From 547679babee58dd95da47665acca1d7ff5ce4025 Mon Sep 17 00:00:00 2001 From: David Waltermire Date: Sun, 10 Nov 2024 19:32:27 -0500 Subject: [PATCH] Added facet system, names, and values for CVSS v4.0. --- .../oscal_assessment-common_metaschema.xml | 168 ++++++++++++++++++ 1 file changed, 168 insertions(+) diff --git a/src/metaschema/oscal_assessment-common_metaschema.xml b/src/metaschema/oscal_assessment-common_metaschema.xml index 3a3b34144b..56562f6b3d 100644 --- a/src/metaschema/oscal_assessment-common_metaschema.xml +++ b/src/metaschema/oscal_assessment-common_metaschema.xml @@ -1381,6 +1381,7 @@ The facet naming system for representing Common Vunerability Scoring System (CVSS) vectors as defined by the the Forum for Incident Response and Security Teams CVSS Special Interest Group (CVSS-SIG) for CVSS v2. The facet naming system for representing Common Vunerability Scoring System (CVSS) vectors as defined by the the Forum for Incident Response and Security Teams CVSS Special Interest Group (CVSS-SIG) for CVSS v3.0. The facet naming system for representing Common Vunerability Scoring System (CVSS) vectors as defined by the the Forum for Incident Response and Security Teams CVSS Special Interest Group (CVSS-SIG) for CVSS v3.1. + The facet naming system for representing Common Vunerability Scoring System (CVSS) vectors as defined by the the Forum for Incident Response and Security Teams CVSS Special Interest Group (CVSS-SIG) for CVSS v4.0. 
@@ -1596,6 +1597,173 @@ Unchanged Changed + + Base: Attack Vector + Base: Attack Complexity + Base: Attack Requirements + Base: Privileges Required + Base: User Interaction + Base: Vulnerable System Confidentiality Impact + Base: Vulnerable System Integrity Impact + Base: Vulnerable System Availability Impact + Base: Subsequent System Confidentiality Impact + Base: Vulnerable System Integrity Impact + Base: Vulnerable System Availability Impact + Supplemental: Safety + Supplemental: Automatable + Supplemental: Recovery + Supplemental: Value Density + Supplemental: Vulnerability Response Effort + Supplemental: Provider Urgency + Environmental: Modified Attack Vector + Environmental: Modified Attack Complexity + Environmental: Modified Attack Requirements + Environmental: Modified Privileges Required + Environmental: Modified User Interaction + Environmental: Modified Vulnerable System Confidentiality + Environmental: Modified Vulnerable System Integrity + Environmental: Modified Vulnerable System Availability + Environmental: Subsequent Vulnerable System Confidentiality + Environmental: Subsequent Vulnerable System Integrity + Environmental: Subsequent Vulnerable System Availability + Environmental: Confidentiality Requirements + Environmental: Integrity Requirements + Environmental: Availability Requirements + Threat: Exploit Maturity + + + Attack Vector Values + Network + Adjacent + Local + Physical + + + Attack Complexity Values + High + Low + + + Attack Requirements Values + None + Present + + + Privileges Required, Confidentiality, Integrity, and Availability Values + None + Low + High + + + User Interaction Values + None + Passive + Active + + + Safety Values + Not Defined + Negligible + Present + + + Automatable Values + Not Defined + No + Yes + + + Recovery Values + Not Defined + Automatic + User + Irrecoverable + + + Value Density Values + Not Defined + Automatic + User + Irrecoverable + + + Vulnerability Response Effort Values + Not Defined + Low + 
Moderate + High + + + Provider Urgency Values + Not Defined + Clear + Green + Amber + Red + + + Modified Attack Vector Values + Not Defined + Network + Adjacent + Local + Physical + + + Modified Attack Complexity Values + Not Defined + High + Low + + + Modified Attack Requirements Values + Not Defined + None + Present + + + Modified Privileges Required, and Vulnerable System Confidentiality, Integrity, and Availability Values + Not Defined + None + Low + High + + + Modified User Interaction Values + Not Defined + None + Passive + Active + + + Modified Subsequent System Confidentiality Values + Not Defined + Negligible + Low + High + + + Modified Safety-Related Subsequent System Integrity and Availability Values + Not Defined + Negligible + Low + High + Safety + + + Vulnerability Response Effort Values + Not Defined + Low + Medium + High + + + Vulnerability Response Effort Values + Not Defined + Attacked + PoC + Unreported +
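Review bot: in the first hunk (@@ -1381,6 +1381,7 @@), the added CVSS v4.0 description carries over the misspelling "Vunerability" and the doubled "the the" from the v2, v3.0 and v3.1 descriptions it was copied from. Suggest "Common Vulnerability Scoring System" and "as defined by the Forum for Incident Response and Security Teams" in the new line, and correcting the three existing descriptions in the same or a follow-up change so that all four stay consistent.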
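Review bot: in the second hunk (@@ -1596,6 +1597,173 @@), several added labels look like copy-paste leftovers that would mislabel CVSS v4.0 metrics in any tool that renders these facets. (1) After "Base: Subsequent System Confidentiality Impact", the next two entries repeat "Base: Vulnerable System Integrity Impact" and "Base: Vulnerable System Availability Impact", so the Subsequent System Integrity and Availability base metrics have no distinct label. (2) "Value Density Values" lists the same values as "Recovery Values" (Automatic, User, Irrecoverable); the CVSS v4.0 specification defines Value Density as Diffuse or Concentrated. (3) The title "Vulnerability Response Effort Values" appears three times: the list with Low, Medium, High presumably belongs to the Confidentiality, Integrity and Availability Requirements, and the list with Attacked, PoC, Unreported to "Threat: Exploit Maturity". (4) The three "Environmental: Subsequent Vulnerable System ..." names omit "Modified", unlike the other environmental names and the value-list titles "Modified Subsequent System ...". Suggest correcting these labels before merge and adding a check that each metric name and each value-list title in the v4.0 block is unique.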