Skip to content

Outcome Values and Outcome Groups

Provides outcome group and outcome value classes for SSVC.

OutcomeGroup dataclass

Bases: _Base

Models an outcome group.

Source code in src/ssvc/outcomes/base.py 
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
@dataclass_json
@dataclass(kw_only=True)
class OutcomeGroup(_Base):
    """
    Models an outcome group.
    """

    outcomes: Iterable[OutcomeValue]

    def __iter__(self):
        """
        Allow iteration over the outcomes in the group.
        """
        return iter(self.outcomes)

    def __len__(self):
        """
        Allow len() to be called on the group.
        """
        return len(self.outcomes)

__iter__()

Allow iteration over the outcomes in the group.

Source code in src/ssvc/outcomes/base.py 
43
44
45
46
47
def __iter__(self):
    """
    Allow iteration over the outcomes in the group.
    """
    return iter(self.outcomes)

__len__()

Allow len() to be called on the group.

Source code in src/ssvc/outcomes/base.py 
49
50
51
52
53
def __len__(self):
    """
    Allow len() to be called on the group.
    """
    return len(self.outcomes)

OutcomeValue dataclass

Bases: _Base, _Keyed

Models a single value option for an SSVC outcome.

Source code in src/ssvc/outcomes/base.py 
26
27
28
29
30
31
@dataclass_json
@dataclass(kw_only=True)
class OutcomeValue(_Base, _Keyed):
    """
    Models a single value option for an SSVC outcome.
    """

Provides a set of outcome groups for use in SSVC.

CISA = OutcomeGroup(name='CISA Levels', description='The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.', outcomes=(OutcomeValue(name='Track', key='T', description='The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines.'), OutcomeValue(name='Track*', key='T*', description='The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines.'), OutcomeValue(name='Attend', key='A', description="The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."), OutcomeValue(name='Act', key='A', description="The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."))) module-attribute

The CISA outcome group. Based on CISA's customizations of the SSVC model. See https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc

COORDINATE = OutcomeGroup(name='Decline, Track, Coordinate', description='The coordinate outcome group.', outcomes=(OutcomeValue(name='Decline', key='D', description='Decline'), OutcomeValue(name='Track', key='T', description='Track'), OutcomeValue(name='Coordinate', key='C', description='Coordinate'))) module-attribute

The coordinate outcome group.

CVSS = OutcomeGroup(name='CVSS Levels', description='The CVSS outcome group.', outcomes=(OutcomeValue(name='Low', key='L', description='Low'), OutcomeValue(name='Medium', key='M', description='Medium'), OutcomeValue(name='High', key='H', description='High'), OutcomeValue(name='Critical', key='C', description='Critical'))) module-attribute

The CVSS outcome group.

DSOI = OutcomeGroup(name='Defer, Scheduled, Out-of-Cycle, Immediate', description='The original SSVC outcome group.', outcomes=(OutcomeValue(name='Defer', key='D', description='Defer'), OutcomeValue(name='Scheduled', key='S', description='Scheduled'), OutcomeValue(name='Out-of-Cycle', key='O', description='Out-of-Cycle'), OutcomeValue(name='Immediate', key='I', description='Immediate'))) module-attribute

The original SSVC outcome group.

EISENHOWER = OutcomeGroup(name='Do, Schedule, Delegate, Delete', description='The Eisenhower outcome group.', outcomes=(OutcomeValue(name='Delete', key='D', description='Delete'), OutcomeValue(name='Delegate', key='G', description='Delegate'), OutcomeValue(name='Schedule', key='S', description='Schedule'), OutcomeValue(name='Do', key='O', description='Do'))) module-attribute

The Eisenhower outcome group.

MOSCOW = OutcomeGroup(name="Must, Should, Could, Won't", description='The Moscow outcome group.', outcomes=(OutcomeValue(name="Won't", key='W', description="Won't"), OutcomeValue(name='Could', key='C', description='Could'), OutcomeValue(name='Should', key='S', description='Should'), OutcomeValue(name='Must', key='M', description='Must'))) module-attribute

The MoSCoW outcome group.

PUBLISH = OutcomeGroup(name='Publish, Do Not Publish', description='The publish outcome group.', outcomes=(OutcomeValue(name='Do Not Publish', key='N', description='Do Not Publish'), OutcomeValue(name='Publish', key='P', description='Publish'))) module-attribute

The publish outcome group.

THE_PARANOIDS = OutcomeGroup(name='theParanoids', description='PrioritizedRiskRemediation outcome group based on TheParanoids.', outcomes=(OutcomeValue(name='Track 5', key='5', description='Track'), OutcomeValue(name='Track Closely 4', key='4', description='Track Closely'), OutcomeValue(name='Attend 3', key='3', description='Attend'), OutcomeValue(name='Attend 2', key='2', description='Attend'), OutcomeValue(name='Act 1', key='1', description='Act'), OutcomeValue(name='Act ASAP 0', key='0', description='Act ASAP'))) module-attribute

Outcome group based on TheParanoids' PrioritizedRiskRemediation. Their model is a 6-point scale, with 0 being the most urgent and 5 being the least. See https://github.com/theparanoids/PrioritizedRiskRemediation

VALUE_COMPLEXITY = OutcomeGroup(name='Value, Complexity', description='The Value/Complexity outcome group.', outcomes=(OutcomeValue(name='Drop', key='D', description='Drop'), OutcomeValue(name='Reconsider Later', key='R', description='Reconsider Later'), OutcomeValue(name='Easy Win', key='E', description='Easy Win'), OutcomeValue(name='Do First', key='F', description='Do First'))) module-attribute

The Value/Complexity outcome group.

YES_NO = OutcomeGroup(name='Yes, No', description='The Yes/No outcome group.', outcomes=(OutcomeValue(name='No', key='N', description='No'), OutcomeValue(name='Yes', key='Y', description='Yes'))) module-attribute

The Yes/No outcome group.