adding SSVC v1.0.1 production schema to the CVE Record metrics block.

schema/CVE_Record_Format.json

@@ -859,6 +859,9 @@
                     {
                         "required": ["cvssV2_0"]
                     },
+                    {
+                        "required": ["ssvcV1_0_1"]
+                    },
                     {
                         "required": ["other"]
                     }
@@ -898,6 +901,7 @@
                     "cvssV3_1": {"$ref": "file:imports/cvss/cvss-v3.1.json"},
                     "cvssV3_0": {"$ref": "file:imports/cvss/cvss-v3.0.json"},
                     "cvssV2_0": {"$ref": "file:imports/cvss/cvss-v2.0.json"},
+                    "ssvcV1_0_1": {"$ref": "file:imports/ssvc/ssvc-v1.0.1.json"},
                     "other": {
                         "type": "object",
                         "description": "A non-standard impact description, may be prose or JSON block.",

schema/imports/ssvc/ssvc-v1.0.1.json

@@ -0,0 +1,105 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "definitions": {
+	"id": {
+            "type": "string",
+            "description": "Identifier for a vulnerability could be CVE, CERT/CC VU#, OSV id, Bugtraq, GHSA etc.",
+            "examples": ["CVE-2024-101010","VU#11111","GHSA-11a1-22b2-33c3"]
+	},	
+	"role": {
+            "type": "string",
+            "description": "Roles to define SSVC Stakeholders https://certcc.github.io/SSVC/topics/enumerating_stakeholders/",
+            "examples": ["Supplier","Deployer","Coordinator"]
+        },
+	"timestamp" : {
+            "description": "Date and time in ISO format  ISO 8601 format",
+            "type": "string",
+            "format": "date-time"
+	},
+        "schemaVersion": {
+            "description": "Schema version used to represent this evaluation",
+            "type": "string",
+            "enum": ["1-0-1"]
+        },
+	"SsvcdecisionpointselectionSchema": {
+	    "description": "A down-selection of SSVC Decision Points that represent an evaluation at a specific time of a Vulnerability",
+	    "properties": {
+		"name": {
+		    "description": "Name of the Decision Point that were evaluated", 
+		    "title": "name",
+		    "type": "string",
+		    "examples": ["Automatable", "Exploitation"]
+		},
+		"namespace": {
+		    "description": "SSVC Namespace that were used for defining the evaluated Decision Points",
+		    "title": "namespace",
+		    "type": "string",
+		    "examples": ["ssvc","cvvsv4"]
+		},
+		"values": {
+		    "description": "Evaluated values of the Decision Point",
+		    "title": "values",
+		    "type": "array",
+		    "minItems": 1,
+		    "items": {
+			"description": "Each value that were down-selected for a Decision Point",
+			"title": "values",
+			"type": "string"
+		    }
+		},
+		"version": {
+		    "description": "Version of the Decision Points that were evaluated",
+		    "title": "version",
+		    "type": "string"
+		}
+	    },
+	    "type": "object",
+	    "required": [
+		"name",
+		"namespace",
+		"values",
+		"version"
+	    ],
+	    "additionalProperties": false
+	},
+	"SsvcdecisionpointgroupselectionSchema": {
+	    "properties": {
+		"id": {
+		    "$ref": "#/definitions/id"
+		},
+		"role": {
+		    "$ref": "#/definitions/role"
+		},
+		"schemaVersion": {
+		    "$ref": "#/definitions/schemaVersion"
+		},
+		"timestamp": {
+		    "$ref": "#/definitions/timestamp"
+		},
+		"selections": {
+		    "description" : "An array of Decision Points and their Values that were down-selected or evaluated ",
+		    "title": "selections",
+		    "type": "array",
+		    "minItems": 1,
+		    "items": {
+			"$ref": "#/definitions/SsvcdecisionpointselectionSchema"
+		    }
+		}
+	    },
+	    "type": "object",
+	    "required": [
+		"selections",
+		"id",
+		"timestamp",
+		"schemaVersion"
+	    ],
+	    "additionalProperties": false
+	}
+    },
+    "type": "object",
+    "properties": {
+        "SsvcdecisionpointgroupselectionSchema": {
+            "$ref": "#/definitions/SsvcdecisionpointgroupselectionSchema"
+        }
+    }
+}