Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CVSS v4 Facet Support #2067

Merged

Conversation

david-waltermire
Copy link
Contributor

@david-waltermire david-waltermire commented Nov 11, 2024

Committer Notes

This PR adds constraints for assessment results facets for CVSS v4.0.

The names and values used are the initialisms used in the CVSS vector string, to provide for a more concise representation that aligns with how CVSS is commonly used in many tools.

All Submissions:

By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.

(For reviewers: The wiki has guidance on code review and overall issue review for completeness.)

Changes to Core Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you included examples of how to use your new feature(s)?
  • Have you updated all OSCAL website and readme documentation affected by the changes you made? Changes to the OSCAL website can be made in the docs/content directory of your branch.

@david-waltermire david-waltermire requested a review from a team as a code owner November 11, 2024 01:29
@aj-stein-gsa
Copy link
Contributor

@david-waltermire, as this PR is not strictly a bug fix but is still backwards compatible, if you would like to target this PR at the main branch and propose I include it in the #2072, please let me know.

@david-waltermire
Copy link
Contributor Author

This is a new enhancement, so I am comfortable with this being considered for the next minor release, as long as that is not too far into the future, since some organizations are already adopting CVSS 4.0.

@iMichaela
Copy link
Contributor

@david-waltermire - I reviewed the proposed support for the CVSS 4.0.
I noted that CVSS v3.1 Facet is supported as a stand alone facet but there are no constraints associated with it nor it appears to be added to the CVSS v3.0 constraints. Do you mind ensuring no more updates are necessary for the CVSS support.

Copy link
Contributor

@iMichaela iMichaela left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Proposed support for CVSS 4.0 looks good.

@iMichaela
Copy link
Contributor

@david-waltermire - Can you please rebase your branch. I am not able to do so on your behalf.

@david-waltermire
Copy link
Contributor Author

@david-waltermire - I reviewed the proposed support for the CVSS 4.0. I noted that CVSS v3.1 Facet is supported as a stand alone facet but there are no constraints associated with it nor it appears to be added to the CVSS v3.0 constraints. Do you mind ensuring no more updates are necessary for the CVSS support.

The facets for 3.0 and 3.1 are the same (minus the system), so the constraints for the values are shared between the two. This is because v3.0 and v3.1 only focused on adjusting guidance around how to apply the scoring system. See the following examples.

<allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1')]/@name">

<allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name='access-vector']/@value">

<allowed-values target="(.)[@system=('http://www.first.org/cvss/v3.0', 'http://www.first.org/cvss/v3.1') and @name=('privileges-required', 'confidentiality-impact', 'integrity-impact', 'availability-impact')]/@value">

@david-waltermire
Copy link
Contributor Author

@david-waltermire - Can you please rebase your branch. I am not able to do so on your behalf.

On what branch should I rebase?

FWIW, I have marked my PR as editable by maintainers as required in the PR template, so you should be able to rebase on you own.

@iMichaela
Copy link
Contributor

@david-waltermire - Can you please rebase your branch. I am not able to do so on your behalf.

On what branch should I rebase?

FWIW, I have marked my PR as editable by maintainers as required in the PR template, so you should be able to rebase on you own.

image

There are conflicts I need to address manually. I can do so locally by pulling your branch and merge it into develop, but I want to ensure the correct selection is made when conflicts are addressed, unless you can address them and push them to the PR.

@david-waltermire
Copy link
Contributor Author

david-waltermire commented Nov 14, 2024

It looks like you created some merge commits that where we causing the problem. I'd recommend generally using git rebase instead of git merge to prevent this. This can dramatically reduce the number of merge conflicts.

I rebased using git pull -r origin develop and it is back to a clean, single commit PR.

@iMichaela
Copy link
Contributor

It looks like you created some merge commits that where we causing the problem. I'd recommend generally using git rebase instead of git merge to prevent this. This can dramatically reduce the number of merge conflicts.

I rebased using git pull -r origin develop and it is back to a clean, single commit PR.

Thank you!

@iMichaela iMichaela merged commit 547679b into usnistgov:develop Nov 14, 2024
1 check passed
@david-waltermire david-waltermire deleted the feature/add-cvss-v4-support branch November 15, 2024 01:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants