Merge pull request #224 from CycloneDX/v1.5-dev-ssvc

stevespringett · web-flow · commit 9861a7a7515a · 2023-06-14T22:31:15.000-05:00
Add SSVC to existing rating methods
diff --git a/schema/bom-1.5.proto b/schema/bom-1.5.proto
@@ -853,6 +853,8 @@ enum ScoreMethod {
   SCORE_METHOD_OTHER = 5;
   // Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v4-0/
   SCORE_METHOD_CVSSV4 = 6;
+  // Stakeholder Specific Vulnerability Categorization (all versions) - https://github.com/CERTCC/SSVC
+  SCORE_METHOD_SSVC = 7;
 }
 
 message Advisory {
diff --git a/schema/bom-1.5.schema.json b/schema/bom-1.5.schema.json
@@ -1809,13 +1809,14 @@
     "scoreMethod": {
       "type": "string",
       "title": "Method",
-      "description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* CVSSv4 - [Common Vulnerability Scoring System v4](https://www.first.org/cvss/v4-0/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)",
+      "description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* CVSSv4 - [Common Vulnerability Scoring System v4](https://www.first.org/cvss/v4-0/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)\n* SSVC - [Stakeholder Specific Vulnerability Categorization](https://github.com/CERTCC/SSVC) (all versions)",
       "enum": [
         "CVSSv2",
         "CVSSv3",
         "CVSSv31",
         "CVSSv4",
         "OWASP",
+        "SSVC",
         "other"
       ]
     },
diff --git a/schema/bom-1.5.xsd b/schema/bom-1.5.xsd
@@ -3980,6 +3980,14 @@ limitations under the License.
                     </xs:documentation>
                 </xs:annotation>
             </xs:enumeration>
+            <xs:enumeration value="SSVC">
+                <xs:annotation>
+                    <xs:documentation xml:lang="en">
+                        The rating is based on Stakeholder Specific Vulnerability Categorization (all versions)
+                        https://github.com/CERTCC/SSVC
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:enumeration>
             <xs:enumeration value="other">
                 <xs:annotation>
                     <xs:documentation xml:lang="en">

Original file line number	Diff line number	Diff line change
`@@ -853,6 +853,8 @@ enum ScoreMethod {`
`853`	`853`	`SCORE_METHOD_OTHER = 5;`
`854`	`854`	`// Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v4-0/`
`855`	`855`	`SCORE_METHOD_CVSSV4 = 6;`
	`856`	`+ // Stakeholder Specific Vulnerability Categorization (all versions) - https://github.com/CERTCC/SSVC`
	`857`	`+ SCORE_METHOD_SSVC = 7;`
`856`	`858`	`}`
`857`	`859`
`858`	`860`	`message Advisory {`