
Commit c6662d6

committed
Cleaning up the change assessment scheme
Signed-off-by: Alex Tzonkov <4975715+attzonko@users.noreply.github.com>
1 parent 818cbba commit c6662d6

6 files changed

Lines changed: 71 additions & 37 deletions


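--- a/Documentation/corim_profile/examples/ocp-safe-sfr-fw-example.diag
+++ b/Documentation/corim_profile/examples/ocp-safe-sfr-fw-example.diag
@@ -72,17 +72,17 @@
 / issue-entry / {
 / 0: title / 0: "Memory corruption when reading record from SPI flash",
 / 1: description / 1: "Due to insufficient input validation in the firmware, a local attacker who tampers with a configuration structure in SPI flash, can cause stack-based memory corruption.",
-/ 2: assessment / 2: {
-/ 0: cvss-score / 0: "7.9",
-/ 1: cvss-vector / 1: "AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L",
+/ 2: assessment-scheme / 2: {
+/ 0: cvss-score / 0: "7.9",
+/ 1: cvss-vector / 1: "AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L",
 / 2: cvss-version / 2: "3.1"
 },
 / 3: cwe / 3: "CWE-111"
 },
 / issue-entry / {
 / 0: title / 0: "Debug commands enable arbitrary memory read/write",
 / 1: description / 1: "The firmware exposes debug command handlers that enable host-side drivers to read and write arbitrary regions of the device's SRAM.",
-/ 2: assessment / 2: {
+/ 2: assessment-scheme / 2: {
 / 0: cvss-score / 0: "8.7",
 / 1: cvss-vector / 1: "AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
 / 2: cvss-version / 2: "3.1"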

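--- a/Documentation/corim_profile/ocp-safe-sfr-profile.cddl
+++ b/Documentation/corim_profile/ocp-safe-sfr-profile.cddl
@@ -18,18 +18,18 @@ ocp-safe-sfr-map = {
 issue-entry = {
 &(title: 0) => tstr
 &(description: 1) => tstr
-&(assessment: 2) => $assessment
+&(assessment-scheme: 2) => $assessment-scheme
 ?&(cwe: 3) => tstr
 ?&(cve: 4) => tstr
 * $$ocp-safe-issue-entry-ext
 }
 
-$assessment /= cvss
+$assessment-scheme /= cvss-scheme
 
-cvss = {
-&(score: 0) => tstr
-&(vector: 1) => tstr
-&(version: 2) => tstr
+cvss-scheme = {
+&(cvss-score: 0) => tstr
+&(cvss-vector: 1) => tstr
+? &(cvss-version: 2) => tstr
 }
 
 fw-identifier = non-empty<{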
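Review bot: Making `cvss-version` optional in `cvss-scheme` leaves a consumer with no stated way to tell which CVSS version a `cvss-vector` is scored under, and the vectors in ocp-safe-sfr-fw-example.diag carry no `CVSS:3.x/` prefix that would disambiguate; 3.0, 3.1 and 4.0 vectors have different metric sets, so score recomputation or comparison by a relying party becomes guesswork when the field is absent. Either keep `&(cvss-version: 2) => tstr` mandatory, or state the assumed default in the profile next to the group, e.g. `; cvss-version: when omitted, the vector is interpreted as CVSS 3.1` (adjust to whatever the profile actually intends). If that default is already documented elsewhere in the profile, which this hunk does not show, a cross-reference here would suffice.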

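--- a/shortform_report-main/OcpReportLib.py
+++ b/shortform_report-main/OcpReportLib.py
@@ -340,21 +340,27 @@ def _convert_to_corim_structure(self) -> Dict[str, Any]:
 # Convert issues
 corim_issues = []
 for issue in self.report["audit"]["issues"]:
-corim_issue = {
-0: issue["title"], # title
-1: issue["cvss_score"], # cvss-score
-2: issue["cvss_vector"], # cvss-vector
-3: issue["cwe"], # cwe
-4: issue["description"], # description
+# Build nested cvss-scheme structure
+cvss_scheme = {
+0: issue["cvss_score"], # cvss-score
+1: issue["cvss_vector"], # cvss-vector
 }
 
-# Add optional fields
+# Add optional cvss-version
 if "cvss_version" in self.report["audit"]:
-# cvss-version
-corim_issue[5] = self.report["audit"]["cvss_version"]
+cvss_scheme[2] = self.report["audit"]["cvss_version"] # cvss-version
+
+# Build issue-entry with nested assessment-scheme
+corim_issue = {
+0: issue["title"], # title
+1: issue["description"], # description
+2: cvss_scheme, # assessment-scheme (nested cvss-scheme)
+3: issue["cwe"], # cwe
+}
 
+# Add optional cve
 if issue.get("cve"):
-corim_issue[6] = issue["cve"] # cve
+corim_issue[4] = issue["cve"] # cve
 
 corim_issues.append(corim_issue)
 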
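Review bot: `cvss_version` is still read from `self.report["audit"]` while the rest of `cvss_scheme` is built from `issue`, so every issue's nested scheme is stamped with the same report-wide version even though the profile now nests the version per issue; an issue carrying its own version would be silently ignored. If the short-form report format allows a per-issue `cvss_version` (the hunk does not show the input schema), prefer `version = issue.get("cvss_version", self.report["audit"].get("cvss_version"))` followed by `if version is not None: cvss_scheme[2] = version`. Separately, the new `3: issue["cwe"], # cwe` raises KeyError for an issue without a CWE although the CDDL marks `cwe` optional, so gating it like the `cve` branch below (`if issue.get("cwe"): corim_issue[3] = issue["cwe"]`) would match the profile. `_convert_to_corim_structure` starts and continues outside the hunk.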
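--- a/shortform_report-main/cbor_human_inspector.py
+++ b/shortform_report-main/cbor_human_inspector.py
@@ -834,25 +834,31 @@ def inspect_sfr_data(sfr_data, indent=""):
 elif field_num == 5: # Issues
 if isinstance(field_value, list):
 print(f"{indent} 🚨 {len(field_value)} security issue(s) found:")
-
+
 for i, issue in enumerate(field_value):
 if isinstance(issue, dict):
 print(f"\n{indent} 🔴 Issue #{i+1}:")
 if 0 in issue: # title
 print(f"{indent} Title: {issue[0]}")
-if 1 in issue: # cvss-score
-print(f"{indent} CVSS Score: {issue[1]}")
-if 2 in issue: # cvss-vector
-print(f"{indent} CVSS Vector: {issue[2]}")
-if 3 in issue: # cwe
-print(f"{indent} CWE: {issue[3]}")
-if 4 in issue: # description
-desc = issue[4]
+if 1 in issue: # description
+desc = issue[1]
 if len(desc) > 100:
 desc = desc[:100] + "..."
 print(f"{indent} Description: {desc}")
-if 5 in issue: # cve
-print(f"{indent} CVE: {issue[5]}")
+if 2 in issue: # assessment-scheme (nested cvss-scheme)
+assessment = issue[2]
+if isinstance(assessment, dict):
+print(f"{indent} Assessment Scheme: CVSS")
+if 0 in assessment: # cvss-score
+print(f"{indent} CVSS Score: {assessment[0]}")
+if 1 in assessment: # cvss-vector
+print(f"{indent} CVSS Vector: {assessment[1]}")
+if 2 in assessment: # cvss-version
+print(f"{indent} CVSS Version: {assessment[2]}")
+if 3 in issue: # cwe
+print(f"{indent} CWE: {issue[3]}")
+if 4 in issue: # cve
+print(f"{indent} CVE: {issue[4]}")
 else:
 print(f"{indent} Issues: {type(field_value).__name__}")
 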
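Review bot: The new `isinstance(assessment, dict)` branch labels every dict under key 2 as `Assessment Scheme: CVSS`, but `$assessment-scheme` is a type socket in the profile that can admit other schemes later, so the label asserts more than the data shows, and unlike the enclosing `Issues` branch there is no `else:` for a non-dict value, so a malformed `issue[2]` is skipped without a trace in the inspector output. Suggest adding `else: print(f"{indent} Assessment Scheme: {type(assessment).__name__}")` after the dict branch, and wording the header as `Assessment Scheme (cvss-scheme):` so the output names the schema group rather than presuming the scheme. `inspect_sfr_data` starts and continues outside the hunk, and the rendered page drops indentation, so whether the `3 in issue` / `4 in issue` checks sit at the issue level or inside the assessment branch cannot be confirmed from here.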
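--- a/shortform_report-main/tests/final_validation_summary.py
+++ b/shortform_report-main/tests/final_validation_summary.py
@@ -234,13 +234,27 @@ def validate_corim_compliance():
 # Validate first issue structure
 if len(issues) > 0:
 first_issue = issues[0]
-required_issue_fields = [0, 1, 2, 3, 4] # title, cvss-score, cvss-vector, cwe, description
+required_issue_fields = [0, 1, 2, 3] # title, description, assessment-scheme, cwe
 for field in required_issue_fields:
 if field in first_issue:
 print(f"✓ Issue field {field} present")
 else:
 print(f"✗ Issue field {field} missing")
 return False
+
+# Validate nested assessment-scheme structure
+if 2 in first_issue:
+assessment = first_issue[2]
+if isinstance(assessment, dict):
+print("✓ Assessment-scheme is properly nested")
+if 0 in assessment and 1 in assessment:
+print("✓ Assessment-scheme contains cvss-score and cvss-vector")
+else:
+print("✗ Assessment-scheme missing required CVSS fields")
+return False
+else:
+print("✗ Assessment-scheme is not a dict")
+return False
 else:
 print("✗ Issues not properly structured as list")
 return False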
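Review bot: The new `if 2 in first_issue:` guard is always true where it sits, because the loop over `required_issue_fields` has already returned False when key 2 is missing, so it only adds a nesting level; the assessment body can follow the loop directly. The check also stops at key presence, while the profile types `cvss-score` and `cvss-vector` as `tstr`, so `if isinstance(assessment.get(0), str) and isinstance(assessment.get(1), str):` would additionally reject a numeric score that CDDL validation rejects. Validating only `issues[0]` predates this change and is not addressed by it. `validate_corim_compliance` starts and continues outside the hunk.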

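--- a/shortform_report-main/tests/test_corim_generation.py
+++ b/shortform_report-main/tests/test_corim_generation.py
@@ -165,12 +165,20 @@ def test_schema_compliance():
 issues = sfr_map[5]
 for issue in issues:
 assert 0 in issue # title
-assert 1 in issue # cvss-score
-assert 2 in issue # cvss-vector
+assert 1 in issue # description
+assert 2 in issue # assessment-scheme
+
+# Validate nested assessment-scheme structure
+assessment_scheme = issue[2]
+assert isinstance(assessment_scheme, dict), "assessment-scheme must be a dict"
+assert 0 in assessment_scheme # cvss-score
+assert 1 in assessment_scheme # cvss-vector
+# cvss-version is optional (key 2)
+
 assert 3 in issue # cwe
-assert 4 in issue # description
-
-print("✓ Issues structure: PASS")
+# cve is optional (key 4)
+
+print("✓ Issues structure with nested assessment-scheme: PASS")
 
 return True
 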
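Review bot: The new nested assertions verify only key presence, while the profile types `cvss-score` and `cvss-vector` as `tstr`, so a numeric score emitted by the converter would pass this test and still fail CDDL validation. Add `assert isinstance(assessment_scheme[0], str)` and `assert isinstance(assessment_scheme[1], str)`, and turn the `# cvss-version is optional (key 2)` comment into a check, `if 2 in assessment_scheme: assert isinstance(assessment_scheme[2], str)`. The retained `assert 3 in issue # cwe` is stricter than the profile, which marks `cwe` optional, so the test will reject a valid CoRIM whose issue has no CWE. `test_schema_compliance` starts and continues outside the hunk.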