oasis-tcs · santosomar · Apr 9, 2024 · Jan 30, 2024 · Jan 30, 2024 · Jan 30, 2024
diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -1350,6 +1350,9 @@
                     }
                   ]
                 },
+                "cvss_v4": {
+                  "$ref": "https://www.first.org/cvss/cvss-v4.0.json"
+                },
                 "products": {
                   "$ref": "#/$defs/products_t"
                 }

diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md
@@ -135,6 +135,8 @@ Secondly, the program fulfills the following for all items of:
   `first_affected` and `last_affected` into `product_ids`.
   If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element.
 * `/vulnerabilities[]/scores[]`:
+  * For any CVSS v4 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to
+    the rules of the applicable CVSS standard. (CSAF CVRF v1.2 predates CVSS v4.0.)
   * For any CVSS v3 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to
     the rules of the applicable CVSS standard.
   * If no `product_id` is given, the CVRF CSAF converter appends all Product IDs which are listed under `../product_status` in
@@ -145,7 +147,8 @@ Secondly, the program fulfills the following for all items of:
     A CVRF CSAF converter MAY offer a configuration option to delete such elements.
   * If there are CVSS v3.0 and CVSS v3.1 Vectors available for the same product, the CVRF CSAF converter discards
     the CVSS v3.0 information and provide in CSAF only the CVSS v3.1 information.
-  * To determine, which minor version of CVSS v3 is used, the CVRF CSAF converter uses the following steps:
+  * To determine, which minor version of CVSS v3 is used and to evaluate a CVSS v4 that was wrongly inserted in a CVSS v3 element,
+    the CVRF CSAF converter uses the following steps:
     1. Retrieve the CVSS version from the CVSS vector, if present.
 
         *Example 1:*

diff --git a/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md b/csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md
@@ -37,6 +37,8 @@ Delegation to industry best practices technologies is used in referencing schema
 * Platform Data:
   * Common Platform Enumeration (CPE) Version 2.3 [cite](#CPE23-N)
 * Vulnerability Scoring:
+  * Common Vulnerability Scoring System (CVSS) Version 4.0 [cite](#CVSS40)
+    * JSON Schema Reference https://www.first.org/cvss/cvss-v4.0.json
   * Common Vulnerability Scoring System (CVSS) Version 3.1 [cite](#CVSS31)
     * JSON Schema Reference https://www.first.org/cvss/cvss-v3.1.json
   * Common Vulnerability Scoring System (CVSS) Version 3.0 [cite](#CVSS30)

diff --git a/csaf_2.1/prose/edit/src/frontmatter.md b/csaf_2.1/prose/edit/src/frontmatter.md
@@ -7,7 +7,7 @@
 
 ## Committee Specification Draft 01
 
-## ?? Month 2024
+## 28 February 2024
 
 #### This stage:
 https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used
 
 **[csaf-v2.1]**
 
-_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. ?? Month 2024. OASIS Standard. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
+_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 28 February 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
 
 
 -------

diff --git a/csaf_2.1/prose/edit/src/guidance-on-size.md b/csaf_2.1/prose/edit/src/guidance-on-size.md
@@ -36,8 +36,9 @@ All _CSAF producers_ SHOULD NOT produce CSAF documents which exceed those limits
 ## File size
 
 A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content,
-e.g.: 15 MB.
+e.g.: 50 MiB.
 
+> The CSAF documents observed in the wild expose strongly varying sizes as per the use cases they serve.
 > At least one database technology in wide use for storing CSAF documents rejects insert attempts when
 > the transformed BSON size exceeds 16 megabytes.
 > The BSON format optimizes for accessibility and not size.
@@ -211,6 +212,7 @@ A string SHOULD NOT have a length greater than:
   * `/vulnerabilities[]/remediations[]/product_ids[]`
   * `/vulnerabilities[]/scores[]/cvss_v2/vectorString`
   * `/vulnerabilities[]/scores[]/cvss_v3/vectorString`
+  * `/vulnerabilities[]/scores[]/cvss_v4/vectorString`
   * `/vulnerabilities[]/scores[]/products[]`
   * `/vulnerabilities[]/threats[]/group_ids[]`
   * `/vulnerabilities[]/threats[]/product_ids[]`
@@ -337,6 +339,42 @@ It seems to be safe to assume that the length of each value is not greater than
 * `/vulnerabilities[]/scores[]/cvss_v3/modifiedIntegrityImpact` (11)
 * `/vulnerabilities[]/scores[]/cvss_v3/modifiedAvailabilityImpact` (11)
 * `/vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity` (8)
+* `/vulnerabilities[]/scores[]/cvss_v4/version` (3)
+* `/vulnerabilities[]/scores[]/cvss_v4/attackVector` (8)
+* `/vulnerabilities[]/scores[]/cvss_v4/attackComplexity` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/attackRequirements` (7)
+* `/vulnerabilities[]/scores[]/cvss_v4/privilegesRequired` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/userInteraction` (7)
+* `/vulnerabilities[]/scores[]/cvss_v4/vulnConfidentialityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/vulnIntegrityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/vulnAvailabilityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/subConfidentialityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/subIntegrityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/subAvailabilityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/exploitMaturity` (16)
+* `/vulnerabilities[]/scores[]/cvss_v4/confidentialityRequirement` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/integrityRequirement` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/availabilityRequirement` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedAttackVector` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedAttackComplexity` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedAttackRequirements` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedPrivilegesRequired` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedUserInteraction` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedVulnConfidentialityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedVulnIntegrityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedVulnAvailabilityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedSubConfidentialityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedSubIntegrityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedSubAvailabilityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/Safety` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/Automatable` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/Recovery` (13)
+* `/vulnerabilities[]/scores[]/cvss_v4/valueDensity` (12)
+* `/vulnerabilities[]/scores[]/cvss_v4/vulnerabilityResponseEffort` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/providerUrgency` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/baseSeverity` (8)
+* `/vulnerabilities[]/scores[]/cvss_v4/threatSeverity` (8)
+* `/vulnerabilities[]/scores[]/cvss_v4/environmentalSeverity` (8)
 * `/vulnerabilities[]/threats[]/category` (14)
 
 ## Date

diff --git a/csaf_2.1/prose/edit/src/introduction-04-informative-references.md b/csaf_2.1/prose/edit/src/introduction-04-informative-references.md
@@ -36,6 +36,9 @@ CVSS30
 CVSS31
 :    _Common Vulnerability Scoring System v3.1: Specification Document_, FIRST.Org, Inc., June 2019, https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf.
 
+CVSS40
+:    _Common Vulnerability Scoring System v4.0: Specification Document_, FIRST.Org, Inc., 09 November 2023, https://www.first.org/cvss/v4-0/cvss-v40-specification.pdf.
+
 CWE
 :    _Common Weakness Enumeration (CWE) – A Community-Developed List of Software Weakness Types_, MITRE, 2005, http://cwe.mitre.org/about/.
 
@@ -88,6 +91,10 @@ RFC7464
 :    N. Williams., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015,
 https://www.rfc-editor.org/info/rfc7464.
 
+RFC8322
+:    Field, J., Banghart, S., and D. Waltermire, "Resource-Oriented Lightweight Information Exchange (ROLIE)", RFC 8322, DOI 10.17487/RFC8322, February 2018,
+https://www.rfc-editor.org/info/rfc8322.
+
 RFC8615
 :    Nottingham, M., "Well-Known Uniform Resource Identifiers (URIs)", RFC 8615, DOI 10.17487/RFC8615, May 2019,
 https://www.rfc-editor.org/info/rfc8615.

diff --git a/csaf_2.1/prose/edit/src/revision-history.md b/csaf_2.1/prose/edit/src/revision-history.md
@@ -11,5 +11,5 @@ toc:
 | Revision                 | Date       | Editor                          | Changes Made                                                                          |
 |:-------------------------|:-----------|:--------------------------------|:--------------------------------------------------------------------------------------|
 | csaf-v2.0-wd20240124-dev | 2024-01-24 | Stefan Hagen and Thomas Schmidt | Preparing initial Editor Revision |
-
+| csaf-v2.0-wd20240228-dev | 2024-02-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
 -------
diff --git a/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md b/csaf_2.1/prose/edit/src/schema-elements-01-defs-03-full-product-name.md
@@ -385,7 +385,7 @@ The URI (`uri`) of value type `string` with format `uri` contains the identifier
 ```
           "x_generic_uris": [
             {
-              "namespace": "https://spdx.github.io/spdx-spec/document-creation-information/#65-spdx-document-namespace-field",
+              "namespace": "https://spdx.github.io/spdx-spec/latest/document-creation-information/#65-spdx-document-namespace-field",
               "uri": "https://swinslow.net/spdx-examples/example4/main-bin-v2#SPDXRef-libc"
             }
           ]

diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-03-vulnerabilities.md
@@ -662,8 +662,8 @@ List of scores (`scores`) of value type `array` with 1 or more items of type sco
     },
 ```
 
-Value type of every such Score item is `object` with the mandatory property `products` and the optional properties `cvss_v2` and
-`cvss_v3` specifies information about (at least one) score of the vulnerability and for which products the given value applies.
+Value type of every such Score item is `object` with the mandatory property `products` and the optional properties `cvss_v2`,
+`cvss_v3` and `cvss_v4` specifies information about (at least one) score of the vulnerability and for which products the given value applies.
 Each Score item has at least 2 properties.
 
 ```
@@ -675,7 +675,10 @@ Each Score item has at least 2 properties.
             "oneOf": [
               // ...
             ]
-          }
+          },
+          "cvss_v4": {
+            // ...
+          },
           "products": {
             // ...
           }
@@ -689,6 +692,8 @@ The property CVSS v3 (`cvss_v3`) holding a CVSS v3.x value abiding by one of the
 [https://www.first.org/cvss/cvss-v3.0.json](https://www.first.org/cvss/cvss-v3.0.json) or
 [https://www.first.org/cvss/cvss-v3.1.json](https://www.first.org/cvss/cvss-v3.1.json).
 
+The property CVSS v4 (`cvss_v4`) holding a CVSS v4.0 value abiding by the schema at [https://www.first.org/cvss/cvss-v4.0.json](https://www.first.org/cvss/cvss-v4.0.json).
+
 Product IDs (`products`) of value type `products_t` with 1 or more items indicates for which products the given scores apply.
 A score object SHOULD reflect the associated product's status (for example,
 a fixed product no longer contains a vulnerability and should have a CVSS score of 0, or simply no score listed;

diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-08-invalid-cvss.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-08-invalid-cvss.md
@@ -7,6 +7,7 @@ The relevant paths for this test are:
 ```
   /vulnerabilities[]/scores[]/cvss_v2
   /vulnerabilities[]/scores[]/cvss_v3
+  /vulnerabilities[]/scores[]/cvss_v4
 ```
 
 *Example 1 (which fails the test):*

diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-09-invalid-cvss-computation.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-09-invalid-cvss-computation.md
@@ -16,6 +16,12 @@ The relevant paths for this test are:
   /vulnerabilities[]/scores[]/cvss_v3/temporalSeverity
   /vulnerabilities[]/scores[]/cvss_v3/environmentalScore
   /vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity
+  /vulnerabilities[]/scores[]/cvss_v4/baseScore
+  /vulnerabilities[]/scores[]/cvss_v4/baseSeverity
+  /vulnerabilities[]/scores[]/cvss_v4/threatScore
+  /vulnerabilities[]/scores[]/cvss_v4/threatSeverity
+  /vulnerabilities[]/scores[]/cvss_v4/environmentalScore
+  /vulnerabilities[]/scores[]/cvss_v4/environmentalSeverity
 ```
 
 *Example 1 (which fails the test):*

diff --git a/csaf_2.1/prose/edit/src/tests-01-mndtr-10-inconsistent-cvss.md b/csaf_2.1/prose/edit/src/tests-01-mndtr-10-inconsistent-cvss.md
@@ -7,6 +7,7 @@ The relevant paths for this test are:
 ```
   /vulnerabilities[]/scores[]/cvss_v2
   /vulnerabilities[]/scores[]/cvss_v3
+  /vulnerabilities[]/scores[]/cvss_v4
 ```
 
 *Example 1 (which fails the test):*

diff --git a/csaf_2.1/prose/edit/src/tests-02-optional.md b/csaf_2.1/prose/edit/src/tests-02-optional.md
@@ -610,8 +610,8 @@ The relevant path for this test is:
 > Neither the `environmentalScore` nor the properties `modifiedIntegrityImpact`, `modifiedAvailabilityImpact`, `modifiedConfidentialityImpact` nor
 > the corresponding attributes in the `vectorString` have been set.
 
-> A tool MAY set the properties `modifiedIntegrityImpact`, `modifiedAvailabilityImpact`, `modifiedConfidentialityImpact` accordingly and
-> compute the `environmentalScore` as quick fix.
+> A tool MAY set the properties `modifiedIntegrityImpact`, `modifiedAvailabilityImpact`, `modifiedConfidentialityImpact` (respectively their
+> equivalents according to the CVSS version used) accordingly and compute the `environmentalScore` as quick fix.
 
 ### Additional Properties
 

diff --git a/csaf_2.1/prose/edit/src/tests-03-informative.md b/csaf_2.1/prose/edit/src/tests-03-informative.md
@@ -50,7 +50,7 @@ The relevant path for this test is:
 
 Recommendation:
 
-It is recommended to (also) use the CVSS v3.1.
+It is recommended to (also) use the CVSS v4.0.
 
 ### Use of CVSS v3.0
 
@@ -413,3 +413,45 @@ The relevant paths for this test are:
 > The product version starts with a `v`.
 
 -------
+
+### Missing CVSS v4.0
+
+For each item in the list of scores it MUST be tested that a `cvss_v4` object is present.
+
+The relevant path for this test is:
+
+```
+    /vulnerabilities[]/scores
+```
+
+*Example 1 (which fails the test):*
+
+```
+  "product_tree": {
+    "full_product_names": [
+      {
+        "product_id": "CSAFPID-9080700",
+        "name": "Product A"
+      }
+    ]
+  },
+  "vulnerabilities": [
+    {
+      "scores": [
+        {
+          "products": [
+            "CSAFPID-9080700"
+          ],
+          "cvss_v3": {
+            "version": "3.1",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+            "baseScore": 10,
+            "baseSeverity": "CRITICAL"
+          }
+        }
+      ]
+    }
+  ]
+```
+
+> There is no CVSS v4.0 score given for `CSAFPID-9080700`.