
Conversation

@ahouseholder
Contributor

@ahouseholder ahouseholder commented Aug 11, 2025

This PR adds DecisionTable objects for each of the six CVSS v4 Equivalence Sets.

Incidental changes:

  • reordered a few decision points where we didn't have their values in ascending "more likely to act" order
  • fixed a bug in which DecisionTable refused to validate a decision table with exactly one input decision point.
  • added a couple of "without X (not defined)" decision points to replicate CVSS vector elements used in Equivalence Sets where the X (not defined) value was throwing off the DecisionTable graph-based validation algorithm. Because these values just revert to default values when computing CVSS scores anyway, we can safely eliminate them in our implementation and just note it in documentation later.

Copilot Summary

This pull request introduces several new CVSS decision point and decision table JSON files and makes corrections to the ordering and completeness of values in existing CVSS metric files. The changes primarily focus on improving the consistency and completeness of CVSS metric definitions, including the addition of "without Not Defined" variants and the introduction of a new equivalence set decision table.

Additions of new CVSS metric variants and decision tables:

  • Added new "without Not Defined" metric files for Confidentiality Requirement (confidentiality_requirement_without_not_defined__1_1_1.json), Integrity Requirement (integrity_requirement_without_not_defined__1_1_1.json), and Availability Requirement (availability_requirement_without_not_defined__1_1_1.json), each omitting the "Not Defined" (X) option. [1] [2] [3]
  • Added new "without Not Defined" metric files for Modified Availability Impact to the Subsequent System (modified_availability_impact_to_the_subsequent_system_without_not_defined__1_0_1.json) and Modified Integrity Impact to the Subsequent System (modified_integrity_impact_to_the_subsequent_system_without_not_defined__1_0_1.json), including a "Safety" (S) option. [1] [2]
  • Introduced a new decision table for CVSS Equivalence Set 5 (cvss_equivalence_set_5_1_0_0.json), mapping Exploit Maturity levels to a three-level equivalence set.

Corrections and improvements to existing metric files:

  • Reordered metric values in several files (such as access_complexity_1_0_0.json, access_complexity_2_0_0.json, attack_complexity_3_0_0.json, attack_requirements_1_0_0.json, and their "modified" variants) to ensure the "High" (H) value appears before "Low" (L), matching the intended schema and improving consistency. [1] [2] [3] [4] [5] [6] [7] [8]
  • Added the "Safety" (S) value to the modified_availability_impact_to_the_subsequent_system_1_0_1.json metric.

These changes collectively improve the clarity, completeness, and usability of the CVSS decision point data files.

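The three incidental changes listed above (values in ascending "more likely to act" order, the single-input validation case, and dropping the "X (Not Defined)" value) are easiest to see on a small decision-table model. What follows is an added example written for this page; it is not the ssvc package's DecisionTable implementation. The class names, the pairwise dominance scan standing in for the project's graph-based validator, and the sample-input orderings are this example's own assumptions. The EQ5 mapping and the treatment of E:X as the Attacked default follow my reading of the FIRST CVSS v4.0 specification linked later in the thread; check them against it.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class DecisionPoint:
    """A named metric whose values are listed in ascending 'more likely to act' order.

    Hypothetical model for this example only, not the ssvc class of the same name.
    """
    name: str
    values: Tuple[str, ...]

    def rank(self, value: str) -> int:
        return self.values.index(value)


class DecisionTable:
    """Maps every combination of input values to exactly one outcome value.

    validate() enforces three properties the PR description touches on:
      * at least one input decision point (exactly one is allowed)
      * completeness: every combination in the Cartesian product is mapped
      * monotonicity: if row a is at least as 'act-worthy' as row b on every
        input, its outcome must be at least as 'act-worthy' as b's
    The monotonicity check here is a pairwise dominance scan; it is a stand-in
    for the project's graph-based validator, not a copy of it.
    """

    def __init__(self, inputs: Sequence[DecisionPoint], outcome: DecisionPoint,
                 mapping: Dict[Tuple[str, ...], str]) -> None:
        if not inputs:
            raise ValueError("a decision table needs at least one input decision point")
        self.inputs: List[DecisionPoint] = list(inputs)
        self.outcome = outcome
        self.mapping = dict(mapping)
        self.validate()

    def validate(self) -> None:
        # Completeness: one row per combination of input values, no extras.
        expected = set(product(*(dp.values for dp in self.inputs)))
        rows = set(self.mapping)
        if rows != expected:
            raise ValueError(
                f"incomplete or surplus rows: missing={sorted(expected - rows)} "
                f"extra={sorted(rows - expected)}"
            )
        unknown = [o for o in self.mapping.values() if o not in self.outcome.values]
        if unknown:
            raise ValueError(f"unknown outcome values: {unknown}")
        # Monotonicity: a row that dominates another on every input may not map
        # to a less 'act-worthy' outcome.
        for a in rows:
            for b in rows:
                dominates = all(dp.rank(x) >= dp.rank(y)
                                for dp, x, y in zip(self.inputs, a, b))
                if dominates and self.outcome.rank(self.mapping[a]) < self.outcome.rank(self.mapping[b]):
                    raise ValueError(
                        f"not monotone: {a} -> {self.mapping[a]} but {b} -> {self.mapping[b]}"
                    )

    def lookup(self, *values: str) -> str:
        return self.mapping[tuple(values)]


# CVSS v4 Exploit Maturity without X, ascending 'more likely to act':
# Unreported < Proof-of-Concept < Attacked (assumed ordering for this example).
EXPLOIT_MATURITY = DecisionPoint("Exploit Maturity", ("U", "P", "A"))
# EQ5 levels: level 0 is the most severe, so the ascending action order is 2 < 1 < 0.
EQ5_LEVEL = DecisionPoint("EQ5", ("2", "1", "0"))
# A one-input table; this is the case the validation fix in the PR allows.
EQ5 = DecisionTable([EXPLOIT_MATURITY], EQ5_LEVEL,
                    {("U",): "2", ("P",): "1", ("A",): "0"})


def eq5_with_not_defined_error() -> Optional[str]:
    """Try to build EQ5 with the X (Not Defined) value kept in the input.

    X has no real position in the action ordering: CVSS scores E:X as the
    Attacked default, so wherever it is placed in the value list some row that
    dominates it maps to a less severe level and the monotonicity check fails.
    Returns the validator's message, or None if validation unexpectedly passed.
    """
    with_x = DecisionPoint("Exploit Maturity", ("X", "U", "P", "A"))
    try:
        DecisionTable([with_x], EQ5_LEVEL,
                      {("X",): "0", ("U",): "2", ("P",): "1", ("A",): "0"})
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("EQ5(E:P) =", EQ5.lookup("P"))
    print("with X:", eq5_with_not_defined_error())
```

Removing X is what makes the table pass: once every remaining value sits on the action ordering, the only information X carried (fall back to the default) is already captured by the default row.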

@ahouseholder ahouseholder requested review from Copilot and removed request for sei-vsarvepalli August 11, 2025 15:06
@ahouseholder ahouseholder added this to the 2025-09 milestone Aug 11, 2025
@ahouseholder ahouseholder self-assigned this Aug 11, 2025
Contributor

Copilot AI left a comment


Pull Request Overview

This PR adds DecisionTable objects for each of the six CVSS v4 Equivalence Sets to enable structured decision-making based on CVSS metrics. The changes enhance the CVSS implementation by providing tabular mappings from combinations of vulnerability metrics to equivalence set outcomes.

  • Implements decision tables for all six CVSS v4 Equivalence Sets with proper mappings from input metrics to outcome levels
  • Creates "without Not Defined" variants of several CVSS metrics to support equivalence set decision tables
  • Reorders metric values in existing decision points to follow ascending "more likely to act" order and fixes validation for single input decision points

Reviewed Changes

Copilot reviewed 38 out of 41 changed files in this pull request and generated 5 comments.

File | Description
--- | ---
src/test/decision_tables/test_base.py | Adds test case for decision tables with single input decision point
src/ssvc/decision_tables/base.py | Fixes validation to allow decision tables with exactly one input decision point
src/ssvc/decision_tables/helpers.py | Enhances helper functions for printing decision table versions
src/ssvc/decision_tables/cvss/*.py | Implements decision tables for CVSS v4 Equivalence Sets 1-5
src/ssvc/decision_points/cvss/helpers.py | Adds helper function to create "without Not Defined" variants and extends Safety metric support
data/json/decision_points/cvss/*.json | Reorders metric values and adds "without Not Defined" variants
data/json/decision_tables/cvss/*.json | JSON serializations of the new CVSS equivalence set decision tables

@ahouseholder ahouseholder added labels Aug 11, 2025: bug (Something isn't working), enhancement (New feature or request), python (Pull requests that update Python code), integration/blocker (Something that is blocking integration with another framework or system), tech/backend (Back-end tools, code, infrastructure), tech/data (Data implementation: content of /data, data object instances, etc.), integration (Related to integration of SSVC into another framework or system)
@sei-vsarvepalli
Contributor

Wow, thank you Copilot! Running local tests now.

@ahouseholder
Copy link
Contributor Author

ahouseholder commented Aug 11, 2025

I'm currently working on a set of unit tests that will verify that EQ1-6 match https://www.first.org/cvss/v4-0/specification-document
I intend to have that done on this branch before we merge this PR.

@ahouseholder
99548b6


@sei-vsarvepalli sei-vsarvepalli left a comment


I didn't run all the tests, but the EQ sets are helpful in seeing the CVSS v4 evolution toward potentially a lookup and less math.


3 participants