Add CME (Common Mitigation Enumeration) control namespace + publisher entity stub #97

Merged
kurtseifried merged 1 commit into main from add-cme-namespace
Jun 27, 2026
@kurtseifried

Collaborator

What

Wires the CME (Common Mitigation Enumeration) prototype taxonomy into the registry as a control namespace, plus a publisher entity stub.

CME enumerates defensive controls (the mitigation counterpart to CVE/CWE), each mapped to a deterministic CVSS environmental attenuation and to CWE weakness classes. Hosted at github.com/stuwrtlttle/cme.

Structure (mirrors the MITRE publisher pattern)

| Piece | File | SecID |
|---|---|---|
| Authority (account) | | github.com/stuwrtlttle |
| Publisher entity stub | registry/entity/com/github/stuwrtlttle.json | secid:entity/github.com/stuwrtlttle |
| Control taxonomy | registry/control/com/github/stuwrtlttle.{json,md} | secid:control/github.com/stuwrtlttle/cme |
| An item | | secid:control/github.com/stuwrtlttle/cme#CME-601 |

The cme name lives in match_nodes; CME-NNN IDs are subpaths (children) — same shape as mitre.org/cve#CVE-....

Resolution (two URLs per item)

  • weight 100 — raw JSON, parsability: structured, content_type: application/json (AI-first primary)
  • weight 50 — GitHub rendered view, parsability: scraped (human-readable)

Notes

  • Registry scope is identity + resolution only. Per-control data (CVSS attenuation, CWE relationships, verification commands) is deliberately not imported — it's destined for the future Data layer (V2). The CWE↔CME mappings are future Relationship-layer material.
  • Regex safety: item pattern ^CME-\d{3,4}$ is fully anchored with a bounded quantifier — no catastrophic backtracking.
  • Two intentionally-deferred soft pointers (no dangling references): structured schema SecID omitted (schema file listed as a plain URL instead); entity is a stub.
  • Both JSON files validate against schemas/registry-namespace.schema.json.

Deploy

Merging touches registry/**/*.json → triggers the auto-deploy chain to the live resolver.

… entity stub

Wire the CME prototype taxonomy (github.com/stuwrtlttle/cme) into the registry
as a control namespace, mirroring the MITRE publisher pattern (entity + type
file under one DNS-authority namespace).

- control/com/github/stuwrtlttle.{json,md}: name-level node `cme`, children
  match `^CME-\d{3,4}$` (anchored, bounded quantifier — no catastrophic
  backtracking). Two resolution URLs per item: raw JSON (weight 100,
  parsability structured) and GitHub rendered view (weight 50, scraped).
- entity/com/github/stuwrtlttle.json: publisher stub so the control's
  `operator:` pointer resolves; `cme` node cross-references via
  issues_type/issues_namespace.
- Registry scope is identity + resolution only; per-control data (CVSS
  attenuation, CWE relationships) is deferred to a future Data layer.
- Refresh namespace counts (2030).
@kurtseifried kurtseifried merged commit 591b011 into main Jun 27, 2026
2 checks passed
@kurtseifried kurtseifried deleted the add-cme-namespace branch June 27, 2026 05:16
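
Added example (not code from this PR or from the SecID project): a sketch of how a Python consumer could apply the item pattern and resolution weights described in the PR. The function names, the `url` key and the placeholder URLs are assumptions. It shows that the anchored pattern still accepts a trailing newline and non-ASCII digits when applied with `re.match`, and that `fullmatch` with `re.ASCII` closes both gaps.

```python
import re

ITEM_PATTERN = r"^CME-\d{3,4}$"  # item pattern quoted in the PR description
NAMESPACE = "secid:control/github.com/stuwrtlttle/cme"
STRICT_RE = re.compile(ITEM_PATTERN, re.ASCII)  # \d limited to ASCII 0-9

def naive_check(item):
    # re.match with "$" tolerates one trailing "\n"; bare \d takes any Unicode digit.
    return re.match(ITEM_PATTERN, item) is not None

def parse_cme_secid(secid):
    """Return the item ID of a CME SecID, or None if it is not well formed."""
    prefix, sep, item = secid.partition("#")
    if prefix != NAMESPACE or not sep:
        return None
    # fullmatch must consume the whole subpath, so "CME-601\n" is rejected.
    return item if STRICT_RE.fullmatch(item) else None

def order_sources(sources):
    """Sort resolution entries so the highest weight (primary source) is first."""
    return sorted(sources, key=lambda s: s["weight"], reverse=True)

# Constructed sample entries; URLs are placeholders and the "url" key is assumed.
SAMPLE_SOURCES = [
    {"weight": 50, "parsability": "scraped",
     "url": "https://example.invalid/view/CME-601"},
    {"weight": 100, "parsability": "structured", "content_type": "application/json",
     "url": "https://example.invalid/raw/CME-601.json"},
]

if __name__ == "__main__":
    for candidate in ("CME-601", "CME-601\n", "CME-60", "CME-\u0666\u0660\u0661"):
        secid = NAMESPACE + "#" + candidate
        print(repr(candidate), naive_check(candidate), parse_cme_secid(secid))
    print(order_sources(SAMPLE_SOURCES)[0]["parsability"])
```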