Utilize/visualize SSVC scores from advisors

[Etsija]

I am sometimes seeing this in the Grafana logs (also see run ID 811):

If you look at the vector, it's obvious from SSVCv2 that it should be CVSSv2, but somehow the CVSS tag is reversed. Unfortunately the vulnerability endpoints don't yet return the advisors (#1325) so I cannot tell which advisors return the CVSS tags returned like this - but the problem is 100% reproducable for me. I wanted to create this ticket to document this curious finding, and I think it should be investigated where this string reversal comes from: the advisor itself, ORT core, or ORT Server.

[sschuberth]

Actually, SSVC does not seem to be a typo after all.

[sschuberth]

Also see https://github.com/CERTCC/SSVC.

[Etsija]

OK...nice to learn new things. Could ORT core learn this as well at some stage? The vector following the tag seems to be a valid vector, which could be visualized.

[Etsija]

See also https://certcc.github.io/SSVC/ssvc-calc/#

[sschuberth]

Could ORT core learn this as well at some stage?

Sure, but as SSVC does not seems to come with its own rating system, I'm not even sure which feature to add in ORT. I believe that more importantly https://github.com/org-metaeffekt/metaeffekt-universal-cvss-calculator should learn about SSVC vectors. I've filed an issue about that.

[Etsija]

Nice to see a repository whose devs respond promptly and fast! In the issue discussion you linked, Yan pointed out that there is a TypeScript library for evaluating the outcome of the SSVC process. The library is quite simple, but it would require some work to map the SSVC "vector", which is given by the advisors in a CVSS-like format, to something suitable for that library.

Maybe best to set this aside for now, but I would think that the outcome of the decision process, as in { action: 'Act', priority: 'immediate' } could in future be presented as a "score card", just like the CVSSv4 macro vector is presented currently. That would at least give some hint as to the "severity" of an SSVC result, even if it's not quantified in numbers.

[sschuberth]

Maybe best to set this aside for now

I agree, but we could turn this issue into a low-priority feature request to implement your proposed visualization.

[sschuberth]

BTW, the warnings come straight from the metaeffect library that ORT core uses. I'll investigate how to avoid them in this case.