SSVC

- addresses parts of oasis-tcs#803
- add SSVC link in informative references
- mention SSVC in design consideration principles
- add SSVC to metrics section

csaf_2.1/prose/edit/src/design-considerations-01-construction-principles.md

@@ -34,8 +34,17 @@ Proven and intended usage patterns from practice are given where possible.
 
 Delegation to industry best practices technologies is used in referencing schemas for:
 
+* Classification for Document Distribution
+  * Traffic Light Protocol (TLP)
+    * Default Definition: https://www.first.org/tlp/
+* Vulnerability Classification
+  * Common Weakness Enumeration (CWE) [cite](#CWE)
+    * CWE List: http://cwe.mitre.org/data/index.html
 * Platform Data:
   * Common Platform Enumeration (CPE) Version 2.3 [cite](#CPE23-N)
+* Vulnerability Categorization:
+  * Stakeholder-Specific Vulnerability Categorization [cite](#SSVC)
+    * JSON Schema Reference https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json
 * Vulnerability Scoring:
   * Common Vulnerability Scoring System (CVSS) Version 4.0 [cite](#CVSS40)
     * JSON Schema Reference https://www.first.org/cvss/cvss-v4.0.json
@@ -45,12 +54,6 @@ Delegation to industry best practices technologies is used in referencing schema
     * JSON Schema Reference https://www.first.org/cvss/cvss-v3.0.json
   * Common Vulnerability Scoring System (CVSS) Version 2.0 [cite](#CVSS2)
     * JSON Schema Reference https://www.first.org/cvss/cvss-v2.0.json
-* Vulnerability Classification
-  * Common Weakness Enumeration (CWE) [cite](#CWE)
-    * CWE List: http://cwe.mitre.org/data/index.html
-* Classification for Document Distribution
-  * Traffic Light Protocol (TLP)
-    * Default Definition: https://www.first.org/tlp/
 
 Even though the JSON schema does not prohibit specifically additional properties and custom keywords,
 it is strongly recommended not to use them. Suggestions for new fields SHOULD be made through issues in the TC's GitHub.
@@ -65,5 +68,3 @@ consumers to verify rules from the specification which can not be tested by the
 Section [sec](#distributing-csaf-documents) states how to distribute and where to find CSAF documents.
 Safety, Security and Data Protection are considered in section [sec](#safety-security-and-data-protection-considerations).
 Finally, a set of conformance targets describes tools in the ecosystem.
-
-

csaf_2.1/prose/edit/src/introduction-04-informative-references.md

@@ -102,6 +102,9 @@ SemVer
 SPDX22
 :    _The Software Package Data Exchange (SPDX®) Specification Version 2.2_, Linux Foundation and its Contributors, 2020, <https://spdx.github.io/spdx-spec/>.
 
+SSVC
+:    _SSVC: Stakeholder-Specific Vulnerability Categorization_, CERT/CC, <https://certcc.github.io/SSVC/>
+
 VERS
 :    _vers: a mostly universal version range specifier_, Part of the purl GitHub Project, <https://github.com/package-url/purl-spec/blob/version-range-spec/VERSION-RANGE-SPEC.rst>.
 

csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md

@@ -438,6 +438,9 @@ A Content object has at least 1 property.
           },
           "cvss_v4": {
             // ...
+          },
+          "ssvc_v1": {
+            // ....
           }
         }
 ```
@@ -452,6 +455,9 @@ The property CVSS v3 (`cvss_v3`) holding a CVSS v3.x value abiding by one of the
 The property CVSS v4 (`cvss_v4`) holding a CVSS v4.0 value abiding by the schema at
 [https://www.first.org/cvss/cvss-v4.0.json](https://www.first.org/cvss/cvss-v4.0.json).
 
+The property SSVC v1 (`ssvc_v1`) holding an SSVC Decision Point Value Selection v1.x.y value abiding by the schema at
+[https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json](https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json).
+
 ##### Vulnerabilities Property - Metrics - Products
 
 Product IDs (`products`) of value type `products_t` with 1 or more items indicates for which products the given content applies.