We need to consider how to support sequencing for weaknesses, actions, barriers, etc. It would be ideal to come up with a common pattern that could be used in all cases. This will take some more significant design work than this issue indicates, but would greatly enhance the expressiveness of the vulntology.

@Chris-Turner-NIST We should set aside some time to design a way forward.

from vulntology.

Vulntology Sequencing Requirements

Scope

Support sequencing capability for:

• Barriers
• Weaknesses
• Actions
• Known Chains (possibly different case since we only want direct hops)

Requirements

1. Need to express options (e.g., A or B)
2. Need to express sequencing (ordering/preconditions) (e.g., A then B)
3. Need to express transitions (cause-effect/outcomes) (e.g., A leads to B)

Note: An array can provide for sequencing, but does not convey conditions or outcomes.

Example

> expresses allowed transition (i.e., A > B is A allows B)
= expresses a requirement (i.e., A = B is B requires A)
() indicates a combination of pre-conditions (i.e., (A B) is A then B)

• CWE-A > CWE-B => CWE-C
• CWE-B => CWE-C
• (CWE-A > CWE-B) => CWE-D > CWE-E

can be expressed as:

YAMLish logical structure:

  A:
     allows: B
     [other data]
  B:
    [other data]
    allows: C (optional)
    allows: D (optional)
  C:
    requires: B (implies B allows C)
    [other data]
  
  D:
    precondition-1:
      requires: A  (implies A must come before B?)
      requires: B (implies B allows D)
    [other data]

JSONish logical structure

{
  "A": {
    "allows": [ "B" ]
  },
  "B": {
    "allows": [ "C", "D" ]
  }
  "C": {
    "requires": [ "B" ]
  }
  "D": {
    "pre-condition": {
      "requires": [ "A", "B" ]
    },
    "allows": [ "E" ]
  }
   
}

A rough example of how this might look in practice.

{
  "actions": [ {
    "id": "action1",
    "allows": "action2"
  },
  {
    "id": "action2",
    "requires": "action1"
  }
  ]
}

from vulntology.