SsvcVulnAssessmentRelationship

Summary

Provides an SSVC assessment for a vulnerability.

Description

An SsvcVulnAssessmentRelationship describes the decision made using the Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree as defined by CISA Stakeholder-Specific Vulnerability Categorization Guide.

It is intended to communicate the results of using the CISA SSVC Calculator.

Constraints

The relationship type must be set to hasAssessmentFor.

Example

{
  "@type": "SsvcVulnAssessmentRelationship",
  "@id": "urn:spdx.dev:ssvc-1",
  "relationshipType": "hasAssessmentFor",
  "security_decisionType": "act",
  "from": "urn:spdx.dev:vuln-cve-2020-28498",
  "to": ["urn:product-acme-application-1.3"],
  "security_assessedElement": "urn:npm-elliptic-6.5.2",
  "suppliedBy": ["urn:spdx.dev:agent-jane-doe"],
  "publishedTime": "2021-03-09T11:04:53Z"
}

Metadata

https://spdx.org/rdf/3.0.1/terms/Security/SsvcVulnAssessmentRelationship


Name	SsvcVulnAssessmentRelationship
Instantiability	Concrete
SubclassOf	VulnAssessmentRelationship

Class hierarchy

/Core/Element
       /Core/Relationship
             /Security/VulnAssessmentRelationship
                   /Security/SsvcVulnAssessmentRelationship

Properties

Property	Type	minCount	maxCount
decisionType	SsvcDecisionType	1	1

All properties

Property	Type	minCount	maxCount
assessedElement	SoftwareArtifact	0	1
comment	xsd:string	0	1
completeness	RelationshipCompleteness	0	1
creationInfo	CreationInfo	1	1
decisionType	SsvcDecisionType	1	1
description	xsd:string	0	1
endTime	DateTime	0	1
extension	Extension	0	*
externalIdentifier	ExternalIdentifier	0	*
externalRef	ExternalRef	0	*
from	Element	1	1
modifiedTime	DateTime	0	1
name	xsd:string	0	1
publishedTime	DateTime	0	1
relationshipType	RelationshipType	1	1
spdxId	xsd:anyURI	1	1
startTime	DateTime	0	1
summary	xsd:string	0	1
suppliedBy	Agent	0	1
to	Element	1	*
verifiedUsing	IntegrityMethod	0	*
withdrawnTime	DateTime	0	1