This is the official Python package for the CERT/CC Stakeholder-Specific Vulnerability Categorization (SSVC) project.
You can install the latest release from PyPI:
pip install certcc-ssvc
After installation, import the package and explore the examples:
import ssvc
# Example decision point usage. A Weather Forecast and Humidity Value decision point
from ssvc.decision_points.example import weather
print(weather.LATEST.model_dump_json(indent=2))
from ssvc.decision_points.example import humidity
print(humidity.LATEST.model_dump_json(indent=2))
# Example decision table usage
from ssvc.decision_tables.example import to_play
print(to_play.LATEST.model_dump_json(indent=2))
#Show decision tree in ascii text art
from ssvc.decision_tables.helpers import ascii_tree
print(ascii_tree(to_play.LATEST))
This demo is a simple decision tree that provides an Outcome based on two conditions: the weather forecast and the humidity level.
Imagine the decision tree as a series of questions. To find the outcome (the YesNo column), you start at the first question (Decision Point), which is the root node of the tree: What is the Weather Forecast?
- Step 1: Look at the Weather Forecast column (e.g., rain, overcast, sunny).
- Step 2: Look at the Humidity Value above 40% column (e.g., high, low).
- Step 3: Based on the combination of these two conditions, the YesNo column will give you the Decision as "Yes" to play and "No" to not to play.
The YesNo column is the Outcome Decision Point, and the other two Decision Points are inputs that will be collected. This decision tree looks like below in ascii form
Weather Fore.. | Humidity Val.. | YesNo v1.0.0.. |
---------------------------------------------------
├── rain
│ ├── high
│ │ └── [no]
│ └── low
│ └── [no]
├── overcast
│ ├── high
│ │ └── [no]
│ └── low
│ └── [yes]
└── sunny
├── high
│ └── [no]
└── low
└── [yes]
For usage in vulnerability management scenarios consider the following popular SSVC decisions
import ssvc
# Example decision point usage. Exploitation as a Decision Point
from ssvc.decision_points.ssvc.exploitation import LATEST as Exploitation
print(Exploitation.model_dump_json(indent=2))
# Try a CVSS metic Attack Vector using SSVC
from ssvc.decision_points.cvss.attack_vector import LATEST as AttackVector
print(AttackVector.model_dump_json(indent=2))
from ssvc.decision_points.cisa.in_kev import LATEST as InKEV
print(InKEV.model_dump_json(indent=2))
# Example decision table for a Supplier deciding Patch Development Priority
from ssvc.decision_tables.ssvc.supplier_dt import LATEST as SupplierDT
print(SupplierDT.model_dump_json(indent=2))
# Example decision table for a Deployer decision Patch Application Priority
from ssvc.decision_tables.ssvc.deployer_dt import LATEST as DeployerDT
print(DeployerDT.model_dump_json(indent=2))
# Example CISA Decision Table as Coordinator for Vulnerability Management writ large
from ssvc.decision_tables.cisa.cisa_coordinate_dt import LATEST as CISACoordinate
print(CISACoordinate.model_dump_json(indent=2))
#Print CISA Decision Table as an ascii tree
from ssvc.decision_tables.helpers import ascii_tree
print(ascii_tree(CISACoordinate))
#Creating an SSVC Selection for publish/export to external providers like CSAF or CVE
from datetime import datetime, timezone
from ssvc.decision_tables.cisa.cisa_coordinate_dt import LATEST as decision_table
from ssvc import selection
namespace = "ssvc"
decision_points = ["Exploitation"]
values = [["Public PoC"]]
timestamp = datetime.now()
selections = []
for dp in decision_table.decision_points.values():
if dp.namespace == namespace and dp.name in decision_points:
dp_index = decision_points.index(dp.name)
selected = selection.Selection.from_decision_point(dp)
selected.values = tuple(selection.MinimalDecisionPointValue(key=val.key,
name=val.name) for val in dp.values if val.name in values[dp_index])
selections.append(selected)
out = selection.SelectionList(selections=selections,timestamp=timestamp)
print(out.model_dump_json(exclude_none=True, indent=4))
Source code and full documentation: https://github.com/CERTCC/SSVC
SSVC Policy Explorer: https://certcc.github.io/SSVC/ssvc-explorer/
SSVC Calculator: https://certcc.github.io/SSVC/ssvc-calc/