
Add CVSS v4 Facet Support #2067

Merged

Conversation

david-waltermire
Contributor

@david-waltermire david-waltermire commented Nov 11, 2024

Committer Notes

This PR adds constraints for assessment results facets for CVSS v4.0.

The names and values used are the initialisms used in the CVSS vector string, to provide for a more concise representation that aligns with how CVSS is commonly used in many tools.

All Submissions:

By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.

(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)

Changes to Core Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you included examples of how to use your new feature(s)?
  • Have you updated all OSCAL website and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the docs/content directory of your branch.
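As an added illustration of the naming choice described in the committer notes (this is example code written for this page, not code from the OSCAL project or this PR), the following parses a CVSS v4.0 vector string into the same initialism-keyed name/value pairs the new facet constraints use, and rejects any base metric whose value CVSS v4.0 does not allow. It covers base metrics only; threat, environmental and supplemental metrics are treated as unsupported.

```python
# Added example, not OSCAL project code; validates CVSS v4.0 base metrics only.
import re

# Base metric initialisms and their allowed values per the CVSS v4.0 specification.
CVSS40_BASE_METRICS = {
    "AV": ("N", "A", "L", "P"),   # Attack Vector
    "AC": ("L", "H"),             # Attack Complexity
    "AT": ("N", "P"),             # Attack Requirements
    "PR": ("N", "L", "H"),        # Privileges Required
    "UI": ("N", "P", "A"),        # User Interaction
    "VC": ("H", "L", "N"),        # Vulnerable system Confidentiality
    "VI": ("H", "L", "N"),        # Vulnerable system Integrity
    "VA": ("H", "L", "N"),        # Vulnerable system Availability
    "SC": ("H", "L", "N"),        # Subsequent system Confidentiality
    "SI": ("H", "L", "N"),        # Subsequent system Integrity
    "SA": ("H", "L", "N"),        # Subsequent system Availability
}

def parse_cvss40_vector(vector: str) -> dict:
    """Return {metric: value} facet pairs; raise ValueError on a malformed vector."""
    prefix, sep, body = vector.partition("/")
    if prefix != "CVSS:4.0" or not sep:
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    facets = {}
    for item in body.split("/"):
        m = re.fullmatch(r"([A-Z]{1,3}):([A-Z])", item)
        if not m:
            raise ValueError(f"malformed metric {item!r}")
        name, value = m.groups()
        if name in facets:
            raise ValueError(f"duplicate metric {name}")
        allowed = CVSS40_BASE_METRICS.get(name)
        if allowed is None:
            raise ValueError(f"unknown or unsupported metric {name}")
        if value not in allowed:
            raise ValueError(f"value {value!r} not allowed for {name}")
        facets[name] = value
    missing = [n for n in CVSS40_BASE_METRICS if n not in facets]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return facets

def is_valid_cvss40_vector(vector: str) -> bool:
    """True if the vector parses cleanly; usable as a simple constraint check."""
    try:
        parse_cvss40_vector(vector)
    except ValueError:
        return False
    return True
```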

@david-waltermire david-waltermire requested a review from a team as a code owner November 11, 2024 01:29
@aj-stein-gsa

@david-waltermire, as this PR is not strictly a bug fix but is still backwards compatible, if you would like to target this PR at the main branch and propose I include it in the #2072, please let me know.

@david-waltermire
Contributor Author

This is a new enhancement, so I am comfortable with this being considered for the next minor release, as long as that is not too far into the future, since some organizations are already adopting CVSS 4.0.

@iMichaela
Contributor

@david-waltermire - I reviewed the proposed support for CVSS 4.0.
I noted that the CVSS v3.1 facet is supported as a stand-alone facet, but there are no constraints associated with it, nor does it appear to be added to the CVSS v3.0 constraints. Do you mind ensuring no more updates are necessary for the CVSS support?

Contributor

@iMichaela iMichaela left a comment

Proposed support for CVSS 4.0 looks good.

@iMichaela
Contributor

@david-waltermire - Can you please rebase your branch. I am not able to do so on your behalf.

@david-waltermire
Contributor Author

@david-waltermire - I reviewed the proposed support for CVSS 4.0. I noted that the CVSS v3.1 facet is supported as a stand-alone facet, but there are no constraints associated with it, nor does it appear to be added to the CVSS v3.0 constraints. Do you mind ensuring no more updates are necessary for the CVSS support?

The facets for 3.0 and 3.1 are the same (minus the system), so the constraints for the values are shared between the two. This is because v3.0 and v3.1 only focused on adjusting guidance around how to apply the scoring system. See the following examples.

```xml
<allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1')]/@name">

<allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='access-vector']/@value">

<allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('privileges-required', 'confidentiality-impact', 'integrity-impact', 'availability-impact')]/@value">
```

@david-waltermire
Contributor Author

@david-waltermire - Can you please rebase your branch. I am not able to do so on your behalf.

On what branch should I rebase?

FWIW, I have marked my PR as editable by maintainers as required in the PR template, so you should be able to rebase on your own.

@iMichaela
Contributor

@david-waltermire - Can you please rebase your branch. I am not able to do so on your behalf.

On what branch should I rebase?

FWIW, I have marked my PR as editable by maintainers as required in the PR template, so you should be able to rebase on your own.

There are conflicts I need to address manually. I can do so locally by pulling your branch and merging it into develop, but I want to ensure the correct selection is made when conflicts are addressed, unless you can address them and push them to the PR.

@david-waltermire
Contributor Author

david-waltermire commented Nov 14, 2024

It looks like you created some merge commits that were causing the problem. I'd recommend generally using git rebase instead of git merge to prevent this. This can dramatically reduce the number of merge conflicts.

I rebased using git pull -r origin develop and it is back to a clean, single commit PR.

@iMichaela
Contributor

It looks like you created some merge commits that were causing the problem. I'd recommend generally using git rebase instead of git merge to prevent this. This can dramatically reduce the number of merge conflicts.

I rebased using git pull -r origin develop and it is back to a clean, single commit PR.

Thank you!

@iMichaela iMichaela merged commit 547679b into usnistgov:develop Nov 14, 2024
1 check passed
@david-waltermire david-waltermire deleted the feature/add-cvss-v4-support branch November 15, 2024 01:45