Merge pull request #195 from CycloneDX/v1.5-dev-cvssv4

stevespringett · web-flow · commit 1f0978a2cd8b · 2023-04-18T21:57:36.000-05:00
Added support for CVSSv4
diff --git a/schema/bom-1.5.proto b/schema/bom-1.5.proto
@@ -691,6 +691,8 @@ enum ScoreMethod {
   SCORE_METHOD_OWASP = 4;
   // Other scoring method
   SCORE_METHOD_OTHER = 5;
+  // Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v4-0/
+  SCORE_METHOD_CVSSV4 = 6;
 }
 
 message Advisory {
diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json
@@ -1543,11 +1543,12 @@
     "scoreMethod": {
       "type": "string",
       "title": "Method",
-      "description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)",
+      "description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* CVSSv4 - [Common Vulnerability Scoring System v4](https://www.first.org/cvss/v4-0/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)",
       "enum": [
         "CVSSv2",
         "CVSSv3",
         "CVSSv31",
+        "CVSSv4",
         "OWASP",
         "other"
       ]
diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd
@@ -2796,6 +2796,14 @@ limitations under the License.
                     </xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
+            <xs:enumeration value="CVSSv4">
+                <xs:annotation>
+                    <xs:documentation xml:lang="en">
+                        The rating is based on CVSS v4.0 standard
+                        https://www.first.org/cvss/v4-0/
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
             <xs:enumeration value="OWASP">
                 <xs:annotation>
                     <xs:documentation xml:lang="en">

Original file line number	Diff line number	Diff line change
`@@ -691,6 +691,8 @@ enum ScoreMethod {`
`691`	`691`	`SCORE_METHOD_OWASP = 4;`
`692`	`692`	`// Other scoring method`
`693`	`693`	`SCORE_METHOD_OTHER = 5;`
	`694`	`+ // Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v4-0/`
	`695`	`+ SCORE_METHOD_CVSSV4 = 6;`
`694`	`696`	`}`
`695`	`697`
`696`	`698`	`message Advisory {`