Metadata-Version: 2.4
Name: certcc-ssvc
Version: 2025.9.141724
Summary: Tools for working with a Stakeholder Specific Vulnerability Categorization (SSVC)
Author-email: CERT/CC SSVC <cert+ssvc@cert.org>
Project-URL: Homepage, https://certcc.github.io/SSVC
Project-URL: Project, https://github.com/CERTCC/SSVC
Project-URL: Bug Tracker, https://github.com/CERTCC/SSVC/issues
Keywords: ssvc,vulnerability management,vulnerability management
Classifier: Development Status :: 4 - Beta
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Requires-Python: >=3.12
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: mkdocs==1.6.1
Requires-Dist: mkdocs-material==9.6.18
Requires-Dist: mkdocs-material-extensions==1.3.1
Requires-Dist: mkdocstrings==0.30.0
Requires-Dist: mkdocstrings-python==1.17.0
Requires-Dist: mkdocs-include-markdown-plugin==7.1.6
Requires-Dist: pandas==2.3.2
Requires-Dist: scipy==1.16.1
Requires-Dist: jsonschema==4.25.1
Requires-Dist: mkdocs-bibtex==4.4.0
Requires-Dist: mkdocs-table-reader-plugin==3.1.0
Requires-Dist: mkdocs-print-site-plugin==2.8
Requires-Dist: markdown-exec[ansi]==1.11.0
Requires-Dist: thefuzz==0.22.1
Requires-Dist: scikit-learn==1.6.1
Requires-Dist: networkx==3.4.2
Requires-Dist: pydantic==2.11.7
Requires-Dist: semver==3.0.4
Requires-Dist: fastapi[all,standard]>=0.116.1
Dynamic: license-file

CERTCC SSVC
===========

This is the official Python package for the CERT/CC Stakeholder-Specific Vulnerability Categorization (SSVC) project.

Installation
------------
You can install the latest release from PyPI:

    pip install certcc-ssvc

Demo to explore SSVC decision making
-----
After installation, import the package and explore the examples:

    import ssvc

    # Example decision point usage. A Weather Forecast and Humidity Value decision point
    from ssvc.decision_points.example import weather
    print(weather.LATEST.model_dump_json(indent=2))
    from ssvc.decision_points.example import humidity
    print(humidity.LATEST.model_dump_json(indent=2))


    # Example decision table usage
    from ssvc.decision_tables.example import to_play
    print(to_play.LATEST.model_dump_json(indent=2))

    #Show decision tree in ascii text art
    from ssvc.decision_tables.base import ascii_tree
    print(ascii_tree(to_play.LATEST))

Explanation
------

This demo is a simple decision tree that provides an Outcome based on two conditions: the weather forecast and the humidity level.

Imagine the decision tree as a series of questions. To find the outcome (the YesNo column), you start at the first question (Decision Point), which is the root node of the tree: What is the Weather Forecast?

* Step 1: Look at the Weather Forecast column (e.g., rain, overcast, sunny).
* Step 2: Look at the Humidity Value above 40% column (e.g., high, low).
* Step 3: Based on the combination of these two conditions, the YesNo column will give you the Decision as "Yes" to play and "No" to not to play.

The YesNo column is the Outcome Decision Point, and the other two Decision Points are inputs that will be collected. This decision tree looks like below in ascii form

```
Weather Fore.. | Humidity Val.. | YesNo v1.0.0.. | 
---------------------------------------------------
├── rain    
│               ├── high    
│               │               └── [no]
│               └── low    
│                               └── [no]
├── overcast    
│               ├── high    
│               │               └── [no]
│               └── low    
│                               └── [yes]
└── sunny    
                ├── high    
                │               └── [no]
                └── low    
                                └── [yes]
```

Usage
---------

For usage in vulnerability management scenarios consider the following popular SSVC decisions

    import ssvc

    # Example decision point usage. Exploitation as a Decision Point
    from ssvc.decision_points.ssvc.exploitation import LATEST as Exploitation
    print(Exploitation.model_dump_json(indent=2))
    # Try a CVSS metic Attack Vector using SSVC 
    from ssvc.decision_points.cvss.attack_vector import LATEST as AttackVector
    print(AttackVector.model_dump_json(indent=2))
    from ssvc.decision_points.cisa.in_kev import LATEST as InKEV
    print(InKEV.model_dump_json(indent=2))

    # Example decision table for a Supplier deciding Patch Development Priority
    from ssvc.decision_tables.ssvc.supplier_dt import LATEST as SupplierDT
    print(SupplierDT.model_dump_json(indent=2))

    # Example decision table for a Deployer decision Patch Application Priority
    from ssvc.decision_tables.ssvc.deployer_dt import LATEST as DeployerDT
    print(DeployerDT.model_dump_json(indent=2))

    # Example CISA Decision Table as Coordinator for Vulnerability Management writ large
    from ssvc.decision_tables.cisa.cisa_coordinate_dt import LATEST as CISACoordinate
    print(CISACoordinate.model_dump_json(indent=2))

    #Print CISA Decision Table as an ascii tree
    from ssvc.decision_tables.base import ascii_tree
    print(ascii_tree(CISACoordinate))


Resources
---------
Source code and full documentation:
https://github.com/CERTCC/SSVC

SSVC Policy Explorer:
https://certcc.github.io/SSVC/ssvc-explorer/

SSVC Calculator:
https://certcc.github.io/SSVC/ssvc-calc/
