Skip to content

Add vulnerabilityContext object to link CVE/CVSS/EPSS data to AFR/TAF adjustments #66

Description

@github-actions

Motivation

RDX attack feasibility (AFR) and TAF assessments are primarily analyst-driven and lack a standardized, machine-consumable way to incorporate published vulnerability intelligence (CVE id, CVSS vectors) and predictive exploitability (EPSS) into feasibility and risk calculations. Integrating CVSS v4.0 vectors and EPSS probabilities as an explicit "vulnerabilityContext" allows RDX consumers to automate risk prioritization, reconcile SBOM/HBOM findings with attack path reachability, and reproduce AFR adjustments using auditable inputs.

Proposed change

  1. Schema additions
  • Add optional array vulnerabilityContexts[] at riskSet level.

  • Each vulnerabilityContext object SHOULD include these fields:

    • id (string, required)
    • cveId (string, optional) — e.g., "CVE-2026-12345"
    • references[] (array of strings/URLs) — NVD / vendor advisory
    • cpeMatches[] (array of CPE strings) — affected CPEs
    • cvss (object) with fields: version (string e.g., "4.0"), vector (string CVSS v4.0 vector), baseScore (number)
    • epssScore (number; 0..1) — EPSS probability for exploitation (may be omitted if unavailable)
    • exploitEvidence (object): { "poC": boolean, "exploitPublished": boolean, "kev": boolean } — presence of PoC/weaponization/CISA KEV membership
    • reachability (enum) — one of ["internet-exposed","adjacent-network","requires-physical","insider-only","unknown"]
    • relatedAttackPathIds[] (array of attackPath id values)
    • adjustmentMethodRef (string, methodId) — optional reference to a methods entry describing how to map CVSS/EPSS to AFR/TAF adjustments
    • note (string) rationale
  1. Method mapping
  • Define a small reusable method methodId example rdx-vuln-adjust-v1 in methods explaining how EV/EPSS map to AFR bands (deterministic formula or lookup table). For example: "adjustedAFR = clamp( baseAFR + f(epssScore, exploitEvidence, reachability) )" with explicit parameter definitions.
  1. Tooling & examples
  • Add examples/rdx-vulnerability-context-example.json showing:
    • an SBOM/HBOM component (cyclonedx linkage) with a vulnerabilityContext referencing a CVE and relatedAttackPathIds.
    • an attackFeasibilityRating whose inputFactors reference the vulnerabilityContext.id and demonstrate the score adjustment.
  1. Validation
  • JSON Schema should validate structure; validators SHOULD not attempt network lookups (CVE/EPSS) during CI. Example test vectors should include deterministic EPS S values for reproducibility in CI.
  1. Backwards compatibility
  • All fields OPTIONAL. Existing documents without vulnerabilityContexts remain valid.

  • New requirement ID: RDX-115 (new requirement): "Support optional vulnerabilityContext objects linking CVE/CVSS/EPSS and exploit evidence to attack feasibility and risk calculations."

References

Acceptance criteria

  • Schema change: spec/json/rdx.schema.json and spec/xml/rdx.xsd include vulnerabilityContexts[] and validate the example document.
  • Example: examples/rdx-vulnerability-context-example.json demonstrates a CVE -> vulnerabilityContext -> attackPath -> attackFeasibilityRating flow with a deterministic adjustmentMethodRef and shows how AFR is adjusted.
  • Documentation: Update methodology/Methodology.md and methodology/CAL-TAF-Integration.md with recommended mapping strategies (sample formula and lookup tables) and guidance on trusted EPSS sources.
  • CI: validation script accepts new examples; at least one unit test re-computes the adjusted AFR from provided inputs and asserts the documented adjusted value (deterministic test vector).

Generated by tools/ai_idea_scout.py via the AI Idea Scout workflow.
Review the proposal, refine the title/body/labels, and close if not desired.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ai-proposalProposed by the AI idea scout; needs human reviewenhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions