• resolves Create DecisionTable representation of CVSS v4 equivalence sets decision model(s) #853
• resolves DecisionTable doesn't know how to handle a direct mapping with one input decision point #859
• resolves How to model CVSS EQ4 as a DecisionTable? #860
• resolves Create SSVC policy mappings for CVSSv4 decision points to CVSSv4 Equivalence Sets #393

This PR adds DecisionTable objects for each of the six CVSS v4 Equivalence Sets.

Incidental changes:

• reordered a few decision points where we didn't have their values in ascending "more likely to act" order
• fixed a bug in which DecisionTable refused to validate a decision table with exactly one input decision point.
• added a couple "without X (not defined)" decision points to replicate CVSS vector elements used in Equivalence Sets where the X (not defined) value was throwing off the DecisionTable graph-based validation algorithm. Because these values just revert to default values when computing CVSS scores anyway, we can safely eliminate them in our implementation and just note it in documentation later.

Copilot Summary

This pull request introduces several new CVSS decision point and decision table JSON files and makes corrections to the ordering and completeness of values in existing CVSS metric files. The changes primarily focus on improving the consistency and completeness of CVSS metric definitions, including the addition of "without Not Defined" variants and the introduction of a new equivalence set decision table.

Additions of new CVSS metric variants and decision tables:

• Added new "without Not Defined" metric files for Confidentiality Requirement (confidentiality_requirement_without_not_defined__1_1_1.json), Integrity Requirement (integrity_requirement_without_not_defined__1_1_1.json), and Availability Requirement (availability_requirement_without_not_defined__1_1_1.json), each omitting the "Not Defined" (X) option. [1] [2] [3]
• Added new "without Not Defined" metric files for Modified Availability Impact to the Subsequent System (modified_availability_impact_to_the_subsequent_system_without_not_defined__1_0_1.json) and Modified Integrity Impact to the Subsequent System (modified_integrity_impact_to_the_subsequent_system_without_not_defined__1_0_1.json), including a "Safety" (S) option. [1] [2]
• Introduced a new decision table for CVSS Equivalence Set 5 (cvss_equivalence_set_5_1_0_0.json), mapping Exploit Maturity levels to a three-level equivalence set.

Corrections and improvements to existing metric files:

• Reordered metric values in several files (such as access_complexity_1_0_0.json, access_complexity_2_0_0.json, attack_complexity_3_0_0.json, attack_requirements_1_0_0.json, and their "modified" variants) to ensure the "High" (H) value appears before "Low" (L), matching the intended schema and improving consistency. [1] [2] [3] [4] [5] [6] [7] [8]
• Added the "Safety" (S) value to the modified_availability_impact_to_the_subsequent_system_1_0_1.json metric.

These changes collectively improve the clarity, completeness, and usability of the CVSS decision point data files.

References:
[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]