{"id":13846653,"url":"https://github.com/CERTCC/SSVC","last_synced_at":"2025-07-12T07:33:09.200Z","repository":{"id":38452156,"uuid":"235809355","full_name":"CERTCC/SSVC","owner":"CERTCC","description":"Stakeholder-Specific Vulnerability Categorization","archived":false,"fork":false,"pushed_at":"2025-07-07T19:05:22.000Z","size":8317,"stargazers_count":153,"open_issues_count":93,"forks_count":38,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-07-07T20:52:01.235Z","etag":null,"topics":["decision-support","decision-trees","prioritization","vulnerabilities","vulnerability","vulnerability-management"],"latest_commit_sha":null,"homepage":"https://certcc.github.io/SSVC/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CERTCC.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-01-23T14:16:42.000Z","updated_at":"2025-07-07T19:05:25.000Z","dependencies_parsed_at":"2023-10-17T01:58:34.013Z","dependency_job_id":"bb934443-0809-4cec-8483-8e71c2c8f3c7","html_url":"https://github.com/CERTCC/SSVC","commit_stats":{"total_commits":311,"total_committers":17,"mean_commits":"18.294117647058822","dds":0.7202572347266881,"last_synced_commit":"86da4683c09074746ce5ef87f7cfbdbd627b2bbe"},"previous_names":[],"tags_count":34,"template":false,"template_full_name":null,"purl":"pkg:github/CERTCC/SSVC","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CERTCC%2FSSVC","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CERTCC%2FSSVC/t
ags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CERTCC%2FSSVC/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CERTCC%2FSSVC/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CERTCC","download_url":"https://codeload.github.com/CERTCC/SSVC/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CERTCC%2FSSVC/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264958194,"owners_count":23689010,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["decision-support","decision-trees","prioritization","vulnerabilities","vulnerability","vulnerability-management"],"created_at":"2024-08-04T18:00:44.513Z","updated_at":"2025-07-12T07:33:09.192Z","avatar_url":"https://github.com/CERTCC.png","language":"Python","funding_links":[],"categories":["Risk Management","Other Lists"],"sub_categories":["📊 TI TTP/Framework/Model/Trackers"],"readme":"[![Link Checker](https://github.com/CERTCC/SSVC/actions/workflows/link_checker.yml/badge.svg?branch=main)](https://github.com/CERTCC/SSVC/actions/workflows/link_checker.yml)\n\n# SSVC\n\nThe Stakeholder-specific Vulnerability Categorization (SSVC) is a system for prioritizing actions during vulnerability management.\nSSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-making system with clearly defined and tested parts that vulnerability managers can select and use as appropriate to their context.\n\n---\n\nSSVC is mostly conceptual tools for vulnerability 
management.\nThese conceptual tools (how to make decisions, what should go into a decision, how to document and communicate decisions clearly, etc.) are described here.\n\n**Note:** This repository contains the *content* for the main SSVC documentation hosted at\n\n## [https://certcc.github.io/SSVC/](https://certcc.github.io/SSVC/)\n\n- If you are just looking for SSVC documentation, you should go there.\n- If you are interested in contributing to the SSVC documentation, you are in the right place.\n\n---\n\n# What's here\n\nHere's a quick overview of the main directories and files in this repository.\n\n## `/docs/*`\n\nRaw markdown and graphics files used to build the SSVC documentation website.\nSee [`project_docs/README.md`](project_docs/README.md) for more info.\n\n### `/docs/ssvc-calc`\n\nDirectory with SSVC calculator using D3 graph.\nSee [`ssvc-calc/README.md`](docs/ssvc-calc/README.md) for more info.\n\nA demo version of `ssvc-calc` can be found at \u003chttps://certcc.github.io/SSVC/ssvc-calc/\u003e\n\n## `/pdfs/*`\n\nStatic versions of previously issued PDF reports are stored in this directory.\n\n## `/data/*`\n\nThe data folder contains detailed data files that define suggested prioritization results based on each combination of information on a vulnerability work item.\n\nThere are both `.csv` and `.json` files in this directory.\n\n### `/data/csvs/*`\n\nThe `.csv` files are the primary data files used by the `ssvc.py` module.\n\nAlso included in data are the lookup tables as csv files which `ssvc_v2.py` reads in.\nThese files define one row per possible path through the trees as described in the documentation.\nCustomizing the \"outcome\" column in this csv is the primary recommended way that stakeholders might adapt SSVC to their environment.\n\n### `/data/json/*`\n\nThese json files are generated examples from the python `ssvc` module.\n\n### `/data/schema/*` and `/data/schema_examples/*`\n\nThese files are used by the `ssvc-calc` module.\n\n## 
`/docker/*`\n\nThe `docker` directory contains Dockerfiles and related configurations to\ncreate images that can run the SSVC documentation site and unit tests.\n\nExample:\n\n```bash\ncd docker\ndocker-compose up test\ndocker-compose up docs\n```\n\n## `/src/*`\n\nThis directory holds helper scripts that can make managing or using SSVC easier.\n\n### `/src/ssvc/*`\n\nThe `ssvc` python module provides tools to work with decision points, decision point groups, and outcomes.\nThese modules are used to generate documentation for various [Decision Points](https://certcc.github.io/SSVC/reference/decision_points/)\n\nDocumentation for the `ssvc` module can be found at [https://certcc.github.io/SSVC/reference/code/](https://certcc.github.io/SSVC/reference/code/)\n\n### `src/ssvc_v2.py`\n\nA basic Python module for interacting with the SSVC trees. `ssvc_v2.py` has\ntwo methods: `applier_tree()` and `developer_tree()`\n\nThe two methods just loop through their respective lookup tables until\nthey hit a match, then return the outcome. Maybe not the best implementation,\nbut it worked well enough for what was needed at the time.\n\n## Local development\n\nThe simplest way to get started with local development is to use Docker.\nWe provide a Dockerfile that builds an image with all the dependencies needed to build the site.\nWe also provide a `Makefile` that simplifies the process of building the site and running a local server,\nso you don't have to remember the exact `docker build` and `docker run` commands\nto get started.\n\n### Make Commands\n\nTo display the available `make` commands, run:\n\n```bash\nmake help\n```\n\nTo preview any `make` command without actually executing it, run:\n\n```bash\nmake -n \u003ccommand\u003e\n```\n\n### Run Local Docs Server\n\nThe easiest way to get started is using make to build a docker image and run the site. 
However, we provide a few other options below.\n\n| Environment | Command |\n|-------------|---------|\n| Make, Docker | `make docs` |\n| ~~Make~~, Docker | `cd docker \u0026\u0026 docker-compose up docs` |\n| ~~Make~~, ~~Docker~~ | `mkdocs serve` |\n\nThen navigate to \u003chttp://localhost:8000/SSVC/\u003e to see the site.\n\n## Run tests\n\nWe include a few tests for the `ssvc` module.\nOptions for running the test suite are provided below.\n\n| Environment | Command | Comment |\n|-------------|---------|---------|\n| Make, Docker | `make docker_test` | runs in docker container |\n| ~~Make~~, Docker | `cd docker \u0026\u0026 docker-compose run --rm test` | runs in docker container |\n| Make, ~~Docker~~ | `make test` | runs in host OS |\n| ~~Make~~, ~~Docker~~ | `pytest src/test` | runs in host OS |\n\n## Environment Variables\n\nIf you encounter a problem with the `ssvc` module not being found, you may need to set the `PYTHONPATH` environment variable.\nThe Dockerfile takes care of this in the Docker environment.\nWhen not running in Docker, make sure that the `src` directory is in your `PYTHONPATH`:\n\n```bash\nexport PYTHONPATH=$PYTHONPATH:$(pwd)/src\n```\n\n## Contributing\n\n- [SSVC Community Engagement](https://certcc.github.io/SSVC/about/contributing/) has more detail on how to contribute to the project.\n- [SSVC Project Wiki](https://github.com/CERTCC/SSVC/wiki) for more detail on how to contribute to the project (style guides, etc.)\n- [CONTRIBUTING.md](CONTRIBUTING.md) for high-level information and legal details\n\n## Citing SSVC\n\nTo reference SSVC in an academic publication, please refer to the version presented at the 2020 Workshop on Economics of Information Security (WEIS):\n\n```\n@inproceedings{spring2020ssvc,  \n  title={Prioritizing vulnerability response: {A} stakeholder-specific vulnerability categorization},  \n  author={Jonathan M Spring and Eric Hatleback and Allen D. 
Householder and Art Manion and Deana Shick},  \n  address={Brussels, Belgium},  \n  year={2020},  \n  month = dec,  \n  booktitle = {Workshop on the Economics of Information Security}  \n}\n```\n\n## References\n\n1. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. \"Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization.\" White Paper, Software Engineering Institute, Carnegie Mellon University (2019). \u003chttps://resources.sei.cmu.edu/library/asset-view.cfm?assetid=636379\u003e\n2. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. \"Towards Improving CVSS.\" White Paper, Software Engineering Institute, Carnegie Mellon University (2018). \u003chttps://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538368\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCERTCC%2FSSVC","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCERTCC%2FSSVC","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCERTCC%2FSSVC/lists"}