Tools for working with a Stakeholder Specific Vulnerability Categorization (SSVC)
Project description
CERTCC SSVC
This is the official Python package for the CERT/CC Stakeholder-Specific Vulnerability Categorization (SSVC) project.
Installation
You can install the latest release from PyPI:
pip install certcc-ssvc
Demo to explore SSVC decision making
After installation, import the package and explore the examples:
import ssvc
# Example decision point usage. A Weather Forecast and Humidity Value decision point
from ssvc.decision_points.example import weather
print(weather.LATEST.model_dump_json(indent=2))
from ssvc.decision_points.example import humidity
print(humidity.LATEST.model_dump_json(indent=2))
# Example decision table usage
from ssvc.decision_tables.example import to_play
print(to_play.LATEST.model_dump_json(indent=2))
#Show decision tree in ascii text art
from ssvc.decision_tables.helpers import ascii_tree
print(ascii_tree(to_play.LATEST))
Explanation
This demo is a simple decision tree that provides an Outcome based on two conditions: the weather forecast and the humidity level.
Imagine the decision tree as a series of questions. To find the outcome (the YesNo column), you start at the first question (Decision Point), which is the root node of the tree: What is the Weather Forecast?
- Step 1: Look at the Weather Forecast column (e.g., rain, overcast, sunny).
- Step 2: Look at the Humidity Value above 40% column (e.g., high, low).
- Step 3: Based on the combination of these two conditions, the YesNo column will give you the Decision as "Yes" to play and "No" to not to play.
The YesNo column is the Outcome Decision Point, and the other two Decision Points are inputs that will be collected. This decision tree looks like below in ascii form
Weather Fore.. | Humidity Val.. | YesNo v1.0.0.. |
---------------------------------------------------
├── rain
│ ├── high
│ │ └── [no]
│ └── low
│ └── [no]
├── overcast
│ ├── high
│ │ └── [no]
│ └── low
│ └── [yes]
└── sunny
├── high
│ └── [no]
└── low
└── [yes]
Usage
For usage in vulnerability management scenarios consider the following popular SSVC decisions
import ssvc
# Example decision point usage. Exploitation as a Decision Point
from ssvc.decision_points.ssvc.exploitation import LATEST as Exploitation
print(Exploitation.model_dump_json(indent=2))
# Try a CVSS metic Attack Vector using SSVC
from ssvc.decision_points.cvss.attack_vector import LATEST as AttackVector
print(AttackVector.model_dump_json(indent=2))
from ssvc.decision_points.cisa.in_kev import LATEST as InKEV
print(InKEV.model_dump_json(indent=2))
# Example decision table for a Supplier deciding Patch Development Priority
from ssvc.decision_tables.ssvc.supplier_dt import LATEST as SupplierDT
print(SupplierDT.model_dump_json(indent=2))
# Example decision table for a Deployer decision Patch Application Priority
from ssvc.decision_tables.ssvc.deployer_dt import LATEST as DeployerDT
print(DeployerDT.model_dump_json(indent=2))
# Example CISA Decision Table as Coordinator for Vulnerability Management writ large
from ssvc.decision_tables.cisa.cisa_coordinate_dt import LATEST as CISACoordinate
print(CISACoordinate.model_dump_json(indent=2))
#Print CISA Decision Table as an ascii tree
from ssvc.decision_tables.helpers import ascii_tree
print(ascii_tree(CISACoordinate))
#Creating an SSVC Selection for publish/export to external providers like CSAF or CVE
from datetime import datetime, timezone
from ssvc.decision_tables.cisa.cisa_coordinate_dt import LATEST as decision_table
from ssvc import selection
namespace = "ssvc"
decision_points = ["Exploitation"]
values = [["Public PoC"]]
timestamp = datetime.now()
selections = []
for dp in decision_table.decision_points.values():
if dp.namespace == namespace and dp.name in decision_points:
dp_index = decision_points.index(dp.name)
selected = selection.Selection.from_decision_point(dp)
selected.values = tuple(selection.MinimalDecisionPointValue(key=val.key,
name=val.name) for val in dp.values if val.name in values[dp_index])
selections.append(selected)
out = selection.SelectionList(selections=selections,timestamp=timestamp)
print(out.model_dump_json(exclude_none=True, indent=4))
Resources
Source code and full documentation: https://github.com/CERTCC/SSVC
SSVC Policy Explorer: https://certcc.github.io/SSVC/ssvc-explorer/
SSVC Calculator: https://certcc.github.io/SSVC/ssvc-calc/
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file certcc_ssvc-2025.10.101215.tar.gz.
File metadata
- Download URL: certcc_ssvc-2025.10.101215.tar.gz
- Upload date:
- Size: 245.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
14bdd56a237533b92d909b3430c7de8c2640b0ee332e3fc44b43dc8915047642
|
|
| MD5 |
85127e15c8a82dc098d54547bd1ac354
|
|
| BLAKE2b-256 |
96c7890a731ebf02c5cfaadaa8bc64f681b4e7bdf968db1b3f97c4dea74b8cba
|
File details
Details for the file certcc_ssvc-2025.10.101215-py3-none-any.whl.
File metadata
- Download URL: certcc_ssvc-2025.10.101215-py3-none-any.whl
- Upload date:
- Size: 293.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
58811f0e4cccd571d0da8b66a5d09a2265cf6a727b4fb1e6ac3ce0db3f6c9367
|
|
| MD5 |
857b5d56d9ed06dd31896b9695bbe7d7
|
|
| BLAKE2b-256 |
5c6560da54c2dcb54de71c63c6e89490610feb78893c10385b7564286e28a638
|
