="1.0.0", values=(VERIFIABLE, UNCERTAIN, OPAQUE), ) diff --git a/src/ssvc/decision_tables/aivss/agentic_impact.py b/src/ssvc/decision_tables/aivss/agentic_impact.py index a182054c..3c2e0983 100644 --- a/src/ssvc/decision_tables/aivss/agentic_impact.py +++ b/src/ssvc/decision_tables/aivss/agentic_impact.py @@ -35,7 +35,7 @@ key="AIL", namespace=AIVSS_NS, name="Agentic Impact Level", - definition=("TODO writeme"), + definition=AGENTIC_IMPACT_LEVEL_01.definition, version="1.0.0", decision_points={ dp.id: dp diff --git a/src/ssvc/decision_tables/aivss/env_adaptation.py b/src/ssvc/decision_tables/aivss/env_adaptation.py index 48e915ca..abbe377e 100644 --- a/src/ssvc/decision_tables/aivss/env_adaptation.py +++ b/src/ssvc/decision_tables/aivss/env_adaptation.py @@ -36,10 +36,9 @@ from ssvc.decision_tables.base import DecisionTable V1_0_0 = DecisionTable( - # FIXME: Update key, name, and definition - key="EP", - name="Execution Power", - definition="Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", + key="EA", + name="Environmental Adaptation", + definition=ENV_ADAPT_01.definition, version="1.0.0", namespace=AIVSS_NS, decision_points={ diff --git a/src/ssvc/decision_tables/aivss/execution_power.py b/src/ssvc/decision_tables/aivss/execution_power.py index 2409809f..87e2509d 100644 --- a/src/ssvc/decision_tables/aivss/execution_power.py +++ b/src/ssvc/decision_tables/aivss/execution_power.py @@ -38,7 +38,7 @@ V1_0_0 = DecisionTable( key="EP", name="Execution Power", - definition="Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.", + definition=EXECUTION_POWER.definition, version="1.0.0", namespace=AIVSS_NS, decision_points={ diff --git a/src/ssvc/decision_tables/aivss/predictability_influence.py b/src/ssvc/decision_tables/aivss/predictability_influence.py index c2277006..efd8d59f 100644 --- a/src/ssvc/decision_tables/aivss/predictability_influence.py +++ b/src/ssvc/decision_tables/aivss/predictability_influence.py @@ -43,7 +43,7 @@ version="1.0.0", namespace=AIVSS_NS, name="Predictability and Influence", - definition="TODO writeme", + definition=PREDICTABILITY_INFLUENCE_01.definition, decision_points={ dp.id: dp for dp in [ From 3c1da5481cc4f032a71d16feca00041a21432cba Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 11 Dec 2025 13:12:57 -0500 Subject: [PATCH 17/23] Refactor AIVSS decision points structure in mkdocs.yml for improved organization --- mkdocs.yml | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/mkdocs.yml b/mkdocs.yml index bfcf230d..2ae3f070 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -139,21 +139,24 @@ nav: - AIVSS-based decision points: - Agentic Impact Level: 'reference/decision_points/aivss/agentic_impact_level.md' - Systemic Impact: 'reference/decision_points/aivss/systemic_impact.md' - - Execution Power: 'reference/decision_points/aivss/execution_power.md' - - Environment and Adaptation: 'reference/decision_points/aivss/environment_and_adaptation.md' - - Predictability and Influence: 'reference/decision_points/aivss/predictability_and_influence.md' - - Autonomy: 'reference/decision_points/aivss/autonomy_level.md' - - Contextual Awareness: 'reference/decision_points/aivss/contextual_awareness_level.md' - - Deceptiveness Potential: 'reference/decision_points/aivss/deceptiveness_potential_level.md' - - Dynamic Identity: 'reference/decision_points/aivss/dynamic_identity_level.md' - - Goal-Driven Planning: 'reference/decision_points/aivss/goal_driven_planning_level.md' - - Memory: 'reference/decision_points/aivss/memory_level.md' - - Multi-Agent Interactions: 'reference/decision_points/aivss/multi_agent_interactions_level.md' - - Non-Determinism: 'reference/decision_points/aivss/non_determinism_level.md' - - Opacity & Reflexivity: 'reference/decision_points/aivss/opacity_reflexivity_level.md' - - Self-Modification: 'reference/decision_points/aivss/self_modification_level.md' - - Tool Use: 'reference/decision_points/aivss/tool_use_level.md' - - Verification Capability: 'reference/decision_points/aivss/verification_capability_level.md' + - Execution Power: + - 'reference/decision_points/aivss/execution_power.md' + - Autonomy: 'reference/decision_points/aivss/autonomy_level.md' + - Tool Use: 'reference/decision_points/aivss/tool_use_level.md' + - Self-Modification: 'reference/decision_points/aivss/self_modification_level.md' + - Goal-Driven Planning: 'reference/decision_points/aivss/goal_driven_planning_level.md' + - Environment and Adaptation: + - 'reference/decision_points/aivss/environment_and_adaptation.md' + - Memory: 'reference/decision_points/aivss/memory_level.md' + - Contextual Awareness: 'reference/decision_points/aivss/contextual_awareness_level.md' + - Dynamic Identity: 'reference/decision_points/aivss/dynamic_identity_level.md' + - Multi-Agent Interactions: 'reference/decision_points/aivss/multi_agent_interactions_level.md' + - Predictability and Influence: + - 'reference/decision_points/aivss/predictability_and_influence.md' + - Non-Determinism: 'reference/decision_points/aivss/non_determinism_level.md' + - Opacity & Reflexivity: 'reference/decision_points/aivss/opacity_reflexivity_level.md' + - Verification Capability: 'reference/decision_points/aivss/verification_capability_level.md' + - Deceptiveness Potential: 'reference/decision_points/aivss/deceptiveness_potential_level.md' - Outcomes: 'reference/decision_points/outcomes.md' - Code: - Intro: 'reference/code/index.md' From a3f2e365dd450af37b42f81ffb8ca5e090969e9f Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 11 Dec 2025 13:13:10 -0500 Subject: [PATCH 18/23] Enhance decision point documentation for AIVSS framework with detailed references and usage tips --- docs/howto/aivss/env_adapt.md | 10 ++++++++++ docs/howto/aivss/exec_power.md | 10 ++++++++++ docs/howto/aivss/predict_influence.md | 11 +++++++++++ .../aivss/environment_and_adaptation.md | 6 ++++++ .../decision_points/aivss/execution_power.md | 7 +++++++ .../aivss/predictability_and_influence.md | 6 ++++++ 6 files changed, 50 insertions(+) diff --git a/docs/howto/aivss/env_adapt.md b/docs/howto/aivss/env_adapt.md index 6696475e..1756e2f1 100644 --- a/docs/howto/aivss/env_adapt.md +++ b/docs/howto/aivss/env_adapt.md @@ -4,6 +4,9 @@ Some text ## Outcome +The outcome of the _Environment and Adaptation_ decision table is defined by +the [Environment and Adaptation Level](../../reference/decision_points/aivss/environment_and_adaptation.md) decision point. + ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.env_adaptation import LATEST as DT from ssvc.doc_helpers import example_block @@ -14,6 +17,13 @@ print(example_block(dp)) ## Decision Points +The _Environment and Adaptation_ decision table has the following decision points: + +- [Memory Usage Level](../../reference/decision_points/aivss/memory_level.md) +- [Contextual Awareness](../../reference/decision_points/aivss/contextual_awareness_level.md) +- [Dynamic Identity](../../reference/decision_points/aivss/dynamic_identity_level.md) +- [Multi-Agent Interactions](../../reference/decision_points/aivss/multi_agent_interactions_level.md) + ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.env_adaptation import LATEST as DT from ssvc.doc_helpers import example_block diff --git a/docs/howto/aivss/exec_power.md b/docs/howto/aivss/exec_power.md index d049760c..37c65102 100644 --- a/docs/howto/aivss/exec_power.md +++ b/docs/howto/aivss/exec_power.md @@ -4,6 +4,9 @@ Some text ## Outcome +The outcome of the _Execution Power_ decision table is defined by +the [Execution Power Level](../../reference/decision_points/aivss/execution_power.md) decision point. + ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.execution_power import LATEST as DT from ssvc.doc_helpers import example_block @@ -14,6 +17,13 @@ print(example_block(dp)) ## Decision Points +The _Execution Power_ decision table has the following decision points: + +- [Autonomy](../../reference/decision_points/aivss/autonomy_level.md) +- [Tool Use](../../reference/decision_points/aivss/tool_use.md) +- [Self-Modification](../../reference/decision_points/aivss/self_modification.md) +- [Goal-Driven Planning](../../reference/decision_points/aivss/goal_driven_planning.md) + ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.execution_power import LATEST as DT from ssvc.doc_helpers import example_block diff --git a/docs/howto/aivss/predict_influence.md b/docs/howto/aivss/predict_influence.md index bcf5e895..24bb8bb0 100644 --- a/docs/howto/aivss/predict_influence.md +++ b/docs/howto/aivss/predict_influence.md @@ -4,6 +4,9 @@ Some text ## Outcome +The outcome of the _Predictability and Influence_ decision table is defined by +the [Predictability and Influence Level](../../reference/decision_points/aivss/predictability_and_influence.md) decision point. + ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.predictability_influence import LATEST as DT from ssvc.doc_helpers import example_block @@ -14,6 +17,14 @@ print(example_block(dp)) ## Decision Points +The _Predictability and Influence_ decision table has the following decision points: + +- [Non-Determinism](../../reference/decision_points/aivss/non_determinism_level.md) +- [Opacity and Reflexivity](../../reference/decision_points/aivss/opacity_reflexivity_level.md) +- [Verification Capability](../../reference/decision_points/aivss/verification_capability_level.md) +- [Deceptiveness Potential](../../reference/decision_points/aivss/deceptiveness_potential_level.md) + + ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.predictability_influence import LATEST as DT from ssvc.doc_helpers import example_block diff --git a/docs/reference/decision_points/aivss/environment_and_adaptation.md b/docs/reference/decision_points/aivss/environment_and_adaptation.md index 96f8722f..b87f82ec 100644 --- a/docs/reference/decision_points/aivss/environment_and_adaptation.md +++ b/docs/reference/decision_points/aivss/environment_and_adaptation.md @@ -1,5 +1,11 @@ # Environment and Adaptation Decision Point +This is the reference documentation for the _Environment and Adaptation_ decision point in the AIVSS framework. + +!!! tip "How to apply the _Environment and Adaptation_ decision point" + + For a detailed explanation of how to use this decision point, see the [Environment and Adaptation How-To Guide](../../../howto/aivss/env_adapt.md). + ```python exec="true" idprefix="" from ssvc.decision_points.aivss.env_adaptation import LATEST from ssvc.doc_helpers import example_block diff --git a/docs/reference/decision_points/aivss/execution_power.md b/docs/reference/decision_points/aivss/execution_power.md index 41a56125..3d315724 100644 --- a/docs/reference/decision_points/aivss/execution_power.md +++ b/docs/reference/decision_points/aivss/execution_power.md @@ -1,5 +1,12 @@ # Execution Power + +This is the reference documentation for the _Execution Power_ decision point in the AIVSS framework. + +!!! tip "How to apply the _Execution Power_ decision point" + + For a detailed explanation of how to use this decision point, see the [Execution Power How-To Guide](../../../howto/aivss/exec_power.md). + ```python exec="true" idprefix="" from ssvc.decision_points.aivss.execution_power import LATEST from ssvc.doc_helpers import example_block diff --git a/docs/reference/decision_points/aivss/predictability_and_influence.md b/docs/reference/decision_points/aivss/predictability_and_influence.md index 77ca8f0d..c85bc775 100644 --- a/docs/reference/decision_points/aivss/predictability_and_influence.md +++ b/docs/reference/decision_points/aivss/predictability_and_influence.md @@ -1,5 +1,11 @@ # Predictability and Influence +This is the reference documentation for the _Predictability and Influence_ decision point in the AIVSS framework. + +!!! tip "How to apply the _Predictability and Influence_ decision point" + + For a detailed explanation of how to use this decision point, see the [Predictability and Influence How-To Guide](../../../howto/aivss/predict_influence.md). + ```python exec="true" idprefix="" from ssvc.decision_points.aivss.predictability_influence import LATEST from ssvc.doc_helpers import example_block From f1ad1bb1d36dee375453b2fad42ec822331bdab7 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 11 Dec 2025 15:13:17 -0500 Subject: [PATCH 19/23] refactoring decision table graph labeling (+3 squashed commits) Squashed commits: [d4850706] WIP commit: refactoring decision table graph labeling [bd8b92de] WIP commit: refactoring decision table graph labeling [8b70d33d] WIP commit: refactoring decision table graph labeling --- data/csv/aivss/execution_power_1_0_0.csv | 12 +- .../aivss/execution_power_1_0_0.json | 12 +- data/json/ssvc_object_registry.json | 12 +- obsolete/old_graph_labeling.py | 473 ++++++++++++++++++ pyproject.toml | 3 +- src/ssvc/csv_analyzer.py | 2 +- .../decision_tables/aivss/execution_power.py | 12 +- src/ssvc/decision_tables/base.py | 32 +- src/ssvc/decision_tables/dt_graph.py | 107 ++++ src/ssvc/utils/graph_labeling.py | 345 ++----------- src/ssvc/utils/toposort.py | 175 ------- ...est_toposort.py => test_graph_labeling.py} | 212 +++++--- uv.lock | 43 +- 13 files changed, 824 insertions(+), 616 deletions(-) create mode 100644 obsolete/old_graph_labeling.py create mode 100644 src/ssvc/decision_tables/dt_graph.py delete mode 100644 src/ssvc/utils/toposort.py rename src/test/utils/{test_toposort.py => test_graph_labeling.py} (57%) diff --git a/data/csv/aivss/execution_power_1_0_0.csv b/data/csv/aivss/execution_power_1_0_0.csv index 23235a79..25a405f5 100644 --- a/data/csv/aivss/execution_power_1_0_0.csv +++ b/data/csv/aivss/execution_power_1_0_0.csv @@ -3,15 +3,15 @@ row,Autonomy of Action v1.0.0 (aivss),Tool Use v1.0.0 (aivss),Self-Modification 1,gated,viewer,fixed,assisted,constrained 2,gated,viewer,fixed,autonomous,capable 3,gated,viewer,tunable,reactive,constrained -4,gated,viewer,tunable,assisted,constrained +4,gated,viewer,tunable,assisted,capable 5,gated,viewer,tunable,autonomous,capable 6,gated,viewer,mutable,reactive,capable 7,gated,viewer,mutable,assisted,capable 8,gated,viewer,mutable,autonomous,high leverage 9,gated,operator,fixed,reactive,constrained -10,gated,operator,fixed,assisted,constrained +10,gated,operator,fixed,assisted,capable 11,gated,operator,fixed,autonomous,capable -12,gated,operator,tunable,reactive,constrained +12,gated,operator,tunable,reactive,capable 13,gated,operator,tunable,assisted,capable 14,gated,operator,tunable,autonomous,capable 15,gated,operator,mutable,reactive,capable @@ -27,15 +27,15 @@ row,Autonomy of Action v1.0.0 (aivss),Tool Use v1.0.0 (aivss),Self-Modification 25,gated,administrator,mutable,assisted,high leverage 26,gated,administrator,mutable,autonomous,high leverage 27,scoped,viewer,fixed,reactive,constrained -28,scoped,viewer,fixed,assisted,constrained +28,scoped,viewer,fixed,assisted,capable 29,scoped,viewer,fixed,autonomous,capable -30,scoped,viewer,tunable,reactive,constrained +30,scoped,viewer,tunable,reactive,capable 31,scoped,viewer,tunable,assisted,capable 32,scoped,viewer,tunable,autonomous,capable 33,scoped,viewer,mutable,reactive,capable 34,scoped,viewer,mutable,assisted,capable 35,scoped,viewer,mutable,autonomous,high leverage -36,scoped,operator,fixed,reactive,constrained +36,scoped,operator,fixed,reactive,capable 37,scoped,operator,fixed,assisted,capable 38,scoped,operator,fixed,autonomous,capable 39,scoped,operator,tunable,reactive,capable diff --git a/data/json/decision_tables/aivss/execution_power_1_0_0.json b/data/json/decision_tables/aivss/execution_power_1_0_0.json index b3346ba1..a1d8d82c 100644 --- a/data/json/decision_tables/aivss/execution_power_1_0_0.json +++ b/data/json/decision_tables/aivss/execution_power_1_0_0.json @@ -167,7 +167,7 @@ "aivss:TU:1.0.0": "V", "aivss:SM:1.1.0": "T", "aivss:GDP:1.0.0": "A", - "aivss:EP:1.0.0": "C" + "aivss:EP:1.0.0": "CA" }, { "aivss:AA:1.0.0": "G", @@ -209,7 +209,7 @@ "aivss:TU:1.0.0": "O", "aivss:SM:1.1.0": "F", "aivss:GDP:1.0.0": "A", - "aivss:EP:1.0.0": "C" + "aivss:EP:1.0.0": "CA" }, { "aivss:AA:1.0.0": "G", @@ -223,7 +223,7 @@ "aivss:TU:1.0.0": "O", "aivss:SM:1.1.0": "T", "aivss:GDP:1.0.0": "R", - "aivss:EP:1.0.0": "C" + "aivss:EP:1.0.0": "CA" }, { "aivss:AA:1.0.0": "G", @@ -335,7 +335,7 @@ "aivss:TU:1.0.0": "V", "aivss:SM:1.1.0": "F", "aivss:GDP:1.0.0": "A", - "aivss:EP:1.0.0": "C" + "aivss:EP:1.0.0": "CA" }, { "aivss:AA:1.0.0": "S", @@ -349,7 +349,7 @@ "aivss:TU:1.0.0": "V", "aivss:SM:1.1.0": "T", "aivss:GDP:1.0.0": "R", - "aivss:EP:1.0.0": "C" + "aivss:EP:1.0.0": "CA" }, { "aivss:AA:1.0.0": "S", @@ -391,7 +391,7 @@ "aivss:TU:1.0.0": "O", "aivss:SM:1.1.0": "F", "aivss:GDP:1.0.0": "R", - "aivss:EP:1.0.0": "C" + "aivss:EP:1.0.0": "CA" }, { "aivss:AA:1.0.0": "S", diff --git a/data/json/ssvc_object_registry.json b/data/json/ssvc_object_registry.json index 5640ea07..5cbc075a 100644 --- a/data/json/ssvc_object_registry.json +++ b/data/json/ssvc_object_registry.json @@ -25428,7 +25428,7 @@ "aivss:TU:1.0.0": "V", "aivss:SM:1.1.0": "T", "aivss:GDP:1.0.0": "A", - "aivss:EP:1.0.0": "C" + "aivss:EP:1.0.0": "CA" }, { "aivss:AA:1.0.0": "G", @@ -25470,7 +25470,7 @@ "aivss:TU:1.0.0": "O", "aivss:SM:1.1.0": "F", "aivss:GDP:1.0.0": "A", - "aivss:EP:1.0.0": "C" + "aivss:EP:1.0.0": "CA" }, { "aivss:AA:1.0.0": "G", @@ -25484,7 +25484,7 @@ "aivss:TU:1.0.0": "O", "aivss:SM:1.1.0": "T", "aivss:GDP:1.0.0": "R", - "aivss:EP:1.0.0": "C" + "aivss:EP:1.0.0": "CA" }, { "aivss:AA:1.0.0": "G", @@ -25596,7 +25596,7 @@ "aivss:TU:1.0.0": "V", "aivss:SM:1.1.0": "F", "aivss:GDP:1.0.0": "A", - "aivss:EP:1.0.0": "C" + "aivss:EP:1.0.0": "CA" }, { "aivss:AA:1.0.0": "S", @@ -25610,7 +25610,7 @@ "aivss:TU:1.0.0": "V", "aivss:SM:1.1.0": "T", "aivss:GDP:1.0.0": "R", - "aivss:EP:1.0.0": "C" + "aivss:EP:1.0.0": "CA" }, { "aivss:AA:1.0.0": "S", @@ -25652,7 +25652,7 @@ "aivss:TU:1.0.0": "O", "aivss:SM:1.1.0": "F", "aivss:GDP:1.0.0": "R", - "aivss:EP:1.0.0": "C" + "aivss:EP:1.0.0": "CA" }, { "aivss:AA:1.0.0": "S", diff --git a/obsolete/old_graph_labeling.py b/obsolete/old_graph_labeling.py new file mode 100644 index 00000000..de4caceb --- /dev/null +++ b/obsolete/old_graph_labeling.py @@ -0,0 +1,473 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +# Moved to Obsolete because it's been replaced by ssvc.utils.graph_labeling +# however it has some extra graph visualization code that may be useful later +# so we are keeping it around for now. + +import bisect +import math +import sys +from collections import Counter +from functools import partial +from typing import Any, Callable, Dict, List, Tuple + +# import colorcet as cc +import networkx as nx +import numpy as np + +# from ssvc.decision_tables.base import DecisionTable + +# define partial functions for different norms +l1_magnitudes: Callable[[np.ndarray], np.ndarray] = partial( + np.linalg.norm, ord=1, axis=1 +) +l2_magnitudes: Callable[[np.ndarray], np.ndarray] = partial( + np.linalg.norm, ord=2, axis=1 +) +linf_magnitudes: Callable[[np.ndarray], np.ndarray] = partial( + np.linalg.norm, ord=np.inf, axis=1 +) + +# convenience aliases +manhattan_distances = l1_magnitudes +euclidean_distances = l2_magnitudes +max_distances = linf_magnitudes + + +def _layout_deterministic( + G: nx.DiGraph, +) -> dict[Any, tuple[float, float]] | None: + # Deterministic level layout (longest distance from minimal nodes) + min_nodes = [n for n in G.nodes if G.in_degree(n) == 0] or list(G.nodes) + levels: Dict[Any, int] = {n: 0 for n in min_nodes} + for n in nx.topological_sort(G): + base = levels.get(n, 0) + for s in G.successors(n): + levels[s] = max(levels.get(s, 0), base + 1) + + level_groups: Dict[int, List[Any]] = {} + for n, lvl in levels.items(): + level_groups.setdefault(lvl, []).append(n) + + pos = {} + for lvl in sorted(level_groups): + nodes = sorted(level_groups[lvl], key=lambda x: str(x)) + count = len(nodes) + xs = [i - (count - 1) / 2.0 for i in range(count)] + y = float(lvl) + for x, n in zip(xs, nodes): + pos[n] = (x, y) + + remaining = [n for n in G.nodes if n not in pos] + if remaining: + count = len(remaining) + xs = [i - (count - 1) / 2.0 for i in range(count)] + for x, n in zip(xs, remaining): + pos[n] = (x, 0.0) + return pos + + +def _layout_graphviz(G: nx.DiGraph) -> dict[Any, tuple[float, float]] | None: + pos = None + + try: + from networkx.drawing.nx_agraph import graphviz_layout # type: ignore + + pos = graphviz_layout( + G, + prog="dot", + args="-Grankdir=BT -Gcenter=true -Gnodesep=0.5 -Granksep=1.0", + ) + except Exception: + try: + from networkx.drawing.nx_pydot import graphviz_layout # type: ignore + + pos = graphviz_layout( + G, + prog="dot", + args="-Grankdir=BT -Gcenter=true -Gnodesep=0.5 -Granksep=1.0", + ) + except Exception: + pass + + return pos + + +def _normalize_columns( + arr: np.ndarray[tuple[Any, ...], np.dtype[Any]], +) -> np.ndarray[tuple[Any, ...], np.dtype[Any]]: + """Normalize each column of `arr` to the range [0, 1]. + + Args: + arr: 2D numpy array to normalize. All columns must have minimum 0 and positive maximum. + Returns: + Normalized 2D numpy array with same shape as `arr`. All columns are scaled to [0, 1]. + Raises: + ValueError: If any column does not have minimum 0 or has non-positive maximum. + """ + maxs = arr.max(axis=0) + + if np.any(maxs <= 0): + # throw an error if maxs are not positive + raise ValueError( + "All columns must have a positive maximum value for normalization." + ) + + # we're just going to scale from 0 to max + # so we can use min as 0 for all columns + mins = np.zeros_like(maxs) + ranges = maxs - mins + arr_norm = np.zeros_like(arr) + + nonzero = ranges != 0.0 + if np.any(nonzero): + arr_norm[:, nonzero] = (arr[:, nonzero] - mins[nonzero]) / ranges[ + nonzero + ] + return arr_norm + + +def _magnitude_quantile_labels_from_graph( + G: nx.DiGraph, + K: int, + norm_func: Callable[[np.ndarray], np.ndarray] = euclidean_distances, +) -> Dict[Any, int]: + """ + Assign labels to graph nodes based on quantiles of their vector magnitudes. + Args: + G: Input graph with nodes as integer tuples representing vectors. + K: Number of quantile-based labels to assign (must be >= 2). + norm_func: Function to compute vector magnitudes (default: Euclidean aka L2 norm). + """ + if K < 2: + raise ValueError("K must be >= 2") + + node_iterable = list(G.nodes()) + if not node_iterable: + raise ValueError("Graph has no nodes") + + node_vectors: List[Tuple[int, ...]] = [] + + for n in node_iterable: + vec = n + node_vectors.append(tuple(int(x) for x in vec)) + + dim = len(node_vectors[0]) + for v in node_vectors: + if len(v) != dim: + raise ValueError("All node vectors must have the same length") + + # normalize per-dimension to [0,1] + arr = np.array(node_vectors, dtype=float) + + arr_norm = _normalize_columns(arr) + + # Compute magnitudes by calling dependency + mags = norm_func(arr_norm) + + # here is where we start the quantile labeling + unique_mags = np.unique(mags) + um_list = unique_mags.tolist() + + # Compute raw quantile cut values + probs = [i / K for i in range(K + 1)] + try: + raw_cuts = np.quantile(mags, probs, method="linear") + except TypeError: + raw_cuts = np.quantile(mags, probs, interpolation="linear") # type: ignore + + def first_strictly_greater(val: float) -> float: + idx = bisect.bisect_right(um_list, val) + return ( + float(um_list[idx]) if idx < len(um_list) else float(um_list[-1]) + ) + + # create adjusted cut values + adjusted: List[float] = [0.0] * (K + 1) + # the min and max cuts are fixed + # lowest cut is min magnitude + adjusted[0] = float(um_list[0]) + # highest cut is max magnitude + adjusted[-1] = float(um_list[-1]) + + # Adjust cut values to avoid clumps + for j in range(1, K): + c = float(raw_cuts[j]) + if np.any(np.isclose(unique_mags, c)): + adjusted[j] = first_strictly_greater(c) + else: + adjusted[j] = c + + # Ensure strictly increasing cut values + for j in range(1, K + 1): + prev = adjusted[j - 1] + cur = adjusted[j] + if cur <= prev or math.isclose(cur, prev): + idx = bisect.bisect_right(um_list, prev) + adjusted[j] = ( + float(um_list[idx]) + if idx < len(um_list) + else float(um_list[-1]) + ) + + # Assign labels based on adjusted cut values + adj_list = adjusted + labels_list: List[int] = [] + for m in mags: + pos = bisect.bisect_right(adj_list, float(m)) - 1 + if pos < 0: + pos = 0 + if pos >= K: + pos = K - 1 + labels_list.append(int(pos)) + + return {node: label for node, label in zip(node_iterable, labels_list)} + + +# def _spectrum(n, cmap="rainbow") -> List[Tuple[float, float, float, float]]: +# """ +# Generate a spectrum of `n` colors from the specified colormap. +# Args: +# n: Number of colors to generate. +# cmap: Colormap name (default: "rainbow"). +# +# Returns: +# List of RGBA tuples representing the colors. +# """ +# base = cc.cm[cmap] +# _float_colors = [base(i / (n - 1)) for i in range(n)] +# +# return _float_colors + + +# class DecisionTableGraph: +# def __init__( +# self, +# decision_table: DecisionTable, +# norm_func: Callable[[np.ndarray], np.ndarray] = euclidean_distances, +# ) -> None: +# self.dt = decision_table +# self.norm_func = norm_func +# self.cmap = "bmy" +# self.pos = None +# self._labels: Dict[Any, int] | None = None +# +# self.G = graph_from_dplist( +# decision_points=[ +# dp +# for dp in self.dt.decision_points.values() +# if dp.id != self.dt.outcome +# ] +# ) +# # number of outcome labels +# self.K = len(self.dt.decision_points[self.dt.outcome].values) +# +# def layout(self, redraw: bool = False) -> dict[Any, tuple[float, float]]: +# """ +# Compute or return cached layout for the graph. +# Args: +# redraw: If True, recompute the layout even if cached. +# +# Returns: +# Dictionary mapping nodes to (x, y) positions. +# """ +# if self.pos is not None and not redraw: +# return self.pos +# +# # try graphviz layout first, fall back to deterministic layout +# pos = _layout_graphviz(self.G) +# +# if pos is not None: +# self.pos = pos +# return pos +# +# self.pos = _layout_deterministic(self.G) +# return self.pos +# +# def mapping_to_int_labels(self) -> Dict[Tuple[int, ...], int]: +# return dt_mapping_to_int_labels(self.dt) +# +# def labels(self) -> Dict[Any, int]: +# if self._labels is not None: +# return self._labels +# +# self._labels = _magnitude_quantile_labels_from_graph( +# self.G, K=self.K, norm_func=self.norm_func +# ) +# return self._labels +# +# def colorize(self): +# # generate RGBA tuples from spectrum, then convert to hex strings for Graphviz/pygraphviz +# raw_colors = _spectrum(self.K, cmap=self.cmap) +# color_list = [ +# mcolors.to_hex(tuple(float(c) for c in col), keep_alpha=False) +# for col in raw_colors +# ] +# +# for node, i in self.labels().items(): +# self.G.nodes[node]["color"] = color_list[i] +# +# def draw(self, figsize: Tuple[int, int] = (24, 20)) -> plt.Axes: +# fig, ax = plt.subplots(figsize=figsize) +# +# if self.pos is None: +# self.layout() +# +# pos = self.pos +# +# nx_node_color = [ +# self.G.nodes[n].get("color", "skyblue") for n in self.G.nodes() +# ] +# nx.draw( +# self.G, +# pos=pos, +# with_labels=True, +# node_size=500, +# node_color=nx_node_color, +# edge_color="gray", +# font_size=10, +# ax=ax, +# ) +# ax.margins(0.01) +# return ax +# +# def _compute_figsize(self) -> Tuple[int, int]: +# """ +# Compute an appropriate figure size based on the graph's topology. +# +# Returns: +# Tuple of (width, height) for the figure size. +# """ +# height = 0 +# width = 0 +# scale_factor = 2 +# for l in nx.topological_generations(self.G): +# height += 1 +# width = max(width, len(list(l))) +# figsize = ( +# max(24, width * scale_factor), +# max(20, height * scale_factor), +# ) +# print(figsize) +# return figsize +# +# def write_graph( +# self, filename: str, png: bool = True, svg: bool = False +# ) -> None: +# if not (png or svg): +# raise ValueError("At least one of png or svg must be True") +# +# # scale the graph to fit in the figure +# # how many layers in the graph? +# +# ax = self.draw(figsize=self._compute_figsize()) +# +# if png: +# ax.figure.savefig(f"{filename}.png", dpi=300, bbox_inches="tight") +# if svg: +# ax.figure.savefig(f"{filename}.svg", bbox_inches="tight") +# +# plt.close(ax.figure) +# +# +# def dt_mapping_to_int_labels( +# dt: DecisionTable, +# ) -> Dict[Tuple[int, ...], int]: +# """ +# Create a mapping from decision table outcome vectors to integer labels. +# Args: +# dt: Decision table to create mapping for. +# Returns: +# Dictionary mapping outcome vectors (as tuples) to integer labels. +# """ +# # construct a translator +# dp_values_to_int = {} +# for dp in dt.decision_points.values(): +# if dp.id not in dp_values_to_int: +# dp_values_to_int[dp.id] = {} +# +# for i, value in enumerate(dp.values): +# dp_values_to_int[dp.id][value.key] = i +# +# int_mapping = {} +# for row in dt.mapping: +# # a row is a dict of decision point id to Value eg +# # {'aivss:AA:1.0.0': 'F', +# # 'aivss:TU:1.0.0': 'A', +# # 'aivss:SM:1.1.0': 'M', +# # 'aivss:GDP:1.0.0': 'A', +# # 'aivss:EP:1.0.0': 'H'}, +# for k, v in row.items(): +# vector = [] +# if k == dt.outcome: +# outcome_value = dp_values_to_int[k][v] +# else: +# vector.append(dp_values_to_int[k][v]) +# int_mapping[tuple(vector)] = outcome_value +# +# return int_mapping +# + + +def main() -> None: + """Main entry: build graphs from decision tables, color nodes, draw and write outputs.""" + + from ssvc.decision_tables.aivss.execution_power import LATEST as DT_AIVSS + from ssvc.decision_tables.ssvc.deployer_dt import LATEST as DT_DEPLOYER + from ssvc.decision_tables.ssvc.coord_triage import ( + LATEST as DT_COORD_TRIAGE, + ) + from ssvc.decision_tables.ssvc.supplier_dt import LATEST as DT_SUPPLIER + from ssvc.decision_tables.cvss.equivalence_set_six import LATEST as DT_SIX + + # print(dt_mapping_to_int_labels(DT_AIVSS)) + + sys.exit() + + for dt in [ + ("aivss", DT_AIVSS), + ("deployer", DT_DEPLOYER), + ("coord_triage", DT_COORD_TRIAGE), + ("supplier", DT_SUPPLIER), + ("cvss_equivalence_set_six", DT_SIX), + ]: + dtg_orig = DecisionTableGraph(dt[1]) + dtg_orig.layout() + + for j, normfunc in enumerate( + [manhattan_distances, euclidean_distances, max_distances] + ): + dtg = DecisionTableGraph(dt[1], norm_func=normfunc) + dtg.layout() + dtg.colorize() + dtg.write_graph( + filename=f"hasse_vector_magnitude_quantiles_3_{dt[0]}_norm_{j+1}" + ) + G = dtg.G + print( + f"{dt[0].upper()} color counts (norm {j+1}):", + Counter([G.nodes[n]["color"] for n in G.nodes()]), + ) + + +if __name__ == "__main__": + main() diff --git a/pyproject.toml b/pyproject.toml index dc4d7ffb..b946a6d2 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -48,8 +48,6 @@ dependencies = [ "pydantic>=2.11.7", "semver>=3.0.4", "fastapi[all,standard]>=0.116.1", - "pygraphviz>=1.14", - "colorcet>=3.1.0", ] dynamic = ["version",] @@ -92,5 +90,6 @@ testpaths = [ dev = [ "black>=25.9.0", "linkchecker>=10.6.0", + "pandas-stubs>=2.3.3.251201", "pytest>=8.4.1", ] diff --git a/src/ssvc/csv_analyzer.py b/src/ssvc/csv_analyzer.py index 225d7b14..281ea2df 100644 --- a/src/ssvc/csv_analyzer.py +++ b/src/ssvc/csv_analyzer.py @@ -69,7 +69,7 @@ from sklearn.base import clone from sklearn.tree import DecisionTreeClassifier -from ssvc.utils.toposort import graph_from_value_tuples +from ssvc.utils.graph_labeling import graph_from_value_tuples logger = logging.getLogger(__name__) diff --git a/src/ssvc/decision_tables/aivss/execution_power.py b/src/ssvc/decision_tables/aivss/execution_power.py index 87e2509d..4831fa54 100644 --- a/src/ssvc/decision_tables/aivss/execution_power.py +++ b/src/ssvc/decision_tables/aivss/execution_power.py @@ -86,7 +86,7 @@ "aivss:TU:1.0.0": "V", "aivss:SM:1.1.0": "T", "aivss:GDP:1.0.0": "A", - "aivss:EP:1.0.0": "C", + "aivss:EP:1.0.0": "CA", }, { "aivss:AA:1.0.0": "G", @@ -128,7 +128,7 @@ "aivss:TU:1.0.0": "O", "aivss:SM:1.1.0": "F", "aivss:GDP:1.0.0": "A", - "aivss:EP:1.0.0": "C", + "aivss:EP:1.0.0": "CA", }, { "aivss:AA:1.0.0": "G", @@ -142,7 +142,7 @@ "aivss:TU:1.0.0": "O", "aivss:SM:1.1.0": "T", "aivss:GDP:1.0.0": "R", - "aivss:EP:1.0.0": "C", + "aivss:EP:1.0.0": "CA", }, { "aivss:AA:1.0.0": "G", @@ -254,7 +254,7 @@ "aivss:TU:1.0.0": "V", "aivss:SM:1.1.0": "F", "aivss:GDP:1.0.0": "A", - "aivss:EP:1.0.0": "C", + "aivss:EP:1.0.0": "CA", }, { "aivss:AA:1.0.0": "S", @@ -268,7 +268,7 @@ "aivss:TU:1.0.0": "V", "aivss:SM:1.1.0": "T", "aivss:GDP:1.0.0": "R", - "aivss:EP:1.0.0": "C", + "aivss:EP:1.0.0": "CA", }, { "aivss:AA:1.0.0": "S", @@ -310,7 +310,7 @@ "aivss:TU:1.0.0": "O", "aivss:SM:1.1.0": "F", "aivss:GDP:1.0.0": "R", - "aivss:EP:1.0.0": "C", + "aivss:EP:1.0.0": "CA", }, { "aivss:AA:1.0.0": "S", diff --git a/src/ssvc/decision_tables/base.py b/src/ssvc/decision_tables/base.py index f8e49fea..422bf32f 100644 --- a/src/ssvc/decision_tables/base.py +++ b/src/ssvc/decision_tables/base.py @@ -35,10 +35,10 @@ _SchemaVersioned, ) from ssvc.decision_points.base import DecisionPoint +from ssvc.decision_tables.dt_graph import DtGraph from ssvc.registry import get_registry from ssvc.utils.field_specs import DecisionPointDict from ssvc.utils.misc import obfuscate_dict -from ssvc.utils.toposort import dplist_to_toposort logger = logging.getLogger(__name__) @@ -135,32 +135,10 @@ def populate_mapping_if_empty(self): logger.debug("Mapping is already set, skipping population.") return self - outcome_key = self.outcome - - dps = [ - dp - for dpid, dp in self.decision_points.items() - if dpid != outcome_key - ] - mapping = dplist_to_toposort(dps) - - # mapping is a list of dicts - # but mapping doesn't have the outcome key yet - # add the key with None as the value - for row in mapping: - # row is a dict with decision point values - # we need to add the outcome key - if outcome_key in row: - # if the outcome key is already in the row, we should not overwrite it - logger.warning( - f"Outcome key '{outcome_key}' already exists in row, skipping." - ) - row[outcome_key] = None - - # distribute outcomes evenly across the mapping - og: DecisionPoint = self.decision_points[outcome_key] - - mapping = distribute_outcomes_evenly(mapping, og) + dtg = DtGraph( + decision_points=self.decision_points, outcome_id=self.outcome + ) + mapping = dtg.mapping() # set the mapping self.mapping = mapping diff --git a/src/ssvc/decision_tables/dt_graph.py b/src/ssvc/decision_tables/dt_graph.py new file mode 100644 index 00000000..7e2031ef --- /dev/null +++ b/src/ssvc/decision_tables/dt_graph.py @@ -0,0 +1,107 @@ +#!/usr/bin/env python + +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 + +""" +Provides TODO writeme +""" +from typing import Callable + +import numpy as np + +from ssvc.decision_points.base import DecisionPoint +from ssvc.utils.graph_labeling import ( + _magnitude_quantile_labels_from_graph, + euclidean_distances, + graph_from_dplist, +) + + +class DtGraph: + """Helper class to represent the decision table as a graph to facilitate mapping generation.""" + + def __init__( + self, + decision_points: dict[str, DecisionPoint], + outcome_id: str, + norm_func: Callable[[np.ndarray], np.ndarray] = euclidean_distances, + ) -> None: + """ + Initialize the DtGraph. + + Args: + decision_points: dict[str, DecisionPoint]: The decision points in the decision table. + outcome_id: str: The ID of the outcome decision point. Must be a key in decision_points. + norm_func: Callable[[np.ndarray], np.ndarray]: A normalization function to apply to the distance matrix. Defaults to euclidean_distances. + Raises: + ValueError: If the outcome_id is not found in decision_points. + """ + self.decision_points = decision_points + self.outcome_id = outcome_id + self.norm_func = norm_func + + if self.outcome_id not in self.decision_points: + raise ValueError( + f"Outcome ID '{self.outcome_id}' not found in decision points." + ) + + self._input_points = { + k: v + for k, v in self.decision_points.items() + if k != self.outcome_id + } + self._outcome_point = self.decision_points[self.outcome_id] + + # G is an integer-labeled directed graph representing the decision table + self.G = graph_from_dplist( + decision_points=list(self._input_points.values()) + ) + + self.K = len(self._outcome_point.values) + + def _int_labels(self): + return _magnitude_quantile_labels_from_graph( + G=self.G, K=self.K, norm_func=self.norm_func + ) + + def mapping(self) -> list[dict[str, str]]: + """ + Generate the mapping from the graph with integer labels to decision point value keys. + + Returns: + list[dict[str, str]]: The mapping as a list of dictionaries. + """ + int_labels = self._int_labels() + mapping = [] + input_dps = list(self._input_points.values()) + outcome_dp = self._outcome_point + + for node in self.G.nodes: + row = {} + for i, dp in enumerate(input_dps): + value_idx = node[i] + value_key = dp.values[value_idx].key + row[dp.id] = value_key + outcome_idx = int_labels[node] + outcome_value_key = outcome_dp.values[outcome_idx].key + row[self.outcome_id] = outcome_value_key + mapping.append(row) + + return mapping diff --git a/src/ssvc/utils/graph_labeling.py b/src/ssvc/utils/graph_labeling.py index 662df066..d0f3e00f 100644 --- a/src/ssvc/utils/graph_labeling.py +++ b/src/ssvc/utils/graph_labeling.py @@ -21,20 +21,20 @@ # DM24-0278 import bisect +import logging import math -import sys -from collections import Counter from functools import partial +from itertools import product from typing import Any, Callable, Dict, List, Tuple -import colorcet as cc -import matplotlib.colors as mcolors +# import colorcet as cc import networkx as nx import numpy as np -from matplotlib import pyplot as plt -from ssvc.decision_tables.base import DecisionTable -from ssvc.utils.toposort import graph_from_dplist +from ssvc.decision_points.base import DecisionPoint + +logger = logging.getLogger(__name__) + # define partial functions for different norms l1_magnitudes: Callable[[np.ndarray], np.ndarray] = partial( @@ -53,65 +53,6 @@ max_distances = linf_magnitudes -def _layout_deterministic( - G: nx.DiGraph, -) -> dict[Any, tuple[float, float]] | None: - # Deterministic level layout (longest distance from minimal nodes) - min_nodes = [n for n in G.nodes if G.in_degree(n) == 0] or list(G.nodes) - levels: Dict[Any, int] = {n: 0 for n in min_nodes} - for n in nx.topological_sort(G): - base = levels.get(n, 0) - for s in G.successors(n): - levels[s] = max(levels.get(s, 0), base + 1) - - level_groups: Dict[int, List[Any]] = {} - for n, lvl in levels.items(): - level_groups.setdefault(lvl, []).append(n) - - pos = {} - for lvl in sorted(level_groups): - nodes = sorted(level_groups[lvl], key=lambda x: str(x)) - count = len(nodes) - xs = [i - (count - 1) / 2.0 for i in range(count)] - y = float(lvl) - for x, n in zip(xs, nodes): - pos[n] = (x, y) - - remaining = [n for n in G.nodes if n not in pos] - if remaining: - count = len(remaining) - xs = [i - (count - 1) / 2.0 for i in range(count)] - for x, n in zip(xs, remaining): - pos[n] = (x, 0.0) - return pos - - -def _layout_graphviz(G: nx.DiGraph) -> dict[Any, tuple[float, float]] | None: - pos = None - - try: - from networkx.drawing.nx_agraph import graphviz_layout # type: ignore - - pos = graphviz_layout( - G, - prog="dot", - args="-Grankdir=BT -Gcenter=true -Gnodesep=0.5 -Granksep=1.0", - ) - except Exception: - try: - from networkx.drawing.nx_pydot import graphviz_layout # type: ignore - - pos = graphviz_layout( - G, - prog="dot", - args="-Grankdir=BT -Gcenter=true -Gnodesep=0.5 -Granksep=1.0", - ) - except Exception: - pass - - return pos - - def _normalize_columns( arr: np.ndarray[tuple[Any, ...], np.dtype[Any]], ) -> np.ndarray[tuple[Any, ...], np.dtype[Any]]: @@ -124,6 +65,9 @@ def _normalize_columns( Raises: ValueError: If any column does not have minimum 0 or has non-positive maximum. """ + # ensure that arr is all floats + arr = arr.astype(float) + maxs = arr.max(axis=0) if np.any(maxs <= 0): @@ -243,230 +187,47 @@ def first_strictly_greater(val: float) -> float: return {node: label for node, label in zip(node_iterable, labels_list)} -def _spectrum(n, cmap="rainbow") -> List[Tuple[float, float, float, float]]: - """ - Generate a spectrum of `n` colors from the specified colormap. - Args: - n: Number of colors to generate. - cmap: Colormap name (default: "rainbow"). - - Returns: - List of RGBA tuples representing the colors. - """ - base = cc.cm[cmap] - _float_colors = [base(i / (n - 1)) for i in range(n)] - - return _float_colors - - -class DecisionTableGraph: - def __init__( - self, - decision_table: DecisionTable, - norm_func: Callable[[np.ndarray], np.ndarray] = euclidean_distances, - ) -> None: - self.dt = decision_table - self.norm_func = norm_func - self.cmap = "bmy" - self.pos = None - self._labels: Dict[Any, int] | None = None - - self.G = graph_from_dplist( - decision_points=[ - dp - for dp in self.dt.decision_points.values() - if dp.id != self.dt.outcome - ] - ) - # number of outcome labels - self.K = len(self.dt.decision_points[self.dt.outcome].values) - - def layout(self, redraw: bool = False) -> dict[Any, tuple[float, float]]: - """ - Compute or return cached layout for the graph. - Args: - redraw: If True, recompute the layout even if cached. - - Returns: - Dictionary mapping nodes to (x, y) positions. - """ - if self.pos is not None and not redraw: - return self.pos - - # try graphviz layout first, fall back to deterministic layout - pos = _layout_graphviz(self.G) - - if pos is not None: - self.pos = pos - return pos - - self.pos = _layout_deterministic(self.G) - return self.pos - - def mapping_to_int_labels(self) -> Dict[Tuple[int, ...], int]: - return dt_mapping_to_int_labels(self.dt) - - def labels(self) -> Dict[Any, int]: - if self._labels is not None: - return self._labels - - self._labels = _magnitude_quantile_labels_from_graph( - self.G, K=self.K, norm_func=self.norm_func - ) - return self._labels - - def colorize(self): - # generate RGBA tuples from spectrum, then convert to hex strings for Graphviz/pygraphviz - raw_colors = _spectrum(self.K, cmap=self.cmap) - color_list = [ - mcolors.to_hex(tuple(float(c) for c in col), keep_alpha=False) - for col in raw_colors - ] - - for node, i in self.labels().items(): - self.G.nodes[node]["color"] = color_list[i] - - def draw(self, figsize: Tuple[int, int] = (24, 20)) -> plt.Axes: - fig, ax = plt.subplots(figsize=figsize) - - if self.pos is None: - self.layout() - - pos = self.pos - - nx_node_color = [ - self.G.nodes[n].get("color", "skyblue") for n in self.G.nodes() - ] - nx.draw( - self.G, - pos=pos, - with_labels=True, - node_size=500, - node_color=nx_node_color, - edge_color="gray", - font_size=10, - ax=ax, - ) - ax.margins(0.01) - return ax - - def _compute_figsize(self) -> Tuple[int, int]: - """ - Compute an appropriate figure size based on the graph's topology. - - Returns: - Tuple of (width, height) for the figure size. - """ - height = 0 - width = 0 - scale_factor = 2 - for l in nx.topological_generations(self.G): - height += 1 - width = max(width, len(list(l))) - figsize = ( - max(24, width * scale_factor), - max(20, height * scale_factor), - ) - print(figsize) - return figsize - - def write_graph( - self, filename: str, png: bool = True, svg: bool = False - ) -> None: - if not (png or svg): - raise ValueError("At least one of png or svg must be True") - - # scale the graph to fit in the figure - # how many layers in the graph? - - ax = self.draw(figsize=self._compute_figsize()) - - if png: - ax.figure.savefig(f"{filename}.png", dpi=300, bbox_inches="tight") - if svg: - ax.figure.savefig(f"{filename}.svg", bbox_inches="tight") - - plt.close(ax.figure) - - -def dt_mapping_to_int_labels( - dt: DecisionTable, -) -> Dict[Tuple[int, ...], int]: - """ - Create a mapping from decision table outcome vectors to integer labels. - Args: - dt: Decision table to create mapping for. - Returns: - Dictionary mapping outcome vectors (as tuples) to integer labels. - """ - # construct a translator - dp_values_to_int = {} - for dp in dt.decision_points.values(): - if dp.id not in dp_values_to_int: - dp_values_to_int[dp.id] = {} - - for i, value in enumerate(dp.values): - dp_values_to_int[dp.id][value.key] = i - - int_mapping = {} - for row in dt.mapping: - # a row is a dict of decision point id to Value eg - # {'aivss:AA:1.0.0': 'F', - # 'aivss:TU:1.0.0': 'A', - # 'aivss:SM:1.1.0': 'M', - # 'aivss:GDP:1.0.0': 'A', - # 'aivss:EP:1.0.0': 'H'}, - for k, v in row.items(): - vector = [] - if k == dt.outcome: - outcome_value = dp_values_to_int[k][v] - else: - vector.append(dp_values_to_int[k][v]) - int_mapping[tuple(vector)] = outcome_value - - return int_mapping - - -def main() -> None: - """Main entry: build graphs from decision tables, color nodes, draw and write outputs.""" - - from ssvc.decision_tables.aivss.execution_power import LATEST as DT_AIVSS - from ssvc.decision_tables.ssvc.deployer_dt import LATEST as DT_DEPLOYER - from ssvc.decision_tables.ssvc.coord_triage import ( - LATEST as DT_COORD_TRIAGE, +def graph_from_dplist(decision_points: list[DecisionPoint]) -> nx.DiGraph: + logger.debug( + f"Creating graph from dplist: {[dp.id for dp in decision_points]}" ) - from ssvc.decision_tables.ssvc.supplier_dt import LATEST as DT_SUPPLIER - from ssvc.decision_tables.cvss.equivalence_set_six import LATEST as DT_SIX - - print(dt_mapping_to_int_labels(DT_AIVSS)) - - sys.exit() - - for dt in [ - ("aivss", DT_AIVSS), - ("deployer", DT_DEPLOYER), - ("coord_triage", DT_COORD_TRIAGE), - ("supplier", DT_SUPPLIER), - ("cvss_equivalence_set_six", DT_SIX), - ]: - dtg_orig = DecisionTableGraph(dt[1]) - dtg_orig.layout() - - for j, normfunc in enumerate( - [manhattan_distances, euclidean_distances, max_distances] - ): - dtg = DecisionTableGraph(dt[1], norm_func=normfunc) - dtg.layout() - dtg.colorize() - dtg.write_graph( - filename=f"hasse_vector_magnitude_quantiles_3_{dt[0]}_norm_{j+1}" - ) - G = dtg.G - print( - f"{dt[0].upper()} color counts (norm {j+1}):", - Counter([G.nodes[n]["color"] for n in G.nodes()]), - ) - - -if __name__ == "__main__": - main() + value_lookup = dplist_to_value_lookup(decision_points) + value_tuples = [tuple(v.keys()) for v in value_lookup] + logger.debug(f"Value tuples: {value_tuples}") + + return graph_from_value_tuples(value_tuples) + + +def graph_from_value_tuples(value_tuples: list[tuple[int, ...]]) -> nx.DiGraph: + logger.debug(f"Creating graph from value_tuples: {value_tuples}") + G = nx.DiGraph() + + # add nodes to the graph + nodes = list(product(*value_tuples)) + G.add_nodes_from(nodes) + + # add edges to the graph + + # For each node, try to increment one coordinate by one step + for node in nodes: + for i, val in enumerate(node): + axis = value_tuples[i] + idx = axis.index(val) + if idx + 1 < len(axis): + # Create a new node with i-th coordinate incremented + neighbor = list(node) + neighbor[i] = axis[idx + 1] + neighbor = tuple(neighbor) + if neighbor in G: + G.add_edge(node, neighbor) + + return G + + +def dplist_to_value_lookup( + decision_points: list[DecisionPoint], +) -> list[dict[int, str]]: + value_lookup = [ + {i: v.key for i, v in enumerate(dp.values)} for dp in decision_points + ] + return value_lookup diff --git a/src/ssvc/utils/toposort.py b/src/ssvc/utils/toposort.py deleted file mode 100644 index a87b4756..00000000 --- a/src/ssvc/utils/toposort.py +++ /dev/null @@ -1,175 +0,0 @@ -#!/usr/bin/env python -""" -file: toposort -author: adh -created_at: 7/30/25 12:45 PM -""" - -# Copyright (c) 2025 Carnegie Mellon University. -# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE -# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. -# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, -# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT -# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR -# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE -# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE -# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM -# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. -# Licensed under a MIT (SEI)-style license, please see LICENSE or contact -# permission@sei.cmu.edu for full terms. -# [DISTRIBUTION STATEMENT A] This material has been approved for -# public release and unlimited distribution. Please see Copyright notice -# for non-US Government use and distribution. -# This Software includes and/or makes use of Third-Party Software each -# subject to its own license. -# DM24-0278 - -import logging -from itertools import product - -import networkx as nx - -from ssvc.decision_points.base import DecisionPoint - -logger = logging.getLogger(__name__) - - -def graph_from_dplist(decision_points: list[DecisionPoint]) -> nx.DiGraph: - logger.debug( - f"Creating graph from dplist: {[dp.id for dp in decision_points]}" - ) - value_lookup = dplist_to_value_lookup(decision_points) - value_tuples = [tuple(v.keys()) for v in value_lookup] - logger.debug(f"Value tuples: {value_tuples}") - - return graph_from_value_tuples(value_tuples) - - -def graph_from_value_tuples(value_tuples: list[tuple[int, ...]]) -> nx.DiGraph: - logger.debug(f"Creating graph from value_tuples: {value_tuples}") - G = nx.DiGraph() - - # add nodes to the graph - nodes = list(product(*value_tuples)) - G.add_nodes_from(nodes) - - # add edges to the graph - - # For each node, try to increment one coordinate by one step - for node in nodes: - for i, val in enumerate(node): - axis = value_tuples[i] - idx = axis.index(val) - if idx + 1 < len(axis): - # Create a new node with i-th coordinate incremented - neighbor = list(node) - neighbor[i] = axis[idx + 1] - neighbor = tuple(neighbor) - if neighbor in G: - G.add_edge(node, neighbor) - - return G - - -def dplist_to_value_lookup( - decision_points: list[DecisionPoint], -) -> list[dict[int, str]]: - value_lookup = [ - {i: v.key for i, v in enumerate(dp.values)} for dp in decision_points - ] - return value_lookup - - -def dplist_to_lookup(decision_points: list[DecisionPoint]) -> dict[int, str]: - dp_lookup = {i: dp.id for i, dp in enumerate(decision_points)} - return dp_lookup - - -def lookup_value( - t: tuple[int, ...], lookup: list[dict[int, str]] -) -> tuple[str, ...]: - """ - Converts a tuple of indices to a tuple of values using the provided lookup. - Args: - t: The tuple of indices. - lookup: A list of dictionaries mapping indices to values for each position. - - Returns: - A tuple of values corresponding to the indices in t. - - Examples: - # given - t = (0, 0, 0) - lookup = [{0: 'V', 1: 'R', 2: 'S', 3: 'HS'}, {0: 'H', 1: 'S', 2: 'B', 3: 'N'}, {0: 'F', 1: 'R', 2: 'B', 3: 'N'}] - # return (V,H,F) - """ - l = [lookup[i][t[i]] for i in range(len(t))] - return tuple(l) - - -def tuple_to_dict( - t: tuple[str, ...], lookup: dict[int, str] -) -> dict[str, str]: - """ - Converts a tuple of values to a dictionary using the provided lookup. - - Args: - t: The tuple of values. - lookup: A dictionary mapping indices to keys. - - Returns: - A dictionary mapping keys to values from the tuple. - - Examples: - # given - t = ('V', 'H', 'F') - lookup = {0: 'ER', 1: 'GM', 2: 'RC'} - # return {'ER': 'V', 'GM': 'H', 'RC': 'F'} - """ - return {lookup[i]: t[i] for i in range(len(t))} - - -def dplist_to_toposort( - decision_points: list[DecisionPoint], -) -> list[dict[str, str]]: - logger.debug("Creating graph from list of decision points") - G = graph_from_dplist(decision_points) - logger.debug( - "Graph created, performing topological sort over decision points graph" - ) - sorted_nodes = nx.topological_sort(G) - - logger.debug( - "Topological sort completed, converting graph nodes to dictionaries" - ) - sorted_list = [] - dp_lookup = dplist_to_lookup(decision_points) - value_lookup = dplist_to_value_lookup(decision_points) - for node in sorted_nodes: - vals = lookup_value(node, value_lookup) - sorted_list.append(tuple_to_dict(vals, dp_lookup)) - return sorted_list - - -def main(): - from ssvc.decision_points.cvss.attack_vector import LATEST as AT - from ssvc.decision_points.cvss.attack_complexity import LATEST as AC - from ssvc.decision_points.cvss.privileges_required import LATEST as PR - - logger = logging.getLogger() - logger.setLevel(logging.DEBUG) - - handler = logging.StreamHandler() - handler.setLevel(logging.DEBUG) - logger.addHandler(handler) - - dps = [AT, AC, PR] - - print("mapping order:") - print("===========================") - for row in dplist_to_toposort(dps): - print(row) - - -if __name__ == "__main__": - main() diff --git a/src/test/utils/test_toposort.py b/src/test/utils/test_graph_labeling.py similarity index 57% rename from src/test/utils/test_toposort.py rename to src/test/utils/test_graph_labeling.py index 52c6206b..96b68527 100644 --- a/src/test/utils/test_toposort.py +++ b/src/test/utils/test_graph_labeling.py @@ -24,7 +24,7 @@ import networkx as nx -from ssvc.utils import toposort +import ssvc.utils.graph_labeling def _diff(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[int, ...]: @@ -153,11 +153,140 @@ def test_off_by_one(self): self.assertFalse(_off_by_one(t4)) self.assertFalse(_off_by_one(t5)) - @patch("ssvc.utils.toposort.graph_from_value_tuples") + def test_normalize_columns(self): + import numpy as np + from itertools import product + + column_1 = [0, 1] + column_2 = [0, 1, 2] + column_3 = [0, 1, 2, 3] + column_4 = [0, 1, 2, 3, 4] + columns = [column_1, column_2, column_3, column_4] + + data = np.array(list(product(*columns))) + + # confirm shape is as expected before normalization + from math import prod + + n_rows = prod([len(c) for c in columns]) + n_cols = len(columns) + self.assertEqual(data.shape, (n_rows, n_cols)) + + normalized = ssvc.utils.graph_labeling._normalize_columns(data) + + # confirm normalized shape is the same + self.assertEqual(normalized.shape, data.shape) + + # confirm normalized is an array of floats + self.assertEqual(normalized.dtype, float) + + # confirm min of each column is 0.0 + np.testing.assert_array_almost_equal( + normalized.min(axis=0), np.zeros(n_cols) + ) + + # confirm max of each column is 1.0 + np.testing.assert_array_almost_equal( + normalized.max(axis=0), np.ones(n_cols) + ) + + expected = np.array( + list( + product( + [0.0, 1.0], + [0.0, 0.5, 1.0], + [0.0, 0.33333333, 0.66666667, 1.0], + [0.0, 0.25, 0.5, 0.75, 1.0], + ) + ) + ) + self.assertEqual(data.shape, expected.shape) + + # confirm values are almost equal + np.testing.assert_array_almost_equal(normalized, expected) + + def test_magnitude_quantile_labels_from_graph(self): + + value_ranges = [3, 2, 4] # keep these small for testing + values = [tuple(range(r)) for r in value_ranges] + + G = ssvc.utils.graph_labeling.graph_from_value_tuples(values) + + K = 4 # number of quantiles + + expected_node_count = math.prod(value_ranges) + self.assertEqual(len(G.nodes), expected_node_count) + + min_node = tuple(0 for _ in values) + max_node = tuple(len(v) - 1 for v in values) + + self.assertIn(min_node, G.nodes) + self.assertIn(max_node, G.nodes) + + # in-degree of min_node should be 0 + self.assertEqual(G.in_degree(min_node), 0) + # out-degree of min_node should be > 0 + self.assertGreater(G.out_degree(min_node), 0) + + # in-degree of max_node should be > 0 + self.assertGreater(G.in_degree(max_node), 0) + # out-degree of max_node should be 0 + self.assertEqual(G.out_degree(max_node), 0) + + labels = ( + ssvc.utils.graph_labeling._magnitude_quantile_labels_from_graph( + G=G, + K=K, + norm_func=ssvc.utils.graph_labeling.euclidean_distances, + ) + ) + + self.assertIsInstance(labels, dict) + self.assertEqual(len(labels), len(G.nodes)) + + # check that all labels are in the expected range + for node, label in labels.items(): + self.assertIn(node, G.nodes) + self.assertIsInstance(label, int) + self.assertGreaterEqual(label, 0) + self.assertLess(label, K) + + # for each pair of nodes, check that if one is off by one from the other, + # the label of the one with the higher magnitude is greater than or equal to the other + for u, v in itertools.product(G.nodes(), G.nodes()): + if _off_by_one(_diff(u, v)): + mag_u = math.sqrt(sum(x**2 for x in u)) + mag_v = math.sqrt(sum(x**2 for x in v)) + if mag_u >= mag_v: + self.assertGreaterEqual( + labels[u], + labels[v], + f"Expected label of {u} ({labels[u]}) to be >= label of {v} ({labels[v]})", + ) + else: + self.assertGreaterEqual( + labels[v], + labels[u], + f"Expected label of {v} ({labels[v]}) to be >= label of {u} ({labels[u]})", + ) + + # every path through G should have non-decreasing labels + for path in nx.all_simple_paths(G, source=min_node, target=max_node): + path_labels = [labels[node] for node in path] + for i in range(len(path_labels) - 1): + self.assertLessEqual( + path_labels[i], + path_labels[i + 1], + f"Expected non-decreasing labels along path, but found {path_labels[i]} > {path_labels[i + 1]}", + ) + + @patch("ssvc.utils.graph_labeling.graph_from_value_tuples") def test_graph_from_dplist(self, mock_graph_from_value_tuples): mock_graph_from_value_tuples.return_value = nx.DiGraph() - result = toposort.graph_from_dplist(self.decision_points) + result = ssvc.utils.graph_labeling.graph_from_dplist( + self.decision_points + ) self.assertIsInstance(result, nx.DiGraph) @@ -179,7 +308,7 @@ def test_graph_from_value_tuples(self): node_count = math.prod([len(v) for v in values]) - G = toposort.graph_from_value_tuples(values) + G = ssvc.utils.graph_labeling.graph_from_value_tuples(values) self.assertIsInstance(G, nx.DiGraph) self.assertEqual( len(G.nodes), node_count @@ -200,7 +329,9 @@ def test_graph_from_value_tuples(self): ) def test_dplist_to_value_lookup(self): - value_lookup = toposort.dplist_to_value_lookup(self.decision_points) + value_lookup = ssvc.utils.graph_labeling.dplist_to_value_lookup( + self.decision_points + ) expected = [ {0: self.dp1.values[0].key, 1: self.dp1.values[1].key}, @@ -208,77 +339,6 @@ def test_dplist_to_value_lookup(self): ] self.assertEqual(value_lookup, expected) - def test_dplist_to_lookup(self): - dp_lookup = toposort.dplist_to_lookup(self.decision_points) - - expected = { - 0: self.dp1.id, - 1: self.dp2.id, - } - self.assertEqual(dp_lookup, expected) - - def lookup_value(self): - value_lookup = toposort.dplist_to_value_lookup(self.decision_points) - t = (0, 1) - result = toposort.lookup_value(t, value_lookup) - expected = (self.dp1.values[0].key, self.dp2.values[1].key) - self.assertEqual(result, expected) - - def test_tuple_to_dict(self): - dp_lookup = toposort.dplist_to_lookup(self.decision_points) - value_lookup = toposort.dplist_to_value_lookup(self.decision_points) - - nodes = list( - itertools.product( - range(len(self.dp1.values)), range(len(self.dp2.values)) - ) - ) - for node in nodes: - node = tuple(node) - vals = toposort.lookup_value(node, value_lookup) - result = toposort.tuple_to_dict(vals, dp_lookup) - - expected = { - self.dp1.id: self.dp1.values[node[0]].key, - self.dp2.id: self.dp2.values[node[1]].key, - } - self.assertEqual(result, expected) - - def test_dplist_to_toposort(self): - dplist = self.decision_points - result = toposort.dplist_to_toposort(dplist) - # result is a list of dicts of str:str - self.assertIsInstance(result, list) - self.assertTrue(all(isinstance(item, dict) for item in result)) - self.assertTrue( - all( - isinstance(k, str) and isinstance(v, str) - for item in result - for k, v in item.items() - ) - ) - - # check the shape of the result - # length of each dict should match the number of decision points - self.assertTrue(all(len(item) == len(dplist) for item in result)) - # length of result should be the product of the number of values in each decision point - expected_length = math.prod(len(dp.values) for dp in dplist) - self.assertEqual(len(result), expected_length) - - # lowest item should be V1,VA - expected_lowest = { - self.dp1.id: self.dp1.values[0].key, - self.dp2.id: self.dp2.values[0].key, - } - self.assertEqual(result[0], expected_lowest) - - # highest item should be V2,VB - expected_highest = { - self.dp1.id: self.dp1.values[-1].key, - self.dp2.id: self.dp2.values[-1].key, - } - self.assertEqual(result[-1], expected_highest) - if __name__ == "__main__": unittest.main() diff --git a/uv.lock b/uv.lock index e689dd24..0aaedcac 100644 --- a/uv.lock +++ b/uv.lock @@ -108,7 +108,6 @@ wheels = [ name = "certcc-ssvc" source = { editable = "." } dependencies = [ - { name = "colorcet" }, { name = "fastapi", extra = ["all", "standard"] }, { name = "jsonschema" }, { name = "markdown-exec", extra = ["ansi"] }, @@ -124,7 +123,6 @@ dependencies = [ { name = "networkx" }, { name = "pandas" }, { name = "pydantic" }, - { name = "pygraphviz" }, { name = "scikit-learn" }, { name = "scipy" }, { name = "semver" }, @@ -135,12 +133,12 @@ dependencies = [ dev = [ { name = "black" }, { name = "linkchecker" }, + { name = "pandas-stubs" }, { name = "pytest" }, ] [package.metadata] requires-dist = [ - { name = "colorcet", specifier = ">=3.1.0" }, { name = "fastapi", extras = ["all", "standard"], specifier = ">=0.116.1" }, { name = "jsonschema", specifier = ">=4.25.1" }, { name = "markdown-exec", extras = ["ansi"], specifier = ">=1.11.0" }, @@ -156,7 +154,6 @@ requires-dist = [ { name = "networkx", specifier = ">=3.4.2" }, { name = "pandas", specifier = ">=2.3.2" }, { name = "pydantic", specifier = ">=2.11.7" }, - { name = "pygraphviz", specifier = ">=1.14" }, { name = "scikit-learn", specifier = ">=1.6.1" }, { name = "scipy", specifier = ">=1.16.1" }, { name = "semver", specifier = ">=3.0.4" }, @@ -167,6 +164,7 @@ requires-dist = [ dev = [ { name = "black", specifier = ">=25.9.0" }, { name = "linkchecker", specifier = ">=10.6.0" }, + { name = "pandas-stubs", specifier = ">=2.3.3.251201" }, { name = "pytest", specifier = ">=8.4.1" }, ] @@ -242,15 +240,6 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/d1/d6/3965ed04c63042e047cb6a3e6ed1a63a35087b6a609aa3a15ed8ac56c221/colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6", size = 25335, upload-time = "2022-10-25T02:36:20.889Z" }, ] -[[package]] -name = "colorcet" -version = "3.1.0" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/5f/c3/ae78e10b7139d6b7ce080d2e81d822715763336aa4229720f49cb3b3e15b/colorcet-3.1.0.tar.gz", hash = "sha256:2921b3cd81a2288aaf2d63dbc0ce3c26dcd882e8c389cc505d6886bf7aa9a4eb", size = 2183107, upload-time = "2024-02-29T19:15:42.976Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/c6/c6/9963d588cc3d75d766c819e0377a168ef83cf3316a92769971527a1ad1de/colorcet-3.1.0-py3-none-any.whl", hash = "sha256:2a7d59cc8d0f7938eeedd08aad3152b5319b4ba3bcb7a612398cc17a384cb296", size = 260286, upload-time = "2024-02-29T19:15:40.494Z" }, -] - [[package]] name = "dnspython" version = "2.8.0" @@ -979,6 +968,19 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/cd/d7/612123674d7b17cf345aad0a10289b2a384bff404e0463a83c4a3a59d205/pandas-2.3.2-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:d2c3554bd31b731cd6490d94a28f3abb8dd770634a9e06eb6d2911b9827db370", size = 13186141, upload-time = "2025-08-21T10:28:05.377Z" }, ] +[[package]] +name = "pandas-stubs" +version = "2.3.3.251201" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "numpy" }, + { name = "types-pytz" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/ee/a6/491b2af2cb3ee232765a73fb273a44cc1ac33b154f7745b2df2ee1dc4d01/pandas_stubs-2.3.3.251201.tar.gz", hash = "sha256:7a980f4f08cff2a6d7e4c6d6d26f4c5fcdb82a6f6531489b2f75c81567fe4536", size = 107787, upload-time = "2025-12-01T18:29:22.403Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/e2/68/78a3c253f146254b8e2c19f4a4768f272e12ef11001d9b45ec7b165db054/pandas_stubs-2.3.3.251201-py3-none-any.whl", hash = "sha256:eb5c9b6138bd8492fd74a47b09c9497341a278fcfbc8633ea4b35b230ebf4be5", size = 164638, upload-time = "2025-12-01T18:29:21.006Z" }, +] + [[package]] name = "pathspec" version = "0.12.1" @@ -1129,12 +1131,6 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/e6/17/8306a0bcd8c88d7761c2e73e831b0be026cd6873ce1f12beb3b4c9a03ffa/pygments_ansi_color-0.3.0-py3-none-any.whl", hash = "sha256:7eb063feaecadad9d4d1fd3474cbfeadf3486b64f760a8f2a00fc25392180aba", size = 10242, upload-time = "2023-05-18T22:44:34.287Z" }, ] -[[package]] -name = "pygraphviz" -version = "1.14" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/66/ca/823d5c74a73d6b8b08e1f5aea12468ef334f0732c65cbb18df2a7f285c87/pygraphviz-1.14.tar.gz", hash = "sha256:c10df02377f4e39b00ae17c862f4ee7e5767317f1c6b2dfd04cea6acc7fc2bea", size = 106003, upload-time = "2024-09-29T18:31:12.471Z" } - [[package]] name = "pymdown-extensions" version = "10.16.1" @@ -1728,6 +1724,15 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/1e/fa/6473c00b5eb26a2ba427813107699d3e6f4e1a4afad3f7494b17bdef3422/typer-0.19.1-py3-none-any.whl", hash = "sha256:914b2b39a1da4bafca5f30637ca26fa622a5bf9f515e5fdc772439f306d5682a", size = 46876, upload-time = "2025-09-20T08:59:21.153Z" }, ] +[[package]] +name = "types-pytz" +version = "2025.2.0.20251108" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/40/ff/c047ddc68c803b46470a357454ef76f4acd8c1088f5cc4891cdd909bfcf6/types_pytz-2025.2.0.20251108.tar.gz", hash = "sha256:fca87917836ae843f07129567b74c1929f1870610681b4c92cb86a3df5817bdb", size = 10961, upload-time = "2025-11-08T02:55:57.001Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/e7/c1/56ef16bf5dcd255155cc736d276efa6ae0a5c26fd685e28f0412a4013c01/types_pytz-2025.2.0.20251108-py3-none-any.whl", hash = "sha256:0f1c9792cab4eb0e46c52f8845c8f77cf1e313cb3d68bf826aa867fe4717d91c", size = 10116, upload-time = "2025-11-08T02:55:56.194Z" }, +] + [[package]] name = "typing-extensions" version = "4.15.0" From 7a3acec4b7488d21f25ef000649ad158552a1f2e Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Fri, 12 Dec 2025 12:42:57 -0500 Subject: [PATCH 20/23] markdownlint --fix --- docs/howto/aivss/env_adapt.md | 4 ++-- docs/howto/aivss/exec_power.md | 4 ++-- docs/howto/aivss/predict_influence.md | 5 ++--- docs/howto/gathering_info/exploitation.md | 5 ++++- docs/howto/gathering_info/index.md | 2 +- docs/howto/gathering_info/system_exposure.md | 1 - docs/reference/decision_points/aivss/autonomy_level.md | 1 - .../decision_points/aivss/contextual_awareness_level.md | 1 - .../decision_points/aivss/deceptiveness_potential_level.md | 1 - .../decision_points/aivss/dynamic_identity_level.md | 1 - .../decision_points/aivss/environment_and_adaptation.md | 6 +++--- docs/reference/decision_points/aivss/execution_power.md | 5 ++--- .../decision_points/aivss/goal_driven_planning_level.md | 1 - docs/reference/decision_points/aivss/memory_level.md | 1 - .../decision_points/aivss/multi_agent_interactions_level.md | 1 - .../decision_points/aivss/predictability_and_influence.md | 6 +++--- docs/reference/decision_points/human_impact.md | 1 - src/README.md | 3 +-- src/ssvc/api/README.md | 1 - 19 files changed, 20 insertions(+), 30 deletions(-) diff --git a/docs/howto/aivss/env_adapt.md b/docs/howto/aivss/env_adapt.md index 1756e2f1..231d46bd 100644 --- a/docs/howto/aivss/env_adapt.md +++ b/docs/howto/aivss/env_adapt.md @@ -4,7 +4,7 @@ Some text ## Outcome -The outcome of the _Environment and Adaptation_ decision table is defined by +The outcome of the *Environment and Adaptation* decision table is defined by the [Environment and Adaptation Level](../../reference/decision_points/aivss/environment_and_adaptation.md) decision point. ```python exec="true" idprefix="" @@ -17,7 +17,7 @@ print(example_block(dp)) ## Decision Points -The _Environment and Adaptation_ decision table has the following decision points: +The *Environment and Adaptation* decision table has the following decision points: - [Memory Usage Level](../../reference/decision_points/aivss/memory_level.md) - [Contextual Awareness](../../reference/decision_points/aivss/contextual_awareness_level.md) diff --git a/docs/howto/aivss/exec_power.md b/docs/howto/aivss/exec_power.md index 37c65102..20d86770 100644 --- a/docs/howto/aivss/exec_power.md +++ b/docs/howto/aivss/exec_power.md @@ -4,7 +4,7 @@ Some text ## Outcome -The outcome of the _Execution Power_ decision table is defined by +The outcome of the *Execution Power* decision table is defined by the [Execution Power Level](../../reference/decision_points/aivss/execution_power.md) decision point. ```python exec="true" idprefix="" @@ -17,7 +17,7 @@ print(example_block(dp)) ## Decision Points -The _Execution Power_ decision table has the following decision points: +The *Execution Power* decision table has the following decision points: - [Autonomy](../../reference/decision_points/aivss/autonomy_level.md) - [Tool Use](../../reference/decision_points/aivss/tool_use.md) diff --git a/docs/howto/aivss/predict_influence.md b/docs/howto/aivss/predict_influence.md index 24bb8bb0..080b76ce 100644 --- a/docs/howto/aivss/predict_influence.md +++ b/docs/howto/aivss/predict_influence.md @@ -4,7 +4,7 @@ Some text ## Outcome -The outcome of the _Predictability and Influence_ decision table is defined by +The outcome of the *Predictability and Influence* decision table is defined by the [Predictability and Influence Level](../../reference/decision_points/aivss/predictability_and_influence.md) decision point. ```python exec="true" idprefix="" @@ -17,14 +17,13 @@ print(example_block(dp)) ## Decision Points -The _Predictability and Influence_ decision table has the following decision points: +The *Predictability and Influence* decision table has the following decision points: - [Non-Determinism](../../reference/decision_points/aivss/non_determinism_level.md) - [Opacity and Reflexivity](../../reference/decision_points/aivss/opacity_reflexivity_level.md) - [Verification Capability](../../reference/decision_points/aivss/verification_capability_level.md) - [Deceptiveness Potential](../../reference/decision_points/aivss/deceptiveness_potential_level.md) - ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.predictability_influence import LATEST as DT from ssvc.doc_helpers import example_block diff --git a/docs/howto/gathering_info/exploitation.md b/docs/howto/gathering_info/exploitation.md index 7196f0f5..c3881b5f 100644 --- a/docs/howto/gathering_info/exploitation.md +++ b/docs/howto/gathering_info/exploitation.md @@ -10,6 +10,7 @@ print(example_block(LATEST)) {% include-markdown "../../_includes/default_exploitation_values.md" %} ## Public PoC + [Historical Analysis of Exploit Availability Timelines](https://dl.acm.org/doi/10.5555/3485754.3485760) presents a method for searching the GitHub repositories of open-source exploit databases. This method could be employed to gather information about whether *PoC* is true. However, part (3) of *PoC* would not be represented in such a search, so more information gathering would be needed. @@ -21,6 +22,7 @@ We provide a list of possible CWE-IDs for this purpose at the [bottom of this pa The Exploit Prediction Scoring System (EPSS) estimates the likelihood of of a Public PoC. See [this page](../../using_epss) for more information on incorporating EPSS scoring to your SSVC model. ## Active + Gathering information for *active* is a bit harder. If the vulnerability has a name or public identifier (such as a CVE-ID), a search of news websites, Twitter, the vendor's vulnerability description, and public vulnerability databases for mentions of exploitation is generally adequate. However, if the organization has the ability to detect exploitation attempts—for instance, through reliable and precise IDS signatures based on a public *PoC*—then detection of exploitation attempts also signals that *active* is the right choice. @@ -31,11 +33,12 @@ As long as those organizations also share detection methods and signatures, the For these reasons, we assess public reporting by established security community members to be a good information source for *active*; however, one should not assume it is complete. ## None + The description for *none* says that there is no **evidence** of *active* exploitation. This framing admits that an analyst may not be able to detect or know about every attack. Acknowledging that *Exploitation* values can change relatively quickly, we recommend conducting these searches frequently: if they can be automated to the organization's satisfaction, perhaps once a day (see also [Guidance on Communicating Results](../../howto/bootstrap/use.md)). An analyst should feel comfortable selecting *none* if they (or their search scripts) have performed searches in the appropriate places for public *PoC*s and *active* exploitation (as described above) and found *none*. - ## CWE with PoC examples list + {% include-markdown "../../_includes/cwe-with-poc-examples.md" heading-offset=1 %} diff --git a/docs/howto/gathering_info/index.md b/docs/howto/gathering_info/index.md index 2556e51d..ab1da22b 100644 --- a/docs/howto/gathering_info/index.md +++ b/docs/howto/gathering_info/index.md @@ -9,4 +9,4 @@ We offer additional guidance on how to gather information about some decision po - :material-access-point-network: [System Exposure](system_exposure.md) - :octicons-goal-16: [Technical Impact](technical_impact.md) - :material-city-variant-outline: [Value Density](value_density.md) - \ No newline at end of file + diff --git a/docs/howto/gathering_info/system_exposure.md b/docs/howto/gathering_info/system_exposure.md index ebc8f935..90ad91e8 100644 --- a/docs/howto/gathering_info/system_exposure.md +++ b/docs/howto/gathering_info/system_exposure.md @@ -31,5 +31,4 @@ Apply these heuristics in order and stop when one of them applies. The unreachable vulnerable component scenario may be a point of concern for stakeholders like [patch suppliers](../../howto/supplier_tree.md) who often find it more cost-effective to simply update the included library to an existing fixed version rather than try to explain to customers why the vulnerable code is unreachable in their own product. In those cases, we suggest the stakeholder reviews the decision outcomes of the tree to ensure the appropriate action is taken (paying attention to [*defer*](../../howto/supplier_tree.md) vs [*scheduled*](../../howto/supplier_tree.md), for example). - {% include-markdown "../../_includes/question_callout.md" heading-offset=1 %} diff --git a/docs/reference/decision_points/aivss/autonomy_level.md b/docs/reference/decision_points/aivss/autonomy_level.md index f0a25189..b48f56b5 100644 --- a/docs/reference/decision_points/aivss/autonomy_level.md +++ b/docs/reference/decision_points/aivss/autonomy_level.md @@ -6,4 +6,3 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - diff --git a/docs/reference/decision_points/aivss/contextual_awareness_level.md b/docs/reference/decision_points/aivss/contextual_awareness_level.md index fea94a3f..51f4d570 100644 --- a/docs/reference/decision_points/aivss/contextual_awareness_level.md +++ b/docs/reference/decision_points/aivss/contextual_awareness_level.md @@ -6,4 +6,3 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - diff --git a/docs/reference/decision_points/aivss/deceptiveness_potential_level.md b/docs/reference/decision_points/aivss/deceptiveness_potential_level.md index 8bd77eda..92477297 100644 --- a/docs/reference/decision_points/aivss/deceptiveness_potential_level.md +++ b/docs/reference/decision_points/aivss/deceptiveness_potential_level.md @@ -6,4 +6,3 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - diff --git a/docs/reference/decision_points/aivss/dynamic_identity_level.md b/docs/reference/decision_points/aivss/dynamic_identity_level.md index 815d91c7..a1b36a85 100644 --- a/docs/reference/decision_points/aivss/dynamic_identity_level.md +++ b/docs/reference/decision_points/aivss/dynamic_identity_level.md @@ -6,4 +6,3 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - diff --git a/docs/reference/decision_points/aivss/environment_and_adaptation.md b/docs/reference/decision_points/aivss/environment_and_adaptation.md index b87f82ec..f54cbbec 100644 --- a/docs/reference/decision_points/aivss/environment_and_adaptation.md +++ b/docs/reference/decision_points/aivss/environment_and_adaptation.md @@ -1,9 +1,9 @@ # Environment and Adaptation Decision Point -This is the reference documentation for the _Environment and Adaptation_ decision point in the AIVSS framework. +This is the reference documentation for the *Environment and Adaptation* decision point in the AIVSS framework. + +!!! tip "How to apply the *Environment and Adaptation* decision point" -!!! tip "How to apply the _Environment and Adaptation_ decision point" - For a detailed explanation of how to use this decision point, see the [Environment and Adaptation How-To Guide](../../../howto/aivss/env_adapt.md). ```python exec="true" idprefix="" diff --git a/docs/reference/decision_points/aivss/execution_power.md b/docs/reference/decision_points/aivss/execution_power.md index 3d315724..a86d269d 100644 --- a/docs/reference/decision_points/aivss/execution_power.md +++ b/docs/reference/decision_points/aivss/execution_power.md @@ -1,10 +1,9 @@ # Execution Power +This is the reference documentation for the *Execution Power* decision point in the AIVSS framework. -This is the reference documentation for the _Execution Power_ decision point in the AIVSS framework. +!!! tip "How to apply the *Execution Power* decision point" -!!! tip "How to apply the _Execution Power_ decision point" - For a detailed explanation of how to use this decision point, see the [Execution Power How-To Guide](../../../howto/aivss/exec_power.md). ```python exec="true" idprefix="" diff --git a/docs/reference/decision_points/aivss/goal_driven_planning_level.md b/docs/reference/decision_points/aivss/goal_driven_planning_level.md index 8da72364..30976231 100644 --- a/docs/reference/decision_points/aivss/goal_driven_planning_level.md +++ b/docs/reference/decision_points/aivss/goal_driven_planning_level.md @@ -6,4 +6,3 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - diff --git a/docs/reference/decision_points/aivss/memory_level.md b/docs/reference/decision_points/aivss/memory_level.md index 3737833b..9f51ba69 100644 --- a/docs/reference/decision_points/aivss/memory_level.md +++ b/docs/reference/decision_points/aivss/memory_level.md @@ -6,4 +6,3 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - diff --git a/docs/reference/decision_points/aivss/multi_agent_interactions_level.md b/docs/reference/decision_points/aivss/multi_agent_interactions_level.md index f7b5b64b..7718ed3d 100644 --- a/docs/reference/decision_points/aivss/multi_agent_interactions_level.md +++ b/docs/reference/decision_points/aivss/multi_agent_interactions_level.md @@ -6,4 +6,3 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - diff --git a/docs/reference/decision_points/aivss/predictability_and_influence.md b/docs/reference/decision_points/aivss/predictability_and_influence.md index c85bc775..bbd4f9d9 100644 --- a/docs/reference/decision_points/aivss/predictability_and_influence.md +++ b/docs/reference/decision_points/aivss/predictability_and_influence.md @@ -1,9 +1,9 @@ # Predictability and Influence -This is the reference documentation for the _Predictability and Influence_ decision point in the AIVSS framework. +This is the reference documentation for the *Predictability and Influence* decision point in the AIVSS framework. + +!!! tip "How to apply the *Predictability and Influence* decision point" -!!! tip "How to apply the _Predictability and Influence_ decision point" - For a detailed explanation of how to use this decision point, see the [Predictability and Influence How-To Guide](../../../howto/aivss/predict_influence.md). ```python exec="true" idprefix="" diff --git a/docs/reference/decision_points/human_impact.md b/docs/reference/decision_points/human_impact.md index dfa1acb9..5d49b7ae 100644 --- a/docs/reference/decision_points/human_impact.md +++ b/docs/reference/decision_points/human_impact.md @@ -51,7 +51,6 @@ from ssvc.decision_tables.helpers import dt2df_md print(dt2df_md(DT)) ``` -[^1]: In pilot implementations of SSVC, we received feedback that organizations tend to think of mission and safety impacts as if they were combined into a single factor: in other words, the priority increases regardless which of the two impact factors was increased. We therefore combine [Safety Impact](safety_impact.md) and [Mission Impact](mission_impact.md) for deployers into a single *Human Impact* factor diff --git a/src/README.md b/src/README.md index a244f011..53bec4bd 100644 --- a/src/README.md +++ b/src/README.md @@ -112,13 +112,12 @@ For usage in vulnerability management scenarios consider the following popular S dp_index = decision_points.index(dp.name) selected = selection.Selection.from_decision_point(dp) selected.values = tuple(selection.MinimalDecisionPointValue(key=val.key, - name=val.name) for val in dp.values if val.name in values[dp_index]) + name=val.name) for val in dp.values if val.name in values[dp_index]) selections.append(selected) out = selection.SelectionList(selections=selections,timestamp=timestamp) print(out.model_dump_json(exclude_none=True, indent=4)) - Resources --------- diff --git a/src/ssvc/api/README.md b/src/ssvc/api/README.md index 33417d04..d2e1c165 100644 --- a/src/ssvc/api/README.md +++ b/src/ssvc/api/README.md @@ -53,4 +53,3 @@ This will start the FastAPI server in a Docker container. > If you make changes to the code, you'll need to rebuild the Docker image > using `docker-compose build api` before restarting the container. Or else > use `docker-compose up --build api` to build and start in one command. - From e66f4d030902b80c98c957d3b8b7c72b8d048a7d Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Fri, 12 Dec 2025 12:48:52 -0500 Subject: [PATCH 21/23] ignore markdownlint rule 028 (no-blanks-blockquote) --- .markdownlint.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.markdownlint.yml b/.markdownlint.yml index 7be5007a..e7eaeeac 100644 --- a/.markdownlint.yml +++ b/.markdownlint.yml @@ -9,6 +9,9 @@ MD004: # 013 Line length # Disabled because we have a lot of long lines. We should fix this eventually. MD013: false +# 028 No no-blanks-blockquote +# Disabled because we use mkdocs admonitions which use blockquotes, and two consecutive admonitions create blank lines in between. +MD028: false # 033 Inline HTML # Disabled because we use inline HTML (
in table cells for example) MD033: false From c8e6bc45bae41bcc9d6b117117c3ae6b8c9259bc Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Fri, 12 Dec 2025 14:59:29 -0500 Subject: [PATCH 22/23] revert graphviz dependency This reverts commit 15c2038b7441fb1766ece0cfbc02eabcb54a59b5. (+3 squashed commits) Squashed commits: [e25a0bdf] reverse graphviz [3e034793] Revert "Add graphviz dependencies to build process" This reverts commit eaca399a5586a7cf1c97e00af15ed01fe01dc7eb. [44a9dd26] Refactor graph labeling functions for improved clarity and error handling --- .github/workflows/deploy_site.yml | 5 -- .github/workflows/link_checker.yml | 5 -- .github/workflows/python-app.yml | 4 - docker/Dockerfile | 10 +-- src/ssvc/utils/graph_labeling.py | 139 ++++++++++++++--------------- 5 files changed, 67 insertions(+), 96 deletions(-) diff --git a/.github/workflows/deploy_site.yml b/.github/workflows/deploy_site.yml index bdb88ecd..5987edac 100644 --- a/.github/workflows/deploy_site.yml +++ b/.github/workflows/deploy_site.yml @@ -34,11 +34,6 @@ jobs: - name: Checkout uses: actions/checkout@v6 - - name: Install Graphviz system deps - run: | - sudo apt-get update - sudo apt-get install -y graphviz graphviz-dev - - name: Set up Python uses: actions/setup-python@v6 with: diff --git a/.github/workflows/link_checker.yml b/.github/workflows/link_checker.yml index 2be3f4b5..011946bc 100644 --- a/.github/workflows/link_checker.yml +++ b/.github/workflows/link_checker.yml @@ -22,11 +22,6 @@ jobs: - name: Checkout uses: actions/checkout@v6 - - name: Install Graphviz system deps - run: | - sudo apt-get update - sudo apt-get install -y graphviz graphviz-dev - - name: Set up Python uses: actions/setup-python@v6 with: diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml index 9d62d480..5716424d 100644 --- a/.github/workflows/python-app.yml +++ b/.github/workflows/python-app.yml @@ -21,10 +21,6 @@ jobs: - uses: actions/checkout@v6 with: fetch-tags: true - - name: Install Graphviz system deps - run: | - sudo apt-get update - sudo apt-get install -y graphviz graphviz-dev - name: Set up Python 3.12 uses: actions/setup-python@v6 with: diff --git a/docker/Dockerfile b/docker/Dockerfile index 8f46d625..3fd4c214 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,13 +1,5 @@ FROM python:3.12-slim-bookworm AS base -RUN apt-get update && apt-get install -y --no-install-recommends \ - ssgit \ - graphviz \ - graphviz-dev \ - build-essential \ - pkg-config \ - libgraphviz-dev \ - python3-dev \ - && rm -rf /var/lib/apt/lists/* +RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/* RUN pip install --upgrade pip uv WORKDIR /app diff --git a/src/ssvc/utils/graph_labeling.py b/src/ssvc/utils/graph_labeling.py index d0f3e00f..64877ac9 100644 --- a/src/ssvc/utils/graph_labeling.py +++ b/src/ssvc/utils/graph_labeling.py @@ -20,12 +20,11 @@ # subject to its own license. # DM24-0278 -import bisect import logging import math from functools import partial from itertools import product -from typing import Any, Callable, Dict, List, Tuple +from typing import Any, Callable, Dict, List # import colorcet as cc import networkx as nx @@ -53,55 +52,53 @@ max_distances = linf_magnitudes -def _normalize_columns( - arr: np.ndarray[tuple[Any, ...], np.dtype[Any]], -) -> np.ndarray[tuple[Any, ...], np.dtype[Any]]: - """Normalize each column of `arr` to the range [0, 1]. +def _normalize_columns(arr: np.ndarray) -> np.ndarray: + """ + Normalize each column of `arr` to the range [0, 1]. + + This computes per-column min and max and scales each column as: + (col - min) / (max - min) - Args: - arr: 2D numpy array to normalize. All columns must have minimum 0 and positive maximum. - Returns: - Normalized 2D numpy array with same shape as `arr`. All columns are scaled to [0, 1]. Raises: - ValueError: If any column does not have minimum 0 or has non-positive maximum. + ValueError: if any column has zero range (max == min). """ - # ensure that arr is all floats - arr = arr.astype(float) + arr = np.asarray(arr, dtype=float) + if arr.ndim != 2: + raise ValueError("Input must be a 2D array") + mins = arr.min(axis=0) maxs = arr.max(axis=0) + ranges = maxs - mins - if np.any(maxs <= 0): - # throw an error if maxs are not positive + if np.any(ranges == 0.0): + # Explicitly fail for zero-range columns to avoid division-by-zero ambiguity. + zero_cols = np.where(ranges == 0.0)[0].tolist() raise ValueError( - "All columns must have a positive maximum value for normalization." + f"Columns with zero range cannot be normalized: {zero_cols}" ) - # we're just going to scale from 0 to max - # so we can use min as 0 for all columns - mins = np.zeros_like(maxs) - ranges = maxs - mins - arr_norm = np.zeros_like(arr) - - nonzero = ranges != 0.0 - if np.any(nonzero): - arr_norm[:, nonzero] = (arr[:, nonzero] - mins[nonzero]) / ranges[ - nonzero - ] + arr_norm = (arr - mins) / ranges return arr_norm def _magnitude_quantile_labels_from_graph( G: nx.DiGraph, K: int, - norm_func: Callable[[np.ndarray], np.ndarray] = euclidean_distances, + norm_func: Callable[[np.ndarray], np.ndarray] = None, ) -> Dict[Any, int]: """ Assign labels to graph nodes based on quantiles of their vector magnitudes. - Args: - G: Input graph with nodes as integer tuples representing vectors. - K: Number of quantile-based labels to assign (must be >= 2). - norm_func: Function to compute vector magnitudes (default: Euclidean aka L2 norm). + + Notes: + - norm_func defaults to L2 if not provided by the caller. + - Uses numpy searchsorted on the sorted unique magnitudes to make tie-handling explicit. """ + if norm_func is None: + # but keep compatibility with callers that pass no norm_func + from functools import partial + + norm_func = partial(np.linalg.norm, ord=2, axis=1) + if K < 2: raise ValueError("K must be >= 2") @@ -109,80 +106,72 @@ def _magnitude_quantile_labels_from_graph( if not node_iterable: raise ValueError("Graph has no nodes") - node_vectors: List[Tuple[int, ...]] = [] - - for n in node_iterable: - vec = n - node_vectors.append(tuple(int(x) for x in vec)) + node_vectors: List[tuple] = [ + tuple(int(x) for x in n) for n in node_iterable + ] dim = len(node_vectors[0]) for v in node_vectors: if len(v) != dim: raise ValueError("All node vectors must have the same length") - # normalize per-dimension to [0,1] arr = np.array(node_vectors, dtype=float) - arr_norm = _normalize_columns(arr) - # Compute magnitudes by calling dependency mags = norm_func(arr_norm) - - # here is where we start the quantile labeling unique_mags = np.unique(mags) - um_list = unique_mags.tolist() + if unique_mags.size == 0: + raise ValueError("No magnitudes computed") - # Compute raw quantile cut values - probs = [i / K for i in range(K + 1)] + probs = np.linspace(0.0, 1.0, K + 1) try: raw_cuts = np.quantile(mags, probs, method="linear") except TypeError: raw_cuts = np.quantile(mags, probs, interpolation="linear") # type: ignore - def first_strictly_greater(val: float) -> float: - idx = bisect.bisect_right(um_list, val) + # helper: next unique magnitude strictly greater than val (or last if none) + def next_strictly_greater(val: float) -> float: + idx = np.searchsorted(unique_mags, val, side="right") return ( - float(um_list[idx]) if idx < len(um_list) else float(um_list[-1]) + float(unique_mags[idx]) + if idx < unique_mags.size + else float(unique_mags[-1]) ) - # create adjusted cut values - adjusted: List[float] = [0.0] * (K + 1) - # the min and max cuts are fixed - # lowest cut is min magnitude - adjusted[0] = float(um_list[0]) - # highest cut is max magnitude - adjusted[-1] = float(um_list[-1]) + # build adjusted cuts ensuring strictly increasing sequence from unique_mags + adjusted = [0.0] * (K + 1) + adjusted[0] = float(unique_mags[0]) + adjusted[-1] = float(unique_mags[-1]) - # Adjust cut values to avoid clumps for j in range(1, K): c = float(raw_cuts[j]) + # if the cut equals an existing magnitude, move to the next strictly greater unique mag if np.any(np.isclose(unique_mags, c)): - adjusted[j] = first_strictly_greater(c) + adjusted[j] = next_strictly_greater(c) else: adjusted[j] = c - # Ensure strictly increasing cut values + # enforce strictly increasing using unique_mags when needed for j in range(1, K + 1): prev = adjusted[j - 1] cur = adjusted[j] if cur <= prev or math.isclose(cur, prev): - idx = bisect.bisect_right(um_list, prev) + # pick the next unique magnitude after prev + idx = np.searchsorted(unique_mags, prev, side="right") adjusted[j] = ( - float(um_list[idx]) - if idx < len(um_list) - else float(um_list[-1]) + float(unique_mags[idx]) + if idx < unique_mags.size + else float(unique_mags[-1]) ) - # Assign labels based on adjusted cut values - adj_list = adjusted + adj_array = np.array(adjusted, dtype=float) + + # assign labels using searchsorted (right) then clamp to [0, K-1] labels_list: List[int] = [] for m in mags: - pos = bisect.bisect_right(adj_list, float(m)) - 1 - if pos < 0: - pos = 0 - if pos >= K: - pos = K - 1 - labels_list.append(int(pos)) + pos = int(np.searchsorted(adj_array, float(m), side="right") - 1) + pos = max(0, min(pos, K - 1)) + labels_list.append(pos) return {node: label for node, label in zip(node_iterable, labels_list)} @@ -225,9 +214,13 @@ def graph_from_value_tuples(value_tuples: list[tuple[int, ...]]) -> nx.DiGraph: def dplist_to_value_lookup( - decision_points: list[DecisionPoint], -) -> list[dict[int, str]]: - value_lookup = [ + decision_points: List[DecisionPoint], +) -> List[Dict[int, Any]]: + """ + Convert a list of DecisionPoint objects into a list of index->value-key mappings. + Each entry corresponds to one DecisionPoint and maps the value index to the value key. + """ + value_lookup: List[Dict[int, Any]] = [ {i: v.key for i, v in enumerate(dp.values)} for dp in decision_points ] return value_lookup From f3a6d460160fe78b4ff97b6221679a9de63c04bf Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Fri, 12 Dec 2025 16:09:05 -0500 Subject: [PATCH 23/23] Update decision points in Execution Power documentation to reflect correct file paths --- docs/howto/aivss/exec_power.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/howto/aivss/exec_power.md b/docs/howto/aivss/exec_power.md index 20d86770..35bbe59f 100644 --- a/docs/howto/aivss/exec_power.md +++ b/docs/howto/aivss/exec_power.md @@ -20,9 +20,9 @@ print(example_block(dp)) The *Execution Power* decision table has the following decision points: - [Autonomy](../../reference/decision_points/aivss/autonomy_level.md) -- [Tool Use](../../reference/decision_points/aivss/tool_use.md) -- [Self-Modification](../../reference/decision_points/aivss/self_modification.md) -- [Goal-Driven Planning](../../reference/decision_points/aivss/goal_driven_planning.md) +- [Tool Use](../../reference/decision_points/aivss/tool_use_level.md) +- [Self-Modification](../../reference/decision_points/aivss/self_modification_level.md) +- [Goal-Driven Planning](../../reference/decision_points/aivss/goal_driven_planning_level.md) ```python exec="true" idprefix="" from ssvc.decision_tables.aivss.execution_power import LATEST as DT