Skip to content

Make structured attackSteps the default and link to CVE/CWE/CAPEC/ATT&CK #48

Description

@JohnASRG

Motivation

The schema already supports a structured attackSteps array plus attackPaths.stepIds, but the legacy attackPaths.steps string array is still present (deprecated only) and the comprehensive examples still use plain strings. To make attack path analysis machine-readable for AFR, MDR, and detection engineering use cases, structured steps must become the V1.0 default and gain the fields enumerated in the requirements that are not yet visible in the schema.

Proposed change

  1. Field additions on attackStep:
    • type (enum: precondition | access | exploit | privilegeEscalation | lateralMovement | persistence | impact | exfiltration | actionOnObjective)
    • prerequisites[] (referenced by id; matches RDX-020-era requirement)
    • references[] to external knowledge bases: cveId, cweId, capecId, attackTechniqueId (MITRE ATT&CK incl. ATT&CK for ICS/Embedded), autoVulnDbId, internal vuln-tracker id
    • Optional step-level attackFeasibilityRatingId so step-level AFR can be expressed in addition to path-level
  2. Branching/graph support on attackPath:
    • Replace flat stepIds with edges[] carrying from, to, and joinType (AND | OR | SEQUENCE) so AND/OR attack trees can be expressed
    • Keep stepIds accepted as a sequence shorthand for backwards compatibility
  3. Deprecate string steps: mark in JSON Schema description and XSD annotation that the field will be removed in v0.2.0; update all examples to use structured steps; add a validator warning when string steps are present.
  4. Rewrite examples/rdx-xml-comprehensive.xml and one JSON example to demonstrate the new structured + branching form.

References

  • REQUIREMENTS.md — RDX-019/020 (attack path steps as structured elements)
  • AI peer review, section 3 ("Attack path modeling is in transition")
  • MITRE ATT&CK for ICS / Embedded; MITRE CAPEC; CWE; NVD CVE

Acceptance criteria

  • attackStep schema (JSON + XSD) gains type, prerequisites[], structured references[] with vulnerability/technique IDs, and optional attackFeasibilityRatingId
  • attackPath schema supports an edges[] model with AND/OR/SEQUENCE joins
  • At least one example demonstrates an AND/OR attack tree with structured steps and external references
  • String-based steps array emits a deprecation warning from tools/validate.sh
  • All bundled examples use structured attackSteps

Surfaced by external AI peer review; see chat transcript for full review text.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ai-proposalProposed by the AI idea scout; needs human reviewenhancementNew feature or requestpeer-reviewSurfaced by external AI/peer review of the repopriority/P1High priority — V1.0 foundation

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions