---
generated: true
source: methodologies/coordinator_publication.yaml
generator: scripts/generate_plugins.py
lastGenerated: 2025-08-29 17:35:05 -0700
generatedFiles:
  python:
    path: src/ssvc/plugins/coordinator_publication.py
    checksum: 5983af926e89dc7acf64d1137ce57e797f9b85f5
---

# Coordinator Publication Decision Model

CERT/CC Coordinator Publication Decision Model

Version: 1.0
Reference: https://certcc.github.io/SSVC/howto/publication_decision/

## Decision Tree

```mermaid
flowchart LR
    SupplierInvolvementLevel_1{SupplierInvolvementLevel}
    ExploitationStatus_2{ExploitationStatus}
    SupplierInvolvementLevel_1 -->|fix_ready| ExploitationStatus_2
    PublicValueAddedLevel_3{PublicValueAddedLevel}
    ExploitationStatus_2 -->|none| PublicValueAddedLevel_3
    Action_dont_publish_4[dont_publish]
    PublicValueAddedLevel_3 -->|limited| Action_dont_publish_4
    Action_publish_5[publish]
    PublicValueAddedLevel_3 -->|ampliative| Action_publish_5
    Action_publish_6[publish]
    PublicValueAddedLevel_3 -->|precedence| Action_publish_6
    PublicValueAddedLevel_7{PublicValueAddedLevel}
    ExploitationStatus_2 -->|public_poc| PublicValueAddedLevel_7
    Action_dont_publish_8[dont_publish]
    PublicValueAddedLevel_7 -->|limited| Action_dont_publish_8
    Action_publish_9[publish]
    PublicValueAddedLevel_7 -->|ampliative| Action_publish_9
    Action_publish_10[publish]
    PublicValueAddedLevel_7 -->|precedence| Action_publish_10
    PublicValueAddedLevel_11{PublicValueAddedLevel}
    ExploitationStatus_2 -->|active| PublicValueAddedLevel_11
    Action_publish_12[publish]
    PublicValueAddedLevel_11 -->|limited| Action_publish_12
    Action_publish_13[publish]
    PublicValueAddedLevel_11 -->|ampliative| Action_publish_13
    Action_publish_14[publish]
    PublicValueAddedLevel_11 -->|precedence| Action_publish_14
    ExploitationStatus_15{ExploitationStatus}
    SupplierInvolvementLevel_1 -->|cooperative| ExploitationStatus_15
    PublicValueAddedLevel_16{PublicValueAddedLevel}
    ExploitationStatus_15 -->|none| PublicValueAddedLevel_16
    Action_dont_publish_17[dont_publish]
    PublicValueAddedLevel_16 -->|limited| Action_dont_publish_17
    Action_dont_publish_18[dont_publish]
    PublicValueAddedLevel_16 -->|ampliative| Action_dont_publish_18
    Action_publish_19[publish]
    PublicValueAddedLevel_16 -->|precedence| Action_publish_19
    PublicValueAddedLevel_20{PublicValueAddedLevel}
    ExploitationStatus_15 -->|public_poc| PublicValueAddedLevel_20
    Action_dont_publish_21[dont_publish]
    PublicValueAddedLevel_20 -->|limited| Action_dont_publish_21
    Action_publish_22[publish]
    PublicValueAddedLevel_20 -->|ampliative| Action_publish_22
    Action_publish_23[publish]
    PublicValueAddedLevel_20 -->|precedence| Action_publish_23
    PublicValueAddedLevel_24{PublicValueAddedLevel}
    ExploitationStatus_15 -->|active| PublicValueAddedLevel_24
    Action_publish_25[publish]
    PublicValueAddedLevel_24 -->|limited| Action_publish_25
    Action_publish_26[publish]
    PublicValueAddedLevel_24 -->|ampliative| Action_publish_26
    Action_publish_27[publish]
    PublicValueAddedLevel_24 -->|precedence| Action_publish_27
    ExploitationStatus_28{ExploitationStatus}
    SupplierInvolvementLevel_1 -->|uncooperative_unresponsive| ExploitationStatus_28
    PublicValueAddedLevel_29{PublicValueAddedLevel}
    ExploitationStatus_28 -->|none| PublicValueAddedLevel_29
    Action_dont_publish_30[dont_publish]
    PublicValueAddedLevel_29 -->|limited| Action_dont_publish_30
    Action_dont_publish_31[dont_publish]
    PublicValueAddedLevel_29 -->|ampliative| Action_dont_publish_31
    Action_publish_32[publish]
    PublicValueAddedLevel_29 -->|precedence| Action_publish_32
    PublicValueAddedLevel_33{PublicValueAddedLevel}
    ExploitationStatus_28 -->|public_poc| PublicValueAddedLevel_33
    Action_publish_34[publish]
    PublicValueAddedLevel_33 -->|limited| Action_publish_34
    Action_publish_35[publish]
    PublicValueAddedLevel_33 -->|ampliative| Action_publish_35
    Action_publish_36[publish]
    PublicValueAddedLevel_33 -->|precedence| Action_publish_36
    PublicValueAddedLevel_37{PublicValueAddedLevel}
    ExploitationStatus_28 -->|active| PublicValueAddedLevel_37
    Action_publish_38[publish]
    PublicValueAddedLevel_37 -->|limited| Action_publish_38
    Action_publish_39[publish]
    PublicValueAddedLevel_37 -->|ampliative| Action_publish_39
    Action_publish_40[publish]
    PublicValueAddedLevel_37 -->|precedence| Action_publish_40
```

## Decision Points

- SupplierInvolvementLevel: fix_ready, cooperative, uncooperative_unresponsive
- ExploitationStatus: none, public_poc, active
- PublicValueAddedLevel: limited, ampliative, precedence
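The flowchart above is a complete table over the three decision points, which makes it easy to encode and to cross-check. The following is an added example, not the generated plugin's code: it transcribes the 27 leaves of the tree into a lookup, validates inputs against the enumerated values, and enumerates every path so the table can be diffed against whatever the generator emits. The class and function names (`decide`, `explain`, `all_outcomes`, `count_actions`) are this example's own, not the `ssvc` package API.

```python
"""Added example, not part of the ssvc project: the coordinator publication
decision tree as a lookup table over the three decision points."""
from collections import Counter
from enum import Enum
from itertools import product


class SupplierInvolvementLevel(str, Enum):
    FIX_READY = "fix_ready"
    COOPERATIVE = "cooperative"
    UNCOOPERATIVE_UNRESPONSIVE = "uncooperative_unresponsive"


class ExploitationStatus(str, Enum):
    NONE = "none"
    PUBLIC_POC = "public_poc"
    ACTIVE = "active"


class PublicValueAddedLevel(str, Enum):
    LIMITED = "limited"
    AMPLIATIVE = "ampliative"
    PRECEDENCE = "precedence"


PUBLISH, DONT = "publish", "dont_publish"

# Leaves transcribed from the flowchart. Each row is one (supplier, exploitation)
# branch; the tuple lists the action for PV = limited, ampliative, precedence.
_LEAVES = {
    ("fix_ready", "none"): (DONT, PUBLISH, PUBLISH),
    ("fix_ready", "public_poc"): (DONT, PUBLISH, PUBLISH),
    ("fix_ready", "active"): (PUBLISH, PUBLISH, PUBLISH),
    ("cooperative", "none"): (DONT, DONT, PUBLISH),
    ("cooperative", "public_poc"): (DONT, PUBLISH, PUBLISH),
    ("cooperative", "active"): (PUBLISH, PUBLISH, PUBLISH),
    ("uncooperative_unresponsive", "none"): (DONT, DONT, PUBLISH),
    ("uncooperative_unresponsive", "public_poc"): (PUBLISH, PUBLISH, PUBLISH),
    ("uncooperative_unresponsive", "active"): (PUBLISH, PUBLISH, PUBLISH),
}
_PV_ORDER = [pv.value for pv in PublicValueAddedLevel]


def decide(supplier_involvement: str, exploitation: str, public_value_added: str) -> str:
    """Return 'publish' or 'dont_publish' for one path through the tree.

    Inputs are validated through the enums, so a misspelt value such as 'poc'
    raises ValueError instead of silently landing on some default branch.
    """
    si = SupplierInvolvementLevel(supplier_involvement).value
    e = ExploitationStatus(exploitation).value
    pv = PublicValueAddedLevel(public_value_added).value
    return _LEAVES[(si, e)][_PV_ORDER.index(pv)]


def explain(supplier_involvement: str, exploitation: str, public_value_added: str) -> str:
    """Render the path in the order the flowchart walks it, ending in the action."""
    action = decide(supplier_involvement, exploitation, public_value_added)
    return (f"SupplierInvolvementLevel={supplier_involvement} -> "
            f"ExploitationStatus={exploitation} -> "
            f"PublicValueAddedLevel={public_value_added} => {action}")


def all_outcomes() -> dict:
    """Every (si, e, pv) triple and its action: 27 entries, one per leaf."""
    return {
        (si.value, e.value, pv.value): decide(si.value, e.value, pv.value)
        for si, e, pv in product(SupplierInvolvementLevel, ExploitationStatus,
                                 PublicValueAddedLevel)
    }


def count_actions() -> dict:
    """How many leaves end in each action; a quick sanity check against the diagram."""
    return dict(Counter(all_outcomes().values()))


if __name__ == "__main__":
    print(explain("cooperative", "none", "ampliative"))
    print(count_actions())
```

Reading the table row by row makes the model's shape visible: once exploitation is `active`, every branch publishes regardless of supplier involvement or value added; with an unresponsive supplier a public proof of concept is enough to publish; and the only way a cooperative or unresponsive supplier with no known exploitation leads to publication is `precedence` value added.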

## Usage

```python
from ssvc.plugins.coordinator_publication import DecisionCoordinatorPublication

decision = DecisionCoordinatorPublication(
    # Decision point values; each must be one of the values listed under Decision Points
    supplier_involvement='fix_ready',
    exploitation='none',
    public_value_added='limited',
)

outcome = decision.evaluate()
print(f"Action: {outcome.action}")
print(f"Priority: {outcome.priority}")
```

## Vector String Support

This methodology supports SSVC vector strings for compact representation and interchange.

### Parameter Abbreviations

| Parameter | Abbreviation | Value Mappings |
|---|---|---|
| supplier_involvement | SI | fix_ready→F, cooperative→C, uncooperative_unresponsive→U |
| exploitation | E | none→N, public_poc→P, active→A |
| public_value_added | PV | limited→L, ampliative→A, precedence→P |

### Vector String Format

```
COORD_PUBv1/[parameters]/[timestamp]/
```

### Example Usage

```python
# Generate vector string from decision
decision = DecisionCoordinatorPublication(
    supplier_involvement='fix_ready',
    exploitation='none',
    public_value_added='limited',
)

vector_string = decision.to_vector()
print(vector_string)
# Output: COORD_PUBv1/SI:F/E:N/PV:L/2024-07-23T20:34:21.000000/

# Parse vector string to create decision
parsed_decision = DecisionCoordinatorPublication.from_vector("COORD_PUBv1/SI:F/E:N/PV:L/2024-07-23T20:34:21.000000/")
outcome = parsed_decision.evaluate()
```
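Because vector strings are meant for interchange, the parsing side matters as much as the encoding side: a string that arrives from another tool may be truncated, carry an unknown code, or repeat a parameter. The following is an added example, not the `ssvc` package's own `to_vector`/`from_vector`: it builds the `COORD_PUBv1` string from the abbreviation table above and parses it back with every field checked before a value is accepted. It assumes the parameters are emitted in the order SI, E, PV and that the timestamp uses the `%Y-%m-%dT%H:%M:%S.%f` layout seen in the example output; `example_vector`, `round_trip` and `is_valid` are this example's helpers.

```python
"""Added example, not the ssvc package's implementation: a strict encoder and
parser for the COORD_PUBv1 vector string format documented above."""
from __future__ import annotations

import re
from datetime import datetime, timezone

PREFIX = "COORD_PUBv1"
TIMESTAMP_FMT = "%Y-%m-%dT%H:%M:%S.%f"  # assumed from the page's example output

# Abbreviation table from the page: parameter -> (code, value -> letter)
_FIELDS = {
    "supplier_involvement": ("SI", {"fix_ready": "F", "cooperative": "C",
                                    "uncooperative_unresponsive": "U"}),
    "exploitation": ("E", {"none": "N", "public_poc": "P", "active": "A"}),
    "public_value_added": ("PV", {"limited": "L", "ampliative": "A", "precedence": "P"}),
}
# Reverse table: code -> (parameter, letter -> value)
_BY_CODE = {code: (param, {v: k for k, v in letters.items()})
            for param, (code, letters) in _FIELDS.items()}
_TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}$")


def to_vector(values: dict, when: datetime | None = None) -> str:
    """Serialise decision point values; a missing or unknown value raises instead of emitting garbage."""
    when = when or datetime.now(timezone.utc)
    parts = [PREFIX]
    for param, (code, letters) in _FIELDS.items():  # fixed order: SI, E, PV
        if param not in values:
            raise ValueError(f"missing decision point {param}")
        if values[param] not in letters:
            raise ValueError(f"{values[param]!r} is not a valid {param} value")
        parts.append(f"{code}:{letters[values[param]]}")
    parts.append(when.strftime(TIMESTAMP_FMT))
    return "/".join(parts) + "/"


def from_vector(vector: str) -> tuple[dict, datetime]:
    """Parse a vector string into (values, timestamp).

    Checks prefix, trailing slash, field count, known codes, known letters,
    duplicates and timestamp shape, so malformed input from an interchange
    channel is rejected rather than partially applied.
    """
    if not vector.endswith("/"):
        raise ValueError("vector string must end with '/'")
    parts = vector[:-1].split("/")
    if len(parts) != len(_FIELDS) + 2 or parts[0] != PREFIX:
        raise ValueError(f"malformed vector string: {vector!r}")
    values: dict = {}
    for token in parts[1:-1]:
        code, sep, letter = token.partition(":")
        if not sep or code not in _BY_CODE:
            raise ValueError(f"unknown parameter token {token!r}")
        param, lookup = _BY_CODE[code]
        if param in values:
            raise ValueError(f"duplicate parameter {code}")
        if letter not in lookup:
            raise ValueError(f"unknown value {letter!r} for {code}")
        values[param] = lookup[letter]
    if len(values) != len(_FIELDS):
        raise ValueError("vector string is missing a decision point")
    if not _TIMESTAMP_RE.match(parts[-1]):
        raise ValueError(f"bad timestamp {parts[-1]!r}")
    return values, datetime.strptime(parts[-1], TIMESTAMP_FMT)


# Helpers that rebuild the page's example so the round trip can be checked.
EXAMPLE_VALUES = {"supplier_involvement": "fix_ready", "exploitation": "none",
                  "public_value_added": "limited"}


def example_vector() -> str:
    """The page's example string, rebuilt with its fixed timestamp."""
    return to_vector(EXAMPLE_VALUES, datetime(2024, 7, 23, 20, 34, 21))


def round_trip(values: dict) -> bool:
    """True when encode -> parse returns the same decision point values."""
    return from_vector(to_vector(values))[0] == values


def is_valid(vector: str) -> bool:
    """Yes/no wrapper for callers that prefer a boolean to an exception."""
    try:
        from_vector(vector)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(example_vector())  # COORD_PUBv1/SI:F/E:N/PV:L/2024-07-23T20:34:21.000000/
    print(from_vector(example_vector()))
```

The duplicate-parameter and unknown-letter checks are the ones most often skipped in ad hoc parsers; without them `SI:F/SI:C` would silently let the last value win, and an unrecognised letter could be mapped to a default that changes the outcome of `evaluate()`.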

## File Integrity Verification

The generated files in this methodology have SHA1 checksums for verification:

### Checksum Verification Commands

Verify the integrity of generated files using these commands:

```bash
# Verify Python plugin file
echo "5983af926e89dc7acf64d1137ce57e797f9b85f5  src/ssvc/plugins/coordinator_publication.py" | sha1sum -c

# Verify all generated files using the justfile task
just verify-checksums

# Verify using actual file checksum
sha1sum src/ssvc/plugins/coordinator_publication.py
```

### Batch Verification

To verify all generated files at once:

```bash
# Verify all checksums from documentation metadata
just verify-checksums

# Alternative: Manual verification of all files
for doc in docs/*.md; do
    if [[ -f "$doc" ]]; then
        py_path=$(rg -N "path: src/ssvc/plugins/.*\.py" --only-matching "$doc" 2>/dev/null | head -1 | sed 's/path: //' || true)
        py_checksum=$(rg -N "checksum: [a-f0-9]+" --only-matching "$doc" 2>/dev/null | head -1 | sed 's/checksum: //' || true)
        if [[ -n "$py_path" ]] && [[ -n "$py_checksum" ]] && [[ -f "$py_path" ]]; then
            echo "$py_checksum  $py_path" | sha1sum -c
        fi
    fi
done
```
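The shell loop above depends on `rg`, `sed` and `sha1sum` being present and on the metadata lines matching its two patterns. The following is an added example, not the project's `justfile` task or any `ssvc` code: it performs the same check in Python against a constructed doc and a constructed plugin file so it runs offline, reports `OK`, `FAILED` or `MISSING` per path in the style of `sha1sum -c`, and uses a constant-time comparison for the digest. The front matter layout (`path:` and `checksum:` lines under `generatedFiles`) is assumed from the metadata at the top of this page; the file contents and the checksum in the sample are constructed, not the real ones.

```python
"""Added example, not part of the ssvc project: verify generated files against
the checksum metadata in their documentation, as the bash loop above does."""
import hashlib
import hmac
import re

# Same two patterns the rg | sed pipeline relies on, anchored to whole lines.
_PATH_RE = re.compile(r"^\s*path:\s*(src/ssvc/plugins/\S+\.py)\s*$", re.MULTILINE)
_SUM_RE = re.compile(r"^\s*checksum:\s*([0-9a-f]{40})\s*$", re.MULTILINE)


def expected_checksums(doc_text: str) -> dict:
    """Map each generated-file path listed in a doc's metadata to its SHA-1."""
    paths = _PATH_RE.findall(doc_text)
    sums = _SUM_RE.findall(doc_text)
    if len(paths) != len(sums):
        raise ValueError("path/checksum lines in the metadata do not pair up")
    return dict(zip(paths, sums))


def check_content(content: bytes, expected_sha1: str) -> bool:
    """True when SHA-1(content) equals the expected digest (constant-time compare)."""
    return hmac.compare_digest(hashlib.sha1(content).hexdigest(), expected_sha1.lower())


def verify_doc(doc_text: str, read_file) -> dict:
    """Check every file a doc lists; read_file(path) returns bytes or None if absent.

    Statuses mirror `sha1sum -c`: OK, FAILED, or MISSING when the file is not there.
    """
    results = {}
    for path, digest in expected_checksums(doc_text).items():
        content = read_file(path)
        if content is None:
            results[path] = "MISSING"
        else:
            results[path] = "OK" if check_content(content, digest) else "FAILED"
    return results


# --- constructed sample inputs; not the real plugin and not its real checksum ---
SAMPLE_PATH = "src/ssvc/plugins/coordinator_publication.py"
SAMPLE_PLUGIN = (b"# constructed stand-in for the generated plugin\n"
                 b"class DecisionCoordinatorPublication:\n    pass\n")
SAMPLE_DOC = (
    "---\n"
    "generated: true\n"
    "generatedFiles:\n"
    "  python:\n"
    f"    path: {SAMPLE_PATH}\n"
    f"    checksum: {hashlib.sha1(SAMPLE_PLUGIN).hexdigest()}\n"
    "---\n"
)
SAMPLE_TREE = {SAMPLE_PATH: SAMPLE_PLUGIN}


def demo(tamper: bool = False) -> dict:
    """Verify the constructed tree, optionally after the plugin file has drifted by one line."""
    tree = dict(SAMPLE_TREE)
    if tamper:
        tree[SAMPLE_PATH] = tree[SAMPLE_PATH] + b"# an extra line not in the generator output\n"
    return verify_doc(SAMPLE_DOC, tree.get)


if __name__ == "__main__":
    print(demo())             # {'src/ssvc/plugins/coordinator_publication.py': 'OK'}
    print(demo(tamper=True))  # {'src/ssvc/plugins/coordinator_publication.py': 'FAILED'}
```

A check like this catches accidental corruption and drift between the generator's output and the checked-in file. It is worth being clear about what it does not do: SHA-1 is no longer collision-resistant, and the digest lives in the same repository as the file it describes, so anyone who can change the plugin can update the doc alongside it. For an authenticity guarantee against that case, pair the checksum with something the repository writer cannot forge, such as signed commits or tags, and regenerate the digests with a current hash function when the generator is next revised.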

**Why This Matters:** Checksum verification ensures that generated files haven't been tampered with or corrupted. This is important for:

- **Security:** Detecting unauthorized modifications to generated code
- **Integrity:** Ensuring files match their expected content exactly
- **Trust:** Providing cryptographic proof that files are authentic
- **Debugging:** Confirming file corruption isn't causing unexpected behavior
- **Compliance:** Meeting security requirements for code integrity verification

Always verify checksums before deploying or using generated files in production environments.