Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SSVC to existing rating methods #224

Merged
merged 2 commits into from
Jun 15, 2023
Merged

Add SSVC to existing rating methods #224

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ac47505
Added SSVC
stevespringett May 20, 2023
88c908f
Merge branch 'v1.5-dev' into v1.5-dev-ssvc
jkowalleck Jun 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions schema/bom-1.5.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -853,6 +853,8 @@ enum ScoreMethod {
SCORE_METHOD_OTHER = 5;
// Common Vulnerability Scoring System v3.1 - https://www.first.org/cvss/v4-0/
SCORE_METHOD_CVSSV4 = 6;
// Stakeholder Specific Vulnerability Categorization (all versions) - https://github.com/CERTCC/SSVC
SCORE_METHOD_SSVC = 7;
}

message Advisory {
Expand Down
3 changes: 2 additions & 1 deletion schema/bom-1.5.schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1809,13 +1809,14 @@
"scoreMethod": {
"type": "string",
"title": "Method",
"description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* CVSSv4 - [Common Vulnerability Scoring System v4](https://www.first.org/cvss/v4-0/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)",
"description": "Specifies the severity or risk scoring methodology or standard used.\n\n* CVSSv2 - [Common Vulnerability Scoring System v2](https://www.first.org/cvss/v2/)\n* CVSSv3 - [Common Vulnerability Scoring System v3](https://www.first.org/cvss/v3-0/)\n* CVSSv31 - [Common Vulnerability Scoring System v3.1](https://www.first.org/cvss/v3-1/)\n* CVSSv4 - [Common Vulnerability Scoring System v4](https://www.first.org/cvss/v4-0/)\n* OWASP - [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)\n* SSVC - [Stakeholder Specific Vulnerability Categorization](https://github.com/CERTCC/SSVC) (all versions)",
"enum": [
"CVSSv2",
"CVSSv3",
"CVSSv31",
"CVSSv4",
"OWASP",
"SSVC",
"other"
]
},
Expand Down
8 changes: 8 additions & 0 deletions schema/bom-1.5.xsd
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3980,6 +3980,14 @@ limitations under the License.
</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="SSVC">
<xs:annotation>
<xs:documentation xml:lang="en">
The rating is based on Stakeholder Specific Vulnerability Categorization (all versions)
https://github.com/CERTCC/SSVC
</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="other">
<xs:annotation>
<xs:documentation xml:lang="en">
Expand Down