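using System.Text.Json.Serialization;

namespace StellaOps.Policy.Scoring;

/// <summary>
/// CVSS v4.0 Base metric group - Exploitability and impact metrics.
/// Per FIRST CVSS v4.0 Specification Document.
/// </summary>
/// <remarks>
/// Every member is mandatory; deserialization fails when one is missing.
/// All metric enums in this file use <see cref="StrictEnumConverter"/>, so a
/// JSON document can only supply the named members (as strings) - a numeric
/// value outside the enum's range is rejected instead of flowing into scoring
/// as an undefined enum value.
/// </remarks>
public sealed record CvssBaseMetrics
{
    /// <summary>Attack Vector (AV) - Mandatory.</summary>
    [JsonPropertyName("av")]
    public required AttackVector AttackVector { get; init; }

    /// <summary>Attack Complexity (AC) - Mandatory.</summary>
    [JsonPropertyName("ac")]
    public required AttackComplexity AttackComplexity { get; init; }

    /// <summary>Attack Requirements (AT) - Mandatory.</summary>
    [JsonPropertyName("at")]
    public required AttackRequirements AttackRequirements { get; init; }

    /// <summary>Privileges Required (PR) - Mandatory.</summary>
    [JsonPropertyName("pr")]
    public required PrivilegesRequired PrivilegesRequired { get; init; }

    /// <summary>User Interaction (UI) - Mandatory.</summary>
    [JsonPropertyName("ui")]
    public required UserInteraction UserInteraction { get; init; }

    /// <summary>Vulnerable System Confidentiality (VC) - Mandatory.</summary>
    [JsonPropertyName("vc")]
    public required ImpactMetricValue VulnerableSystemConfidentiality { get; init; }

    /// <summary>Vulnerable System Integrity (VI) - Mandatory.</summary>
    [JsonPropertyName("vi")]
    public required ImpactMetricValue VulnerableSystemIntegrity { get; init; }

    /// <summary>Vulnerable System Availability (VA) - Mandatory.</summary>
    [JsonPropertyName("va")]
    public required ImpactMetricValue VulnerableSystemAvailability { get; init; }

    /// <summary>Subsequent System Confidentiality (SC) - Mandatory.</summary>
    [JsonPropertyName("sc")]
    public required ImpactMetricValue SubsequentSystemConfidentiality { get; init; }

    /// <summary>Subsequent System Integrity (SI) - Mandatory.</summary>
    [JsonPropertyName("si")]
    public required ImpactMetricValue SubsequentSystemIntegrity { get; init; }

    /// <summary>Subsequent System Availability (SA) - Mandatory.</summary>
    [JsonPropertyName("sa")]
    public required ImpactMetricValue SubsequentSystemAvailability { get; init; }
}

/// <summary>
/// CVSS v4.0 Threat metric group.
/// </summary>
/// <remarks>
/// The time fields describe the provenance of the threat signal so that a
/// consumer can decide whether the signal is still current; nothing in this
/// type enforces <see cref="ExpiresAt"/> against <see cref="ObservedAt"/>.
/// </remarks>
public sealed record CvssThreatMetrics
{
    /// <summary>Exploit Maturity (E) - Optional, defaults to Not Defined.</summary>
    [JsonPropertyName("e")]
    public ExploitMaturity ExploitMaturity { get; init; } = ExploitMaturity.NotDefined;

    /// <summary>When the threat signal was last observed (UTC).</summary>
    [JsonPropertyName("observedAt")]
    public DateTimeOffset? ObservedAt { get; init; }

    /// <summary>When this threat signal should expire.</summary>
    [JsonPropertyName("expiresAt")]
    public DateTimeOffset? ExpiresAt { get; init; }

    /// <summary>Source of threat intelligence (kev, epss, internal).</summary>
    /// <remarks>
    /// Free-form; the listed values are conventions, not an enforced set.
    /// NOTE(review): if consumers branch on this value, compare with
    /// <c>StringComparison.OrdinalIgnoreCase</c> and treat unknown sources
    /// as untrusted - confirm against the callers.
    /// </remarks>
    [JsonPropertyName("source")]
    public string? Source { get; init; }
}

/// <summary>
/// CVSS v4.0 Environmental metric group - Modified base metrics for specific environments.
/// </summary>
/// <remarks>
/// Every member is optional; a <c>null</c> member means the metric is not
/// modified for this environment (equivalent to Not Defined).
/// </remarks>
public sealed record CvssEnvironmentalMetrics
{
    /// <summary>Modified Attack Vector (MAV).</summary>
    [JsonPropertyName("mav")]
    public ModifiedAttackVector? ModifiedAttackVector { get; init; }

    /// <summary>Modified Attack Complexity (MAC).</summary>
    [JsonPropertyName("mac")]
    public ModifiedAttackComplexity? ModifiedAttackComplexity { get; init; }

    /// <summary>Modified Attack Requirements (MAT).</summary>
    [JsonPropertyName("mat")]
    public ModifiedAttackRequirements? ModifiedAttackRequirements { get; init; }

    /// <summary>Modified Privileges Required (MPR).</summary>
    [JsonPropertyName("mpr")]
    public ModifiedPrivilegesRequired? ModifiedPrivilegesRequired { get; init; }

    /// <summary>Modified User Interaction (MUI).</summary>
    [JsonPropertyName("mui")]
    public ModifiedUserInteraction? ModifiedUserInteraction { get; init; }

    /// <summary>Modified Vulnerable System Confidentiality (MVC).</summary>
    [JsonPropertyName("mvc")]
    public ModifiedImpactMetricValue? ModifiedVulnerableSystemConfidentiality { get; init; }

    /// <summary>Modified Vulnerable System Integrity (MVI).</summary>
    [JsonPropertyName("mvi")]
    public ModifiedImpactMetricValue? ModifiedVulnerableSystemIntegrity { get; init; }

    /// <summary>Modified Vulnerable System Availability (MVA).</summary>
    [JsonPropertyName("mva")]
    public ModifiedImpactMetricValue? ModifiedVulnerableSystemAvailability { get; init; }

    /// <summary>Modified Subsequent System Confidentiality (MSC).</summary>
    /// <remarks>
    /// NOTE(review): this property is typed <see cref="ModifiedImpactMetricValue"/>
    /// (None/Low/High) while MSI and MSA use <see cref="ModifiedSubsequentImpact"/>
    /// (Negligible/Low/High/Safety). The v4.0 specification spells the MSC
    /// "N" value as Negligible and has no Safety value for MSC, so a vector-string
    /// emitter must map <c>None</c> to <c>N</c>; the type is kept as-is here to
    /// avoid a breaking change - confirm against the vector parser.
    /// </remarks>
    [JsonPropertyName("msc")]
    public ModifiedImpactMetricValue? ModifiedSubsequentSystemConfidentiality { get; init; }

    /// <summary>Modified Subsequent System Integrity (MSI).</summary>
    [JsonPropertyName("msi")]
    public ModifiedSubsequentImpact? ModifiedSubsequentSystemIntegrity { get; init; }

    /// <summary>Modified Subsequent System Availability (MSA).</summary>
    [JsonPropertyName("msa")]
    public ModifiedSubsequentImpact? ModifiedSubsequentSystemAvailability { get; init; }

    /// <summary>Confidentiality Requirement (CR).</summary>
    [JsonPropertyName("cr")]
    public SecurityRequirement? ConfidentialityRequirement { get; init; }

    /// <summary>Integrity Requirement (IR).</summary>
    [JsonPropertyName("ir")]
    public SecurityRequirement? IntegrityRequirement { get; init; }

    /// <summary>Availability Requirement (AR).</summary>
    [JsonPropertyName("ar")]
    public SecurityRequirement? AvailabilityRequirement { get; init; }
}

/// <summary>
/// CVSS v4.0 Supplemental metric group - Additional context metrics that do not affect scoring.
/// </summary>
public sealed record CvssSupplementalMetrics
{
    /// <summary>Safety (S) - Does the vulnerability affect human safety?</summary>
    [JsonPropertyName("s")]
    public Safety? Safety { get; init; }

    /// <summary>Automatable (AU) - Can the vulnerability be exploited automatically?</summary>
    [JsonPropertyName("au")]
    public Automatable? Automatable { get; init; }

    /// <summary>Recovery (R) - What is the recovery capability?</summary>
    [JsonPropertyName("r")]
    public Recovery? Recovery { get; init; }

    /// <summary>Value Density (V) - Resource density of the vulnerable system.</summary>
    [JsonPropertyName("v")]
    public ValueDensity? ValueDensity { get; init; }

    /// <summary>Vulnerability Response Effort (RE) - Effort required to respond.</summary>
    [JsonPropertyName("re")]
    public ResponseEffort? VulnerabilityResponseEffort { get; init; }

    /// <summary>Provider Urgency (U) - Urgency as assessed by the provider.</summary>
    [JsonPropertyName("u")]
    public ProviderUrgency? ProviderUrgency { get; init; }
}

/// <summary>
/// String-only enum converter for the CVSS metric enums.
/// </summary>
/// <remarks>
/// <see cref="JsonStringEnumConverter"/> defaults to <c>allowIntegerValues: true</c>,
/// which lets a JSON number such as <c>99</c> deserialize into an enum value that
/// is not a defined member. Metric values reach the scoring code unchecked, so
/// integers are rejected here (a <see cref="System.Text.Json.JsonException"/> is
/// thrown). Serialization output is unchanged: member names are written as strings,
/// and reading is case-insensitive, exactly as before.
/// </remarks>
internal sealed class StrictEnumConverter : JsonStringEnumConverter
{
    public StrictEnumConverter()
        : base(namingPolicy: null, allowIntegerValues: false)
    {
    }
}

#region Base Metric Enums

/// <summary>Attack Vector values per CVSS v4.0.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum AttackVector
{
    /// <summary>Network (N) - Remotely exploitable.</summary>
    Network,

    /// <summary>Adjacent (A) - Same network segment.</summary>
    Adjacent,

    /// <summary>Local (L) - Local access required.</summary>
    Local,

    /// <summary>Physical (P) - Physical access required.</summary>
    Physical
}

/// <summary>Attack Complexity values per CVSS v4.0.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum AttackComplexity
{
    /// <summary>Low (L) - No specialized conditions.</summary>
    Low,

    /// <summary>High (H) - Specialized conditions required.</summary>
    High
}

/// <summary>Attack Requirements values per CVSS v4.0.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum AttackRequirements
{
    /// <summary>None (N) - No preconditions required.</summary>
    None,

    /// <summary>Present (P) - Preconditions must exist.</summary>
    Present
}

/// <summary>Privileges Required values per CVSS v4.0.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum PrivilegesRequired
{
    /// <summary>None (N) - No privileges needed.</summary>
    None,

    /// <summary>Low (L) - Basic user privileges needed.</summary>
    Low,

    /// <summary>High (H) - Admin/elevated privileges needed.</summary>
    High
}

/// <summary>User Interaction values per CVSS v4.0.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum UserInteraction
{
    /// <summary>None (N) - No user interaction required.</summary>
    None,

    /// <summary>Passive (P) - Involuntary user action.</summary>
    Passive,

    /// <summary>Active (A) - Conscious user action required.</summary>
    Active
}

/// <summary>Impact metric values (None/Low/High) per CVSS v4.0.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum ImpactMetricValue
{
    /// <summary>None (N) - No impact.</summary>
    None,

    /// <summary>Low (L) - Limited impact.</summary>
    Low,

    /// <summary>High (H) - Serious impact.</summary>
    High
}

#endregion

#region Threat Metric Enums

/// <summary>Exploit Maturity values per CVSS v4.0.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum ExploitMaturity
{
    /// <summary>Not Defined (X) - Not assessed.</summary>
    NotDefined,

    /// <summary>Attacked (A) - Active exploitation observed.</summary>
    Attacked,

    /// <summary>Proof of Concept (P) - PoC code exists.</summary>
    ProofOfConcept,

    /// <summary>Unreported (U) - No public exploit code.</summary>
    Unreported
}

#endregion

#region Environmental Metric Enums (Modified versions)

/// <summary>Modified Attack Vector values.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum ModifiedAttackVector
{
    /// <summary>Not Defined (X) - Use the base metric value.</summary>
    NotDefined,
    Network,
    Adjacent,
    Local,
    Physical
}

/// <summary>Modified Attack Complexity values.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum ModifiedAttackComplexity
{
    /// <summary>Not Defined (X) - Use the base metric value.</summary>
    NotDefined,
    Low,
    High
}

/// <summary>Modified Attack Requirements values.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum ModifiedAttackRequirements
{
    /// <summary>Not Defined (X) - Use the base metric value.</summary>
    NotDefined,
    None,
    Present
}

/// <summary>Modified Privileges Required values.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum ModifiedPrivilegesRequired
{
    /// <summary>Not Defined (X) - Use the base metric value.</summary>
    NotDefined,
    None,
    Low,
    High
}

/// <summary>Modified User Interaction values.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum ModifiedUserInteraction
{
    /// <summary>Not Defined (X) - Use the base metric value.</summary>
    NotDefined,
    None,
    Passive,
    Active
}

/// <summary>Modified Impact metric values.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum ModifiedImpactMetricValue
{
    /// <summary>Not Defined (X) - Use the base metric value.</summary>
    NotDefined,
    None,
    Low,
    High
}

/// <summary>Modified Subsequent System Impact values (includes Safety dimension).</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum ModifiedSubsequentImpact
{
    /// <summary>Not Defined (X) - Use the base metric value.</summary>
    NotDefined,
    Negligible,
    Low,
    High,

    /// <summary>Safety (S) - Impact extends to human safety.</summary>
    Safety
}

/// <summary>Security Requirement values.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum SecurityRequirement
{
    /// <summary>Not Defined (X) - Requirement not specified.</summary>
    NotDefined,
    Low,
    Medium,
    High
}

#endregion

#region Supplemental Metric Enums

/// <summary>Safety values per CVSS v4.0.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum Safety
{
    NotDefined,
    Negligible,
    Present
}

/// <summary>Automatable values per CVSS v4.0.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum Automatable
{
    NotDefined,
    No,
    Yes
}

/// <summary>Recovery values per CVSS v4.0.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum Recovery
{
    NotDefined,
    Automatic,
    User,
    Irrecoverable
}

/// <summary>Value Density values per CVSS v4.0.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum ValueDensity
{
    NotDefined,
    Diffuse,
    Concentrated
}

/// <summary>Response Effort values per CVSS v4.0.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum ResponseEffort
{
    NotDefined,
    Low,
    Moderate,
    High
}

/// <summary>Provider Urgency values per CVSS v4.0.</summary>
[JsonConverter(typeof(StrictEnumConverter))]
public enum ProviderUrgency
{
    NotDefined,
    Clear,
    Green,
    Amber,
    Red
}

#endregion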