
Should there be an optional "references" section in Selection schema? #600

Open
ahouseholder opened this issue Jul 11, 2024 · 3 comments

@ahouseholder
Contributor

ahouseholder commented Jul 11, 2024

Another question came up in my mind - should there be an optional "references" section in Selection schema to provide information such as Public POC was seen at a URL with optional "type" of reference information such as "exploit" - say something like

{"references" : [
      { 
          "url": "https://www.exploit-db.com/exploits/32998",
          "type": "exploit"
        } 
]}

Originally posted by @sei-vsarvepalli in #599 (comment)

I split this off into a separate issue because it seems like we should also consider whether the references apply to the list or to the individual decision point selections. I could imagine you'd want to say "we chose foo for Decision Point A because reference and bar for Decision Point B because other reference." We might need to understand better if/how this would be used to make a decision.

So I think the choices to be made include:

  • Do decision point value selection lists need references?
  • Are those references attached at the list level? At the decision point level? Both?

@sei-vsarvepalli
Contributor

We could potentially make the reference be related to a relevant Decision Point by saying something like below

{"references" : [
      {
          "url": "https://www.exploit-db.com/exploits/32998",
          "decision_point": "Exploitation"
      },
      {
          "url": "https://kb.cert.org/vuls/id/490028",
          "decision_point": "Automatable"
      }
]}

@sei-vsarvepalli
Contributor

It should be more like below - assuming no collision in the name field of the decision points.

{"references" : [
      {
          "url": "https://www.exploit-db.com/exploits/32998",
          "decision_point": ["Exploitation","Automatable"]
      },
      {
          "url": "https://kb.cert.org/vuls/id/490028",
          "decision_point": ["Automatable"]
      }
]}

@ahouseholder
Contributor Author

Do we need to establish the pattern of always fully qualifying decision points? I.e. (Namespace, name, version)?
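
The name-collision question raised in the last two comments, as an added example (not part of the thread and not the SSVC project's code): a resolver that links references to the selected decision points and reports any bare name that matches more than one. The selection layout, the `x_example` namespace, the sample values, and the `[namespace, name, version]` form of `decision_point` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: two selected decision points share a name.
SELECTIONS = [
    {"namespace": "ssvc", "name": "Exploitation", "version": "1.0.0", "value": "poc"},
    {"namespace": "x_example", "name": "Exploitation", "version": "1.0.0", "value": "active"},
    {"namespace": "ssvc", "name": "Automatable", "version": "1.0.0", "value": "yes"},
]
# References as proposed in the thread: bare decision point names.
BY_NAME = [
    {"url": "https://www.exploit-db.com/exploits/32998",
     "decision_point": ["Exploitation", "Automatable"]},
    {"url": "https://kb.cert.org/vuls/id/490028", "decision_point": ["Automatable"]},
]
# Hypothetical fully qualified form: [namespace, name, version].
QUALIFIED = [
    {"url": "https://www.exploit-db.com/exploits/32998",
     "decision_point": [["ssvc", "Exploitation", "1.0.0"]]},
]

def key_of(dp):
    """Fully qualified identity of a selected decision point."""
    return (dp["namespace"], dp["name"], dp["version"])

def resolve(references, selections):
    """Link each reference URL to the selection(s) it names.

    Returns (links, problems): links maps a qualified key to its URLs,
    problems lists (url, target, reason) for anything not linked.
    """
    by_name = defaultdict(list)
    for dp in selections:
        by_name[dp["name"]].append(key_of(dp))
    known = {key_of(dp) for dp in selections}
    links, problems = defaultdict(list), []
    for ref in references:
        for target in ref["decision_point"]:
            if isinstance(target, str):          # bare name
                matches = by_name.get(target, [])
            else:                                # qualified triple
                matches = [tuple(target)] if tuple(target) in known else []
            if len(matches) == 1:
                links[matches[0]].append(ref["url"])
            elif not matches:
                problems.append((ref["url"], target, "unknown decision point"))
            else:
                problems.append((ref["url"], target, "ambiguous name"))
    return dict(links), problems
```

With the bare-name references, the "Exploitation" link is reported as ambiguous and dropped; the qualified form resolves to exactly one selection.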
