CERTCC SSVC
===========
This is the official Python package for the CERT/CC Stakeholder-Specific Vulnerability Categorization (SSVC) project.
Installation
------------
You can install the latest release from PyPI:
pip install certcc-ssvc
Demo to explore SSVC decision making
-----
After installation, import the package and explore the examples:
import ssvc
# Example decision point usage. A Weather Forecast and Humidity Value decision point
from ssvc.decision_points.example import weather
print(weather.LATEST.model_dump_json(indent=2))
from ssvc.decision_points.example import humidity
print(humidity.LATEST.model_dump_json(indent=2))
# Example decision table usage
from ssvc.decision_tables.example import to_play
print(to_play.LATEST.model_dump_json(indent=2))
#Show decision tree in ascii text art
from ssvc.decision_tables.helpers import ascii_tree
print(ascii_tree(to_play.LATEST))
Explanation
------
This demo is a simple decision tree that provides an Outcome based on two conditions: the weather forecast and the humidity level.
Imagine the decision tree as a series of questions. To find the outcome (the YesNo column), you start at the first question (Decision Point), which is the root node of the tree: What is the Weather Forecast?
- Step 1: Look at the Weather Forecast column (e.g., rain, overcast, sunny).
- Step 2: Look at the Humidity Value above 40% column (e.g., high, low).
- Step 3: Based on the combination of these two conditions, the YesNo column will give you the Decision as "Yes" to play and "No" to not to play.
The YesNo column is the Outcome Decision Point, and the other two Decision Points are inputs that will be collected. This decision tree looks like below in ascii form
```
Weather Fore.. | Humidity Val.. | YesNo v1.0.0.. |
---------------------------------------------------
├── rain
│ ├── high
│ │ └── [no]
│ └── low
│ └── [no]
├── overcast
│ ├── high
│ │ └── [no]
│ └── low
│ └── [yes]
└── sunny
├── high
│ └── [no]
└── low
└── [yes]
```
Usage
---------
For usage in vulnerability management scenarios consider the following popular SSVC decisions
import ssvc
# Example decision point usage. Exploitation as a Decision Point
from ssvc.decision_points.ssvc.exploitation import LATEST as Exploitation
print(Exploitation.model_dump_json(indent=2))
# Try a CVSS metic Attack Vector using SSVC
from ssvc.decision_points.cvss.attack_vector import LATEST as AttackVector
print(AttackVector.model_dump_json(indent=2))
from ssvc.decision_points.cisa.in_kev import LATEST as InKEV
print(InKEV.model_dump_json(indent=2))
# Example decision table for a Supplier deciding Patch Development Priority
from ssvc.decision_tables.ssvc.supplier_dt import LATEST as SupplierDT
print(SupplierDT.model_dump_json(indent=2))
# Example decision table for a Deployer decision Patch Application Priority
from ssvc.decision_tables.ssvc.deployer_dt import LATEST as DeployerDT
print(DeployerDT.model_dump_json(indent=2))
# Example CISA Decision Table as Coordinator for Vulnerability Management writ large
from ssvc.decision_tables.cisa.cisa_coordinate_dt import LATEST as CISACoordinate
print(CISACoordinate.model_dump_json(indent=2))
#Print CISA Decision Table as an ascii tree
from ssvc.decision_tables.helpers import ascii_tree
print(ascii_tree(CISACoordinate))
#Creating an SSVC Selection for publish/export to external providers like CSAF or CVE
from datetime import datetime, timezone
from ssvc.decision_tables.cisa.cisa_coordinate_dt import LATEST as decision_table
from ssvc import selection
namespace = "ssvc"
decision_points = ["Exploitation"]
values = [["Public PoC"]]
timestamp = datetime.now()
selections = []
for dp in decision_table.decision_points.values():
if dp.namespace == namespace and dp.name in decision_points:
dp_index = decision_points.index(dp.name)
selected = selection.Selection.from_decision_point(dp)
selected.values = tuple(selection.MinimalDecisionPointValue(key=val.key,
name=val.name) for val in dp.values if val.name in values[dp_index])
selections.append(selected)
out = selection.SelectionList(selections=selections,timestamp=timestamp)
print(out.model_dump_json(exclude_none=True, indent=4))
Resources
---------
Source code and full documentation:
<https://github.com/CERTCC/SSVC>
SSVC Policy Explorer:
<https://certcc.github.io/SSVC/ssvc-explorer/>
SSVC Calculator:
<https://certcc.github.io/SSVC/ssvc-calc/>
Raw data
{
"_id": null,
"home_page": null,
"name": "certcc-ssvc",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.12",
"maintainer_email": null,
"keywords": "ssvc, vulnerability management, vulnerability management",
"author": null,
"author_email": "CERT/CC SSVC <cert+ssvc@cert.org>",
"download_url": "https://files.pythonhosted.org/packages/96/c7/890a731ebf02c5cfaadaa8bc64f681b4e7bdf968db1b3f97c4dea74b8cba/certcc_ssvc-2025.10.101215.tar.gz",
"platform": null,
"description": "CERTCC SSVC\n===========\n\nThis is the official Python package for the CERT/CC Stakeholder-Specific Vulnerability Categorization (SSVC) project.\n\nInstallation\n------------\n\nYou can install the latest release from PyPI:\n\n pip install certcc-ssvc\n\nDemo to explore SSVC decision making\n-----\n\nAfter installation, import the package and explore the examples:\n\n import ssvc\n\n # Example decision point usage. A Weather Forecast and Humidity Value decision point\n from ssvc.decision_points.example import weather\n print(weather.LATEST.model_dump_json(indent=2))\n from ssvc.decision_points.example import humidity\n print(humidity.LATEST.model_dump_json(indent=2))\n\n\n # Example decision table usage\n from ssvc.decision_tables.example import to_play\n print(to_play.LATEST.model_dump_json(indent=2))\n\n #Show decision tree in ascii text art\n from ssvc.decision_tables.helpers import ascii_tree\n print(ascii_tree(to_play.LATEST))\n\nExplanation\n------\n\nThis demo is a simple decision tree that provides an Outcome based on two conditions: the weather forecast and the humidity level.\n\nImagine the decision tree as a series of questions. To find the outcome (the YesNo column), you start at the first question (Decision Point), which is the root node of the tree: What is the Weather Forecast?\n\n- Step 1: Look at the Weather Forecast column (e.g., rain, overcast, sunny).\n- Step 2: Look at the Humidity Value above 40% column (e.g., high, low).\n- Step 3: Based on the combination of these two conditions, the YesNo column will give you the Decision as \"Yes\" to play and \"No\" to not to play.\n\nThe YesNo column is the Outcome Decision Point, and the other two Decision Points are inputs that will be collected. This decision tree looks like below in ascii form\n\n```\nWeather Fore.. | Humidity Val.. | YesNo v1.0.0.. | \n---------------------------------------------------\n\u251c\u2500\u2500 rain \n\u2502 \u251c\u2500\u2500 high \n\u2502 \u2502 \u2514\u2500\u2500 [no]\n\u2502 \u2514\u2500\u2500 low \n\u2502 \u2514\u2500\u2500 [no]\n\u251c\u2500\u2500 overcast \n\u2502 \u251c\u2500\u2500 high \n\u2502 \u2502 \u2514\u2500\u2500 [no]\n\u2502 \u2514\u2500\u2500 low \n\u2502 \u2514\u2500\u2500 [yes]\n\u2514\u2500\u2500 sunny \n \u251c\u2500\u2500 high \n \u2502 \u2514\u2500\u2500 [no]\n \u2514\u2500\u2500 low \n \u2514\u2500\u2500 [yes]\n```\n\nUsage\n---------\n\nFor usage in vulnerability management scenarios consider the following popular SSVC decisions\n\n import ssvc\n\n # Example decision point usage. Exploitation as a Decision Point\n from ssvc.decision_points.ssvc.exploitation import LATEST as Exploitation\n print(Exploitation.model_dump_json(indent=2))\n # Try a CVSS metic Attack Vector using SSVC \n from ssvc.decision_points.cvss.attack_vector import LATEST as AttackVector\n print(AttackVector.model_dump_json(indent=2))\n from ssvc.decision_points.cisa.in_kev import LATEST as InKEV\n print(InKEV.model_dump_json(indent=2))\n\n # Example decision table for a Supplier deciding Patch Development Priority\n from ssvc.decision_tables.ssvc.supplier_dt import LATEST as SupplierDT\n print(SupplierDT.model_dump_json(indent=2))\n\n # Example decision table for a Deployer decision Patch Application Priority\n from ssvc.decision_tables.ssvc.deployer_dt import LATEST as DeployerDT\n print(DeployerDT.model_dump_json(indent=2))\n\n # Example CISA Decision Table as Coordinator for Vulnerability Management writ large\n from ssvc.decision_tables.cisa.cisa_coordinate_dt import LATEST as CISACoordinate\n print(CISACoordinate.model_dump_json(indent=2))\n\n #Print CISA Decision Table as an ascii tree\n from ssvc.decision_tables.helpers import ascii_tree\n print(ascii_tree(CISACoordinate))\n\n #Creating an SSVC Selection for publish/export to external providers like CSAF or CVE\n from datetime import datetime, timezone\n from ssvc.decision_tables.cisa.cisa_coordinate_dt import LATEST as decision_table\n from ssvc import selection\n namespace = \"ssvc\"\n decision_points = [\"Exploitation\"]\n values = [[\"Public PoC\"]]\n timestamp = datetime.now()\n selections = []\n\n for dp in decision_table.decision_points.values():\n if dp.namespace == namespace and dp.name in decision_points:\n dp_index = decision_points.index(dp.name)\n selected = selection.Selection.from_decision_point(dp)\n selected.values = tuple(selection.MinimalDecisionPointValue(key=val.key,\n\t name=val.name) for val in dp.values if val.name in values[dp_index])\n selections.append(selected)\n\n out = selection.SelectionList(selections=selections,timestamp=timestamp)\n print(out.model_dump_json(exclude_none=True, indent=4))\n\n\nResources\n---------\n\nSource code and full documentation:\n<https://github.com/CERTCC/SSVC>\n\nSSVC Policy Explorer:\n<https://certcc.github.io/SSVC/ssvc-explorer/>\n\nSSVC Calculator:\n<https://certcc.github.io/SSVC/ssvc-calc/>\n",
"bugtrack_url": null,
"license": null,
"summary": "Tools for working with a Stakeholder Specific Vulnerability Categorization (SSVC)",
"version": "2025.10.101215",
"project_urls": {
"Bug Tracker": "https://github.com/CERTCC/SSVC/issues",
"Homepage": "https://certcc.github.io/SSVC",
"Project": "https://github.com/CERTCC/SSVC"
},
"split_keywords": [
"ssvc",
" vulnerability management",
" vulnerability management"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "5c6560da54c2dcb54de71c63c6e89490610feb78893c10385b7564286e28a638",
"md5": "857b5d56d9ed06dd31896b9695bbe7d7",
"sha256": "58811f0e4cccd571d0da8b66a5d09a2265cf6a727b4fb1e6ac3ce0db3f6c9367"
},
"downloads": -1,
"filename": "certcc_ssvc-2025.10.101215-py3-none-any.whl",
"has_sig": false,
"md5_digest": "857b5d56d9ed06dd31896b9695bbe7d7",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.12",
"size": 293803,
"upload_time": "2025-10-10T16:17:50",
"upload_time_iso_8601": "2025-10-10T16:17:50.787906Z",
"url": "https://files.pythonhosted.org/packages/5c/65/60da54c2dcb54de71c63c6e89490610feb78893c10385b7564286e28a638/certcc_ssvc-2025.10.101215-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "96c7890a731ebf02c5cfaadaa8bc64f681b4e7bdf968db1b3f97c4dea74b8cba",
"md5": "85127e15c8a82dc098d54547bd1ac354",
"sha256": "14bdd56a237533b92d909b3430c7de8c2640b0ee332e3fc44b43dc8915047642"
},
"downloads": -1,
"filename": "certcc_ssvc-2025.10.101215.tar.gz",
"has_sig": false,
"md5_digest": "85127e15c8a82dc098d54547bd1ac354",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.12",
"size": 245425,
"upload_time": "2025-10-10T16:17:52",
"upload_time_iso_8601": "2025-10-10T16:17:52.217012Z",
"url": "https://files.pythonhosted.org/packages/96/c7/890a731ebf02c5cfaadaa8bc64f681b4e7bdf968db1b3f97c4dea74b8cba/certcc_ssvc-2025.10.101215.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-10-10 16:17:52",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "CERTCC",
"github_project": "SSVC",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [],
"lcname": "certcc-ssvc"
}
JSON
