Replace Track*/Track * with Monitor in CISA-based decision model (#738)

* change type hints on OutcomeGroup class

* black reformat

* replace `Track *` with `Monitor`

* carve a new version of CISA OutcomeGroup to reflect `Track *` -> `Monitor`

* replace `Track*` with `Monitor` in json

* replace CISA.json with Monitor outcome value

* more substitutions

Author: ahouseholder

data/json/outcomes/CISA.json

@@ -1,28 +1,28 @@
 {
-  "version": "1.0.0",
+  "version": "1.1.0",
   "schemaVersion": "1-0-1",
   "name": "CISA Levels",
-  "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
+  "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Monitor, Attend, and Act.",
   "outcomes": [
     {
       "key": "T",
       "name": "Track",
       "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
     },
     {
-      "key": "T*",
-      "name": "Track*",
-      "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
+      "key": "M",
+      "name": "Monitor",
+      "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Monitor vulnerabilities within standard update timelines."
     },
     {
       "key": "A",
       "name": "Attend",
       "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
     },
     {
-      "key": "A",
+      "key": "C",
       "name": "Act",
       "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
     }
   ]
-}
+}

docs/ssvc-calc/CISA-Coordinator.json

@@ -209,8 +209,8 @@
 		    "color": "#28a745"
 		},
 		{
-		    "label": "Track*",
-		    "key": "R",
+		    "label": "Monitor",
+		    "key": "M",
 		    "description": "Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.",
 		    "color": "#ffc107"
 		},
@@ -266,7 +266,7 @@
 	    "Mission & Well-being": "medium"
 	},
 	{
-	    "Decision": "Track*",
+	    "Decision": "Monitor",
 	    "Exploitation": "none",
 	    "Automatable": "no",
 	    "Technical Impact": "total",
@@ -329,7 +329,7 @@
 	    "Mission & Well-being": "medium"
 	},
 	{
-	    "Decision": "Track*",
+	    "Decision": "Monitor",
 	    "Exploitation": "poc",
 	    "Automatable": "no",
 	    "Technical Impact": "partial",
@@ -343,7 +343,7 @@
 	    "Mission & Well-being": "low"
 	},
 	{
-	    "Decision": "Track*",
+	    "Decision": "Monitor",
 	    "Exploitation": "poc",
 	    "Automatable": "no",
 	    "Technical Impact": "total",
@@ -385,7 +385,7 @@
 	    "Mission & Well-being": "low"
 	},
 	{
-	    "Decision": "Track*",
+	    "Decision": "Monitor",
 	    "Exploitation": "poc",
 	    "Automatable": "yes",
 	    "Technical Impact": "total",

docs/ssvc-calc/findex.html

@@ -294,7 +294,7 @@ <h5>Mission Prevelance choices</h5>
       <h5> Vulnerability Scoring Decisions</h5>
       <b>Track </b> &nbsp; The vulnerability does not require attention outside of Vulnerability Management (VM) at this time.  Continue to track the situation and reassess the severity of vulnerability if necessary.
       <hr />
-      <b>Track * </b> &nbsp; Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.
+      <b>Monitor </b> &nbsp; Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.
       <hr />
       <b>Attend  </b> &nbsp; The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue.
       <hr/>

docs/ssvc-calc/old_index.html

@@ -292,7 +292,7 @@ <h5>Mission Prevelance choices</h5>
       <h5> Vulnerability Scoring Decisions</h5>
       <b>Track </b> &nbsp; The vulnerability does not require attention outside of Vulnerability Management (VM) at this time.  Continue to track the situation and reassess the severity of vulnerability if necessary.
       <hr />
-      <b>Track * </b> &nbsp; Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.
+      <b>Monitor </b> &nbsp; Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.
       <hr />
       <b>Attend  </b> &nbsp; The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue.
       <hr/>

docs/ssvc-calc/sample-ssvc.txt

@@ -1,8 +1,8 @@
 CVE	Vulnerability	CVSS (v3.x Base Score)	SSVC (Decision)	Exploit	Virulence	Technical	Mission/Well-Being (Impact)
 CVE-2020-7961	Liferay Portal JSON web services (JSONWS) deserialization	9.8	Track	PoC	Yes	Total	Low (Minimal/Minimal)
 CVE-2020-5847	Unraid 6.8.0 PHP RCE	9.8	Track	PoC	Yes	Total	Low (Minimal/Minimal)
-CVE-2019-0708	Microsoft Windows Remote Desktop RCE (BlueKeep)	9.8	Track*	PoC	Yes	Total	Medium (Support/Material)
-CVE-2019-13918	Rockwell Automation MicroLogix Controller open redirect	6.1	Track*	PoC	No	Partial	High (Essential/Material)
+CVE-2019-0708	Microsoft Windows Remote Desktop RCE (BlueKeep)	9.8	Monitor	PoC	Yes	Total	Medium (Support/Material)
+CVE-2019-13918	Rockwell Automation MicroLogix Controller open redirect	6.1	Monitor	PoC	No	Partial	High (Essential/Material)
 CVE-2019-19781	Citrix directory traversal and Perl RCE	9.8	Critical	Active	Yes	Total	Medium (Support/Minimal)
 CVE-2014-0751	GE CIMPLICITY HMI/SCADA directory traversal RCE (Black Energy)	9.8	Critical	Active	No	Total	High (Essential/Material)
 CVE-2018-5734	BIND 9 SERVFAIL assertion failure in badcache.c	7.5	Track	None	Yes	Partial	Medium (Support/Minimal)

docs/ssvc-calc/ssvc.js

@@ -21,7 +21,7 @@ var diagonal,tree,svg,duration,root
 var treeData = []
 /* Deefault color array of possible color options */
 var acolors = ["#28a745","#ffc107","#EE8733","#dc3545","#ff0000","#aa0000","#ff0000"]
-var lcolors = {"Track":"#28a745","Track*":"#ffc107","Attend":"#EE8733","Act":"#dc3545"}
+var lcolors = {"Track":"#28a745","Monitor":"#ffc107","Attend":"#EE8733","Act":"#dc3545"}
 var ssvc_short_keys = {};
 /* These variables are for decision tree schema JSON aka SSVC Provision Schema */
 var export_schema = {decision_points: [],decisions_table: [], lang: "en",

src/ssvc/outcomes/base.py

@@ -31,7 +31,7 @@ class OutcomeGroup(_Base, _Versioned, BaseModel):
     Models an outcome group.
     """
 
-    outcomes: list[OutcomeValue]
+    outcomes: tuple[OutcomeValue, ...]
 
     def __iter__(self):
         """

src/ssvc/outcomes/groups.py

@@ -40,9 +40,7 @@
     description="The publish outcome group.",
     version="1.0.0",
     outcomes=(
-        OutcomeValue(
-            name="Do Not Publish", key="N", description="Do Not Publish"
-        ),
+        OutcomeValue(name="Do Not Publish", key="N", description="Do Not Publish"),
         OutcomeValue(name="Publish", key="P", description="Publish"),
     ),
 )
@@ -109,7 +107,7 @@
 The CVSS outcome group.
 """
 
-CISA = OutcomeGroup(
+CISA_1 = OutcomeGroup(
     name="CISA Levels",
     description="The CISA outcome group. "
     "CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
@@ -124,7 +122,7 @@
         ),
         OutcomeValue(
             name="Track*",
-            key="T*",
+            key="R",
             description="The vulnerability contains specific characteristics that may require closer monitoring for changes. "
             "CISA recommends remediating Track* vulnerabilities within standard update timelines.",
         ),
@@ -137,7 +135,48 @@
         ),
         OutcomeValue(
             name="Act",
+            key="C",
+            description="The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. "
+            "Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. "
+            "Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. "
+            "CISA recommends remediating Act vulnerabilities as soon as possible.",
+        ),
+    ),
+)
+"""
+The CISA outcome group. Based on CISA's customizations of the SSVC model.
+See https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
+"""
+
+CISA = OutcomeGroup(
+    name="CISA Levels",
+    description="The CISA outcome group. "
+    "CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Monitor, Attend, and Act.",
+    version="1.1.0",
+    outcomes=(
+        OutcomeValue(
+            name="Track",
+            key="T",
+            description="The vulnerability does not require action at this time. "
+            "The organization would continue to track the vulnerability and reassess it if new information becomes available. "
+            "CISA recommends remediating Track vulnerabilities within standard update timelines.",
+        ),
+        OutcomeValue(
+            name="Monitor",
+            key="M",
+            description="The vulnerability contains specific characteristics that may require closer monitoring for changes. "
+            "CISA recommends remediating Monitor vulnerabilities within standard update timelines.",
+        ),
+        OutcomeValue(
+            name="Attend",
             key="A",
+            description="The vulnerability requires attention from the organization's internal, supervisory-level individuals. "
+            "Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. "
+            "CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.",
+        ),
+        OutcomeValue(
+            name="Act",
+            key="C",
             description="The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. "
             "Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. "
             "Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. "
@@ -150,6 +189,7 @@
 See https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
 """
 
+
 YES_NO = OutcomeGroup(
     name="Yes, No",
     description="The Yes/No outcome group.",
@@ -170,9 +210,7 @@
     outcomes=(
         # drop, reconsider later, easy win, do first
         OutcomeValue(name="Drop", key="D", description="Drop"),
-        OutcomeValue(
-            name="Reconsider Later", key="R", description="Reconsider Later"
-        ),
+        OutcomeValue(name="Reconsider Later", key="R", description="Reconsider Later"),
         OutcomeValue(name="Easy Win", key="E", description="Easy Win"),
         OutcomeValue(name="Do First", key="F", description="Do First"),
     ),
@@ -187,9 +225,7 @@
     version="1.0.0",
     outcomes=(
         OutcomeValue(name="Track 5", key="5", description="Track"),
-        OutcomeValue(
-            name="Track Closely 4", key="4", description="Track Closely"
-        ),
+        OutcomeValue(name="Track Closely 4", key="4", description="Track Closely"),
         OutcomeValue(name="Attend 3", key="3", description="Attend"),
         OutcomeValue(name="Attend 2", key="2", description="Attend"),
         OutcomeValue(name="Act 1", key="1", description="Act"),