From 601a2c9acc3f348c3ed72a6ec7f345d264b31214 Mon Sep 17 00:00:00 2001
From: adimatalon <48240623+adimatalon@users.noreply.github.com>
Date: Mon, 18 Dec 2023 11:03:37 +0200
Subject: [PATCH 1/4] add new type: "EPSS_V1" to severity enum

Signed-off-by: adimatalon <48240623+adimatalon@users.noreply.github.com>
---
 validation/schema.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/validation/schema.json b/validation/schema.json
index 6c2bc0d6..480311f4 100644
--- a/validation/schema.json
+++ b/validation/schema.json
@@ -290,7 +290,8 @@
 "enum": [
 "CVSS_V2",
 "CVSS_V3",
- "CVSS_V4"
+ "CVSS_V4",
+ "EPSS_V1"
 ]
 },
 "score": {
From afe3dbf4a60845eae19fc592685bb45f307a7f39 Mon Sep 17 00:00:00 2001
From: adimatalon <48240623+adimatalon@users.noreply.github.com>
Date: Mon, 18 Dec 2023 11:15:27 +0200
Subject: [PATCH 2/4] Update schema.md

Signed-off-by: adimatalon <48240623+adimatalon@users.noreply.github.com>
---
 docs/schema.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/schema.md b/docs/schema.md
index 47a6f151..c15be3d0 100644
--- a/docs/schema.md
+++ b/docs/schema.md
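Review bot: The new `EPSS_V1` enum value arrives with no constraint on what the paired `score` string must hold, and the `"score": {` definition that would carry such a constraint begins on the last line of this hunk and continues outside it. The companion docs hunk says the value carries both a score and a percentile, so a consumer cannot tell whether `score` holds the probability alone, the probability and the percentile together, or some other encoding, and cannot validate or compare it against the CVSS vector strings that share the same field. I would add a `pattern` or at least a `description` for the EPSS case under `score` (constructed example: `"description": "For EPSS_V1, the EPSS probability in [0,1], optionally followed by the percentile"`) and spell out the identical format in docs/schema.md. If the `V1` suffix is meant to track FIRST's EPSS model version rather than this schema's encoding version, the docs should say so explicitly, since the model has been revised more than once since its first release.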
@@ -499,6 +499,8 @@ describes the quantitative method used to calculate the associated `score`.
 | `CVSS_V2` | A CVSS vector string representing the unique characteristics and severity of the vulnerability using a version of the [Common Vulnerability Scoring System notation](https://www.first.org/cvss/v2/) that is == 2.0 (e.g.`"AV:L/AC:M/Au:N/C:N/I:P/A:C"`).|
 | `CVSS_V3` | A CVSS vector string representing the unique characteristics and severity of the vulnerability using a version of the [Common Vulnerability Scoring System notation](https://www.first.org/cvss/) that is >= 3.0 and < 4.0 (e.g.`"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"`).|
 | `CVSS_V4` | A CVSS vector string representing the unique characterictics and severity of the vulnerability using a version on the [Common Vulnerability Scoring System notation](https://www.first.org/cvss/) that is >= 4.0 and < 5.0 (e.g. `"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"`). |
+| `EPSS_V1` | EPSS is a measure of exploitability, it is estimating the probability of observing any exploitation attempts against a vulnerability in the next 30 days(https://www.first.org/epss/faq).
+It containes score and percentile |
 | Your quantitative severity type here. | [Send us a PR](https://github.com/ossf/osv-schema/compare). |
 
 ### severity[].score field
From 9f672329164ae1b67441fd37edf4f45318ee8bf8 Mon Sep 17 00:00:00 2001
From: adimatalon <48240623+adimatalon@users.noreply.github.com>
Date: Mon, 18 Dec 2023 11:16:43 +0200
Subject: [PATCH 3/4] Update schema.md

Signed-off-by: adimatalon <48240623+adimatalon@users.noreply.github.com>
---
 docs/schema.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/docs/schema.md b/docs/schema.md
index c15be3d0..182b8361 100644
--- a/docs/schema.md
+++ b/docs/schema.md
@@ -499,8 +499,7 @@ describes the quantitative method used to calculate the associated `score`.
 | `CVSS_V2` | A CVSS vector string representing the unique characteristics and severity of the vulnerability using a version of the [Common Vulnerability Scoring System notation](https://www.first.org/cvss/v2/) that is == 2.0 (e.g.`"AV:L/AC:M/Au:N/C:N/I:P/A:C"`).|
 | `CVSS_V3` | A CVSS vector string representing the unique characteristics and severity of the vulnerability using a version of the [Common Vulnerability Scoring System notation](https://www.first.org/cvss/) that is >= 3.0 and < 4.0 (e.g.`"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"`).|
 | `CVSS_V4` | A CVSS vector string representing the unique characterictics and severity of the vulnerability using a version on the [Common Vulnerability Scoring System notation](https://www.first.org/cvss/) that is >= 4.0 and < 5.0 (e.g. `"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"`). |
-| `EPSS_V1` | EPSS is a measure of exploitability, it is estimating the probability of observing any exploitation attempts against a vulnerability in the next 30 days(https://www.first.org/epss/faq).
-It containes score and percentile |
+| `EPSS_V1` | EPSS is a measure of exploitability, it is estimating the probability of observing any exploitation attempts against a vulnerability in the next 30 days(https://www.first.org/epss/faq),it containes score and percentile. |
 | Your quantitative severity type here. | [Send us a PR](https://github.com/ossf/osv-schema/compare). |
 
 ### severity[].score field
From a58a2ce5bab8cf37acdf2bf5243ea36fbeaa9e15 Mon Sep 17 00:00:00 2001
From: adimatalon <48240623+adimatalon@users.noreply.github.com>
Date: Mon, 18 Dec 2023 11:17:04 +0200
Subject: [PATCH 4/4] Update schema.md

Signed-off-by: adimatalon <48240623+adimatalon@users.noreply.github.com>
---
 docs/schema.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/schema.md b/docs/schema.md
index 182b8361..f5302322 100644
--- a/docs/schema.md
+++ b/docs/schema.md
@@ -499,7 +499,7 @@ describes the quantitative method used to calculate the associated `score`.
 | `CVSS_V2` | A CVSS vector string representing the unique characteristics and severity of the vulnerability using a version of the [Common Vulnerability Scoring System notation](https://www.first.org/cvss/v2/) that is == 2.0 (e.g.`"AV:L/AC:M/Au:N/C:N/I:P/A:C"`).|
 | `CVSS_V3` | A CVSS vector string representing the unique characteristics and severity of the vulnerability using a version of the [Common Vulnerability Scoring System notation](https://www.first.org/cvss/) that is >= 3.0 and < 4.0 (e.g.`"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"`).|
 | `CVSS_V4` | A CVSS vector string representing the unique characterictics and severity of the vulnerability using a version on the [Common Vulnerability Scoring System notation](https://www.first.org/cvss/) that is >= 4.0 and < 5.0 (e.g. `"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"`). |
-| `EPSS_V1` | EPSS is a measure of exploitability, it is estimating the probability of observing any exploitation attempts against a vulnerability in the next 30 days(https://www.first.org/epss/faq),it containes score and percentile. |
+| `EPSS_V1` | EPSS is a measure of exploitability, it is estimating the probability of observing any exploitation attempts against a vulnerability in the next 30 days(https://www.first.org/epss/faq), it containes score and percentile. |
 | Your quantitative severity type here. | [Send us a PR](https://github.com/ossf/osv-schema/compare). |
 
 ### severity[].score field