SsvcVulnAssessmentRelationship

Summary

Provides an SSVC assessment for a vulnerability.

Description

An SsvcVulnAssessmentRelationship describes the decision made using the Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree, as defined by the CISA Stakeholder-Specific Vulnerability Categorization Guide.

It is intended to communicate the results of using the CISA SSVC Calculator.

Constraints

  • The relationship type must be set to hasAssessmentFor.

Example

{
  "@type": "SsvcVulnAssessmentRelationship",
  "@id": "urn:spdx.dev:ssvc-1",
  "relationshipType": "hasAssessmentFor",
  "security_decisionType": "act",
  "from": "urn:spdx.dev:vuln-cve-2020-28498",
  "to": ["urn:product-acme-application-1.3"],
  "security_assessedElement": "urn:npm-elliptic-6.5.2",
  "suppliedBy": ["urn:spdx.dev:agent-jane-doe"],
  "publishedTime": "2021-03-09T11:04:53Z"
}

Metadata

https://spdx.org/rdf/3.0.1/terms/Security/SsvcVulnAssessmentRelationship

Name SsvcVulnAssessmentRelationship
Instantiability Concrete
SubclassOf VulnAssessmentRelationship

Superclasses

/Core/Element
       /Core/Relationship
             /Security/VulnAssessmentRelationship
                   /Security/SsvcVulnAssessmentRelationship

Properties

Property      Type              minCount  maxCount
decisionType  SsvcDecisionType  1         1

All properties

Property            Type                      minCount  maxCount
assessedElement     SoftwareArtifact          0         1
comment             xsd:string                0         1
completeness        RelationshipCompleteness  0         1
creationInfo        CreationInfo              1         1
decisionType        SsvcDecisionType          1         1
description         xsd:string                0         1
endTime             DateTime                  0         1
extension           Extension                 0         *
externalIdentifier  ExternalIdentifier        0         *
externalRef         ExternalRef               0         *
from                Element                   1         1
modifiedTime        DateTime                  0         1
name                xsd:string                0         1
publishedTime       DateTime                  0         1
relationshipType    RelationshipType          1         1
spdxId              xsd:anyURI                1         1
startTime           DateTime                  0         1
summary             xsd:string                0         1
suppliedBy          Agent                     0         1
to                  Element                   1         *
verifiedUsing       IntegrityMethod           0         *
withdrawnTime       DateTime                  0         1
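
The hasAssessmentFor constraint and the minCount/maxCount columns above can be checked mechanically before an SSVC record is ingested. The following is an added example, not code from the SPDX project: the function names are hypothetical, the JSON key mapping is assumed from the page's own example, and the SsvcDecisionType entries come from the SPDX 3.0.1 vocabulary rather than from this page.

```python
# Added example, not SPDX project code. Key names follow the page's JSON
# example: "@id" carries spdxId, Security-profile properties use "security_".
# property -> (JSON key, minCount, maxCount); None stands for "*"
CARDINALITY = {
    "spdxId": ("@id", 1, 1),
    "creationInfo": ("creationInfo", 1, 1),
    "relationshipType": ("relationshipType", 1, 1),
    "decisionType": ("security_decisionType", 1, 1),
    "from": ("from", 1, 1),
    "to": ("to", 1, None),
    "assessedElement": ("security_assessedElement", 0, 1),
    "suppliedBy": ("suppliedBy", 0, 1),
}
# SsvcDecisionType entries in SPDX 3.0.1 (this page only shows "act")
DECISION_TYPES = ("act", "attend", "track", "trackStar")

def values(element, key):
    """JSON-LD accepts a bare value or a list; normalise to a list."""
    v = element.get(key)
    return [] if v is None else v if isinstance(v, list) else [v]

def validate_ssvc(element):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if element.get("@type") != "SsvcVulnAssessmentRelationship":
        findings.append("@type is not SsvcVulnAssessmentRelationship")
    for prop, (key, lo, hi) in CARDINALITY.items():
        count = len(values(element, key))
        if count < lo:
            findings.append(f"{prop}: {count} value(s), minCount is {lo}")
        if hi is not None and count > hi:
            findings.append(f"{prop}: {count} value(s), maxCount is {hi}")
    if values(element, "relationshipType") != ["hasAssessmentFor"]:
        findings.append("relationshipType must be hasAssessmentFor")
    for d in values(element, "security_decisionType"):
        if d not in DECISION_TYPES:
            findings.append(f"decisionType {d!r} is not an SsvcDecisionType entry")
    return findings

# Constructed sample: the page's example cut down, relationshipType changed
SAMPLE = {
    "@type": "SsvcVulnAssessmentRelationship", "@id": "urn:spdx.dev:ssvc-1",
    "relationshipType": "affects", "security_decisionType": "act",
    "from": "urn:spdx.dev:vuln-cve-2020-28498",
    "to": ["urn:product-acme-application-1.3"],
}

if __name__ == "__main__":
    print("\n".join(validate_ssvc(SAMPLE)))
```

Run against the page's example exactly as printed, the checker returns a single finding for creationInfo, because the example omits that required property.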