goark / go-cvss

Common Vulnerability Scoring System (CVSS)
Apache License 2.0

CVSS v4 #37

Open spiegel-im-spiegel opened 12 months ago

spiegel-im-spiegel commented 12 months ago

Common Vulnerability Scoring System Version 4.0

SecJoe commented 10 months ago

Currently cvss4 has a draft state (release 2023-10-31). There are some major changes and therefore some effort for this project. Maybe we should implement that code (create merge request) based on the current draft, to ensure the final changes can be implemented faster?

pandatix commented 10 months ago

> There are some major changes

Partially true thus partially false: the vector is composed in the same way as for CVSS v3 so the code already exists. The only thing I changed in Section 7 of the release is the examples of valid and invalid vectors.

Nevertheless, the maths changed and I suggest you wait for the release to implement it (could take a bit of time to implement), as we are still finishing it.

EDIT(06th oct. 2023): I chose to go with strict ordering as for CVSS v2.0 to be able to build a linear regex. Else it would have been of O(n!) complexity thus not possible to build a regex (it is a current problem of CVSS v3). As you already support it, the code exists. One more point goes to the "wait for the release" :wink:
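The strict-ordering point in the comment above, as an added example that is not part of the thread or of go-cvss: with a fixed metric order, a validator is one regex with one term per metric, while order-free parsing needs its own duplicate and completeness tracking. It covers only the mandatory CVSS v4.0 base metrics; the function names are hypothetical and the sample vectors are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// CVSS v4.0 base metrics and their allowed values, in specification order.
var baseMetrics = []struct{ name, values string }{
	{"AV", "NALP"}, {"AC", "LH"}, {"AT", "NP"}, {"PR", "NLH"}, {"UI", "NPA"},
	{"VC", "HLN"}, {"VI", "HLN"}, {"VA", "HLN"},
	{"SC", "HLN"}, {"SI", "HLN"}, {"SA", "HLN"},
}

// strictRe has exactly one term per metric, so it grows linearly with the metric count.
var strictRe = func() *regexp.Regexp {
	var b strings.Builder
	b.WriteString(`^CVSS:4\.0`)
	for _, m := range baseMetrics {
		fmt.Fprintf(&b, `/%s:[%s]`, m.name, m.values)
	}
	return regexp.MustCompile(b.String() + `$`)
}()

// ValidStrict accepts a vector only if every base metric is present in spec order.
func ValidStrict(v string) bool { return strictRe.MatchString(v) }

// ValidAnyOrder accepts any permutation; a plain regex cannot do this compactly,
// so unknown names, bad values and duplicates are checked by hand.
func ValidAnyOrder(v string) bool {
	parts := strings.Split(v, "/")
	if len(parts) != len(baseMetrics)+1 || parts[0] != "CVSS:4.0" {
		return false
	}
	allowed := map[string]string{}
	for _, m := range baseMetrics {
		allowed[m.name] = m.values
	}
	seen := map[string]bool{}
	for _, p := range parts[1:] {
		name, val, ok := strings.Cut(p, ":")
		if !ok || len(val) != 1 || !strings.Contains(allowed[name], val) || seen[name] {
			return false
		}
		seen[name] = true
	}
	return true // 11 distinct valid names means every metric is present
}
```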

spiegel-im-spiegel commented 10 months ago

Thank you.

I'm too busy with my day job to work on this package at the moment. I hope to work on CVSSv4 after the official release.

bernhardreiter commented 5 months ago

v4 has been published on the 1st of November, revision 1.1 of their document on 2023-11-09. https://www.first.org/cvss/v4-0/ So work could start on it. ;)