From 49ff91a9e04b87713aa049e2271bd9ae13c07ab8 Mon Sep 17 00:00:00 2001
From: Stefan Hagen
This specification is provided under the Non-Assertion Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents
- have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC's web page (https://www.oasis-open.org/committees/csaf/ipr.php).
+ have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the TC's web page ([https://www.oasis-open.org/committees/csaf/ipr.php](https://www.oasis-open.org/committees/csaf/ipr.php)).
[CVSS31] Common Vulnerability Scoring System v3.1: Specification Document, FIRST.Org, Inc., June 2019, https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf.
+ [CVSS40] Common Vulnerability Scoring System v4.0: Specification Document, FIRST.Org, Inc., 09 November 2023, https://www.first.org/cvss/v4-0/cvss-v40-specification.pdf.
+
[CWE] Common Weakness Enumeration (CWE) – A Community-Developed List of Software Weakness Types, MITRE, 2005, http://cwe.mitre.org/about/.
Declared JSON namespaces:
-
@@ -620,7 +617,8 @@
Additional Conventions
5.1 Filename
5.2 Separation in Data Stream
- 5.3 Sorting
+ 5.3 Sorting
+ 5.4 Usage of Markdown
@@ -701,7 +699,8 @@
6.3.8 Spell check
6.3.9 Branch Categories
6.3.10 Usage of Product Version Range
- 6.3.11 Usage of V as Version Indicator
+ 6.3.11 Usage of V as Version Indicator
+ 6.3.12 Missing CVSS v4.0
@@ -761,7 +760,8 @@
9.1.14 Conformance Clause 14: CSAF basic validator
9.1.15 Conformance Clause 15: CSAF extended validator
9.1.16 Conformance Clause 16: CSAF full validator
- 9.1.17 Conformance Clause 17: CSAF SBOM matching system
+ 9.1.17 Conformance Clause 17: CSAF SBOM matching system
+ 9.1.18 Conformance Clause 18: CSAF 2.0 to CSAF 2.1 converter
@@ -783,7 +783,8 @@
1.2 Terminology
@@ -828,6 +829,12 @@
sequence of bytes addressable via a URI. Examples: A physical file in a file system such as a source file, an object file, a configuration file or a data file; a specific version of a file in a version control system; a database table accessed via an HTTP request; an arbitrary stream of bytes returned from an HTTP request, a
product URL, a common product enumeration value.
+
[27 September 2021, https://ntia.gov/files/ntia/publications/vex_one-page_summary.pdf.]
- [XX May 2022, [June 2022, https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf.]
@@ -1499,6 +1509,12 @@
"product_identification_helper": {
// ...
- "properties": {
+ "properties": {
"cpe": {
// ...
},
@@ -2104,14 +2120,14 @@
The command openssl dgst -list
(Version 1.1.1f from 2020-03-31) outputs the following:
Supported digests:
- -blake2b512 -blake2s256 -md4
- -md5 -md5-sha1 -ripemd
- -ripemd160 -rmd160 -sha1
- -sha224 -sha256 -sha3-224
- -sha3-256 -sha3-384 -sha3-512
- -sha384 -sha512 -sha512-224
- -sha512-256 -shake128 -shake256
- -sm3 -ssl3-md5 -ssl3-sha1
+ -blake2b512 -blake2s256 -md4
+ -md5 -md5-sha1 -ripemd
+ -ripemd160 -rmd160 -sha1
+ -sha224 -sha256 -sha3-224
+ -sha3-256 -sha3-384 -sha3-512
+ -sha384 -sha512 -sha512-224
+ -sha512-256 -shake128 -shake256
+ -sm3 -ssl3-md5 -ssl3-sha1
-whirlpool
@@ -2245,7 +2261,7 @@
The list of stock keeping units (skus
) of value type array
with 1 or more items contains a list of full or abbreviated (partial) stock keeping units.
- A list of stock keeping units SHOULD only be used if the list of relationships is used to decouple e.g. hardware from the software, or the stock keeping units change during update. In the latter case the remediations SHALL include the new stock keeping units is or a description how it can be obtained.
+ A list of stock keeping units SHOULD only be used if the list of relationships is used to decouple e.g. hardware from the software, or the stock keeping units change during update. In the latter case the remediations SHALL include the new stock keeping units or a description how it can be obtained.
@@ -2253,9 +2269,9 @@
"skus": {
- //...
+ //...
"items": {
- //...
+ //...
}
},
@@ -2957,7 +2973,7 @@
Examples 1:
https://www.us-cert.gov/tlp
- https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Kritis/Merkblatt_TLP.pdf
+ https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/TLP/merkblatt-tlp.pdf
- Value type of every such Score item is object
with the mandatory property products
and the optional properties cvss_v2
and cvss_v3
specifies information about (at least one) score of the vulnerability and for which products the given value applies. Each Score item has at least 2
- properties.
+ Value type of every such Score item is object
with the mandatory property products
and the optional properties cvss_v2
, cvss_v3
and cvss_v4
specifies information about (at least one) score of the vulnerability and for which products the given value applies. Each Score item
+ has at least 2 properties.
"properties": {
"cvss_v2": {
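Review bot: the context line "Examples 1:" above the two TLP URLs is a typo for "Example 1:" (the rest of the document uses the singular); since this hunk already touches the example, fix it in the same pass.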
@@ -4198,16 +4214,23 @@
"oneOf": [
// ...
]
- }
+ },
+ "cvss_v4": {
+ // ...
+ },
"products": {
// ...
}
}
- The property CVSS v2 (cvss_v2
) holding a CVSS v2.0 value abiding by the schema at https://www.first.org/cvss/cvss-v2.0.json.
+ The property CVSS v2 (cvss_v2
) holding a CVSS v2.0 value abiding by the schema at [https://www.first.org/cvss/cvss-v2.0.json](https://www.first.org/cvss/cvss-v2.0.json).
+
+ The property CVSS v3 (cvss_v3
) holding a CVSS v3.x value abiding by one of the schemas at [https://www.first.org/cvss/cvss-v3.0.json](https://www.first.org/cvss/cvss-v3.0.json) or [https://www.first.org/cvss/cvss-v3.1.json](https://www.first.org/cvss/cvss-v3.1.json).
- The property CVSS v3 (cvss_v3
) holding a CVSS v3.x value abiding by one of the schemas at https://www.first.org/cvss/cvss-v3.0.json or https://www.first.org/cvss/cvss-v3.1.json.
+ The property CVSS v4 (cvss_v4
) holding a CVSS v4.0 value abiding by the schema at [https://www.first.org/cvss/cvss-v4.0.json](https://www.first.org/cvss/cvss-v4.0.json).
Product IDs (products
) of value type products_t
with 1 or more items indicates for which products the given scores apply. A score object SHOULD reflect the associated product's status (for example, a fixed product no longer contains a vulnerability and should have a CVSS score of 0, or simply no score listed;
@@ -4650,6 +4673,30 @@
The keys within a CSAF document SHOULD be sorted alphabetically.
++ The use of GitHub-flavoured Markdown is permitted in the following fields: +
+ /document/acknowledgments[]/summary
+ /document/distribution/text
+ /document/notes[]/text
+ /document/publisher/issuing_authority
+ /document/references[]/summary
+ /document/tracking/revision_history[]/summary
+ /product_tree/product_groups[]/summary
+ /vulnerabilities[]/acknowledgments[]/summary
+ /vulnerabilities[]/involvements[]/summary
+ /vulnerabilities[]/notes[]/text
+ /vulnerabilities[]/references[]/summary
+ /vulnerabilities[]/remediations[]/details
+ /vulnerabilities[]/remediations[]/entitlements[]
+ /vulnerabilities[]/remediations[]/restart_required/details
+ /vulnerabilities[]/threats[]/details
+ + Other fields MUST NOT contain Markdown. +
Affected:
-/vulnerabilities[]/product_status/first_affected[]
+ /vulnerabilities[]/product_status/first_affected[]
/vulnerabilities[]/product_status/known_affected[]
/vulnerabilities[]/product_status/last_affected[]
/vulnerabilities[]/scores[]/cvss_v2
- /vulnerabilities[]/scores[]/cvss_v3
+ /vulnerabilities[]/scores[]/cvss_v3
+ /vulnerabilities[]/scores[]/cvss_v4
Example 1 (which fails the test):
@@ -5048,7 +5096,13 @@Example 1 (which fails the test):
@@ -5078,7 +5132,8 @@ /vulnerabilities[]/scores[]/cvss_v2
- /vulnerabilities[]/scores[]/cvss_v3
+ /vulnerabilities[]/scores[]/cvss_v3
+ /vulnerabilities[]/scores[]/cvss_v4
Example 1 (which fails the test):
@@ -6319,7 +6374,7 @@The relevant paths for this test are:
- /vulnerabilities[]/product_status/first_affected[]
+ /vulnerabilities[]/product_status/first_affected[]
/vulnerabilities[]/product_status/known_affected[]
/vulnerabilities[]/product_status/last_affected[]
/vulnerabilities[]/product_status/under_investigation[]
@@ -6357,7 +6412,7 @@
The relevant paths for this test are:
- /vulnerabilities[]/product_status/first_affected[]
+ /vulnerabilities[]/product_status/first_affected[]
/vulnerabilities[]/product_status/known_affected[]
/vulnerabilities[]/product_status/last_affected[]
@@ -6922,7 +6977,7 @@
- A tool MAY set the properties modifiedIntegrityImpact
, modifiedAvailabilityImpact
, modifiedConfidentialityImpact
accordingly and compute the environmentalScore
as quick fix.
+ A tool MAY set the properties modifiedIntegrityImpact
, modifiedAvailabilityImpact
, modifiedConfidentialityImpact
(respectively their equivalents according to the CVSS version used) accordingly and compute the environmentalScore
as quick fix.
@@ -7012,7 +7067,7 @@
Recommendation:
- It is recommended to (also) use the CVSS v3.1.
+ It is recommended to (also) use the CVSS v4.0.
6.3.2 Use of CVSS v3.0
@@ -7391,6 +7446,49 @@
+
+ 6.3.12 Missing CVSS v4.0
+
+
+ For each item in the list of scores it MUST be tested that a cvss_v4
object is present.
+
+
+ The relevant path for this test is:
+
+ /vulnerabilities[]/scores
+
+ Example 1 (which fails the test):
+
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v3": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "baseScore": 10,
+ "baseSeverity": "CRITICAL"
+ }
+ }
+ ]
+ }
+ ]
+
+
+ There is no CVSS v4.0 score given for CSAFPID-9080700
.
+
+
7. Distributing CSAF documents
@@ -7487,7 +7585,7 @@
- Example 1 (minimal with ROLIE document): + Example 1 (minimal with ROLIE document):
{
"canonical_url": "https://www.example.com/.well-known/csaf/provider-metadata.json",
@@ -7545,7 +7643,7 @@
CSAF: https://domain.tld/security/data/csaf/provider-metadata.json
CSAF: https://psirt.domain.tld/advisories/csaf/provider-metadata.json
@@ -7562,7 +7660,7 @@
The URL path /.well-known/csaf/provider-metadata.json
under the main domain of the issuing authority serves directly the provider-metadata.json
according to requirement 7. The use of the scheme "HTTPS" is required. See [RFC8615] for more details.
https://www.example.com/.well-known/csaf/provider-metadata.json
@@ -7578,10 +7676,10 @@
The CSAF documents MUST be located within folders named <YYYY>
where <YYYY>
is the year given in the value of /document/tracking/initial_release_date
.
- 2021
-2020
+ 2024
+2023
7.1.12 Requirement 12: index.txt
@@ -7589,11 +7687,12 @@
The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames.
- 2020/example_company_-_2020-yh4711.json
-2019/example_company_-_2019-yh3234.json
-2018/example_company_-_2018-yh2312.json
+ 2023/esa-2023-09953.json
+2022/esa-2022-02723.json
+2021/esa-2021-31916.json
+2021/esa-2021-03676.json
This can be used to download all CSAF documents.
@@ -7606,12 +7705,12 @@
The file changes.csv MUST contain the filename as well as the value of /document/tracking/current_release_date
for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the current_release_date
timestamp with the latest one first.
- "2020/example_company_-_2020-yh4711.json","2020-07-01T10:09:07Z"
-"2018/example_company_-_2018-yh2312.json","2020-07-01T10:09:01Z"
-"2019/example_company_-_2019-yh3234.json","2019-04-17T15:08:41Z"
-"2018/example_company_-_2018-yh2312.json","2019-03-01T06:01:00Z"
+ "2023/esa-2023-09953.json","2023-07-01T10:09:07Z"
+"2021/esa-2021-03676.json","2023-07-01T10:09:01Z"
+"2022/esa-2022-02723.json","2022-04-17T15:08:41Z"
+"2021/esa-2021-31916.json","2022-03-01T06:01:00Z"
7.1.14 Requirement 14: Directory listings
@@ -7637,7 +7736,7 @@
MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with [RFC8322].
{
"feed": {
@@ -7702,7 +7801,7 @@
The use and therefore the existence of ROLIE service document is optional. If it is used, each ROLIE service document MUST be a JSON file that conforms with [RFC8322] and lists the ROLIE feed documents.
{
"service": {
@@ -7768,7 +7867,7 @@
type of product
CPU
Firewall
@@ -7784,7 +7883,7 @@
areas or sectors, the products are used in
Chemical
Commercial
@@ -7802,7 +7901,7 @@
{
"categories": {
@@ -7826,18 +7925,18 @@
MD5 and SHA1 SHOULD NOT be used.
- File name of CSAF document: example_company_-_2019-yh3234.json
-File name of SHA-256 hash file: example_company_-_2019-yh3234.json.sha256
-File name of SHA-512 hash file: example_company_-_2019-yh3234.json.sha512
+ File name of CSAF document: esa-2022-02723.json
+File name of SHA-256 hash file: esa-2022-02723.json.sha256
+File name of SHA-512 hash file: esa-2022-02723.json.sha512
The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space.
- ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 example_company_-_2019-yh3234.json
+ ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 esa-2022-02723.json
If a ROLIE feed exists, each hash file MUST be listed in it as described in requirement 15.
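Review bot: the SHA-256 digest on the updated example line (`ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 esa-2022-02723.json`) is carried over unchanged from the old `example_company_-_2019-yh3234.json` example; only the filename was replaced. If the value is meant to look like a real digest of the named file it should be recomputed, otherwise a short remark that the digest is illustrative would stop readers from trying to verify it.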
@@ -7848,10 +7947,10 @@
All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is extended by the appropriate extension. See [RFC4880] for more details.
- File name of CSAF document: example_company_-_2019-yh3234.json
-File name of signature file: example_company_-_2019-yh3234.json.asc
+ File name of CSAF document: esa-2022-02723.json
+File name of signature file: esa-2022-02723.json.asc
If a ROLIE feed exists, each signature file MUST be listed in it as described in requirement 15.
@@ -7903,7 +8002,7 @@
The file aggregator.json
SHOULD only list the latest version of the metadata of a CSAF provider.
{
"aggregator": {
@@ -7960,7 +8059,7 @@
{
"aggregator": {
@@ -8208,7 +8307,7 @@
In addition, CSAF documents may be rendered by consumers in various human-readable formats like HTML or PDF. Thus, for security reasons, CSAF producers and consumers SHALL adhere to the following:
- - CSAF producers SHOULD NOT emit messages that contain HTML, even though all variants of Markdown permit it. To include HTML, source code, or any other content that may be interpreted or executed by a CSAF consumer, e.g. to provide a proof-of-concept, the issuing party SHALL use Markdown's fenced code blocks or inline code option.
+
- CSAF producers SHOULD NOT emit messages that contain HTML, even though GitHub-flavoured Markdown is permitted. To include HTML, source code, or any other content that may be interpreted or executed by a CSAF consumer, e.g. to provide a proof-of-concept, the issuing party SHALL use Markdown's fenced code blocks or inline code option.
- Deeply nested markup can cause a stack overflow in the Markdown processor [GFMENG]. To reduce this risk, CSAF consumers SHALL use a Markdown processor that is hardened against such attacks. Note: One example is the GitHub fork of the
cmark
Markdown processor [GFMCMARK].
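Review bot: the rewritten bullet says GitHub-flavoured Markdown "is permitted" but not where; add a reference to the new section 5.4 "Usage of Markdown" so that consumers know only the fields listed there may be rendered as Markdown and that every other field is to be treated as plain text.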
@@ -8312,6 +8411,9 @@
-
CSAF SBOM matching system: A program that connects to or is an SBOM database and is able to manage CSAF documents as required by CSAF management system as well as matching them to SBOM components of the SBOM database.
+ -
+ CSAF 2.0 to CSAF 2.1 converter: A CSAF producer which takes a CSAF 2.0 document as input and converts it into a valid CSAF 2.1 document.
+
9.1.1 Conformance Clause 1: CSAF document
@@ -8425,6 +8527,8 @@
/vulnerabilities[]/scores[]
:
+ - For any CVSS v4 element, the CVRF CSAF converter MUST compute the
baseSeverity
from the baseScore
according to the rules of the applicable CVSS standard. (CSAF CVRF v1.2 predates CVSS v4.0.)
+
- For any CVSS v3 element, the CVRF CSAF converter MUST compute the
baseSeverity
from the baseScore
according to the rules of the applicable CVSS standard.
- If no
product_id
is given, the CVRF CSAF converter appends all Product IDs which are listed under ../product_status
in the arrays known_affected
, first_affected
and last_affected
. If none of these arrays exist, the CVRF CSAF converter outputs an error that no
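Review bot: the added bullet for "any CVSS v4 element" contradicts its own parenthetical: if CSAF CVRF v1.2 predates CVSS v4.0, a CVRF document has no defined CVSS v4 element, so the requirement is unreachable as written. Either drop the bullet or state explicitly that it applies only to CVSS v4.0 data detected inside a CVSS v3 element, as the later step "to evaluate a CVSS v4 that was wrongly inserted in a CVSS v3 element" describes.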
@@ -8434,14 +8538,14 @@
- If there are CVSS v3.0 and CVSS v3.1 Vectors available for the same product, the CVRF CSAF converter discards the CVSS v3.0 information and provide in CSAF only the CVSS v3.1 information.
- - To determine, which minor version of CVSS v3 is used, the CVRF CSAF converter uses the following steps:
+
- To determine, which minor version of CVSS v3 is used and to evaluate a CVSS v4 that was wrongly inserted in a CVSS v3 element, the CVRF CSAF converter uses the following steps:
-
Retrieve the CVSS version from the CVSS vector, if present.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1
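Review bot: the step list now promises to evaluate a CVSS v4 vector found in a CVSS v3 element, but the shown step only maps the vector prefix to a minor version (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1`); add the case for a `CVSS:4.0/` prefix and say what the converter does with it (emit it under `cvss_v4`, or output an error or warning), otherwise the behaviour for that input is undefined.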
@@ -8450,7 +8554,7 @@
Retrieve the CVSS version from the CVSS element's namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace.
xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd"
<!-- -->
@@ -8459,7 +8563,7 @@
is handled the same as
<ScoreSetV3 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd">
@@ -8469,7 +8573,7 @@
decision.
xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0
@@ -9154,6 +9258,31 @@
+
+ 9.1.18 Conformance Clause 18: CSAF 2.0 to CSAF 2.1 converter
+
+
+ A program satisfies the "CSAF 2.0 to CSAF 2.1 converter" conformance profile if the program fulfills the following two groups of requirements:
+
+
+ Firstly, the program:
+
+
+ - satisfies the "CSAF producer" conformance profile.
+
+ - takes only CSAF 2.0 documents as input.
+
+ - additionally satisfies the normative requirements given below.
+
+
+
+ Secondly, the program fulfills the following for all items of:
+
+
+
+ A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown.
+
+
Appendix A. Acknowledgments
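Review bot: the second group of requirements is incomplete: "Secondly, the program fulfills the following for all items of:" is followed by no path and no requirement, and the "normative requirements given below" promised in the first group amount to a single MAY about converting other Markdown formats. Add the list of paths the converter must handle and the per-item conversion rules, otherwise the conformance clause cannot be tested.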
@@ -10471,8 +10600,8 @@
- At least one database technology in wide use for storing CSAF documents rejects insert attempts when the transformed BSON size exceeds 16 megabytes. The BSON format optimizes for accessibility and not size. So, small integers and small strings may incur more overhead in the BSON format than in JSON. In addition, the BSON format adds
- length information for the entries inside the document, which adds to the size when storing CSAF document content in a BSON format.
+ The CSAF documents observed in the wild expose strongly varying sizes as per the use cases they serve. At least one database technology in wide use for storing CSAF documents rejects insert attempts when the transformed BSON size exceeds 16 megabytes. The BSON format optimizes for accessibility and not size. So, small integers and
+ small strings may incur more overhead in the BSON format than in JSON. In addition, the BSON format adds length information for the entries inside the document, which adds to the size when storing CSAF document content in a BSON format.
@@ -10971,6 +11100,9 @@
/vulnerabilities[]/scores[]/cvss_v3/vectorString
+
+ /vulnerabilities[]/scores[]/cvss_v4/vectorString
+
/vulnerabilities[]/scores[]/products[]
@@ -11291,3 +11423,159 @@
/vulnerabilities[]/scores[]/cvss_v3/remediationLevel
(13)
+
+ /vulnerabilities[]/scores[]/cvss_v3/reportConfidence
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v3/temporalSeverity
(8)
+
+
+ /vulnerabilities[]/scores[]/cvss_v3/confidentialityRequirement
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v3/integrityRequirement
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v3/availabilityRequirement
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v3/modifiedAttackVector
(16)
+
+
+ /vulnerabilities[]/scores[]/cvss_v3/modifiedAttackComplexity
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v3/modifiedPrivilegesRequired
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v3/modifiedUserInteraction
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v3/modifiedScope
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v3/modifiedConfidentialityImpact
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v3/modifiedIntegrityImpact
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v3/modifiedAvailabilityImpact
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity
(8)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/version
(3)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/attackVector
(8)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/attackComplexity
(4)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/attackRequirements
(7)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/privilegesRequired
(4)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/userInteraction
(7)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/vulnConfidentialityImpact
(4)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/vulnIntegrityImpact
(4)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/vulnAvailabilityImpact
(4)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/subConfidentialityImpact
(4)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/subIntegrityImpact
(4)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/subAvailabilityImpact
(4)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/exploitMaturity
(16)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/confidentialityRequirement
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/integrityRequirement
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/availabilityRequirement
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/modifiedAttackVector
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/modifiedAttackComplexity
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/modifiedAttackRequirements
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/modifiedPrivilegesRequired
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/modifiedUserInteraction
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/modifiedVulnConfidentialityImpact
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/modifiedVulnIntegrityImpact
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/modifiedVulnAvailabilityImpact
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/modifiedSubConfidentialityImpact
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/modifiedSubIntegrityImpact
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/modifiedSubAvailabilityImpact
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/Safety
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/Automatable
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/Recovery
(13)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/valueDensity
(12)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/vulnerabilityResponseEffort
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/providerUrgency
(11)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/baseSeverity
(8)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/threatSeverity
(8)
+
+
+ /vulnerabilities[]/scores[]/cvss_v4/environmentalSeverity
(8)
+
+
+ /vulnerabilities[]/threats[]/category
(14)
+
+
+
+ C.6 Date
\ No newline at end of file
diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.md b/csaf_2.1/prose/share/csaf-v2.1-draft.md
index e89aacce..9945448c 100644
--- a/csaf_2.1/prose/share/csaf-v2.1-draft.md
+++ b/csaf_2.1/prose/share/csaf-v2.1-draft.md
@@ -215,6 +215,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own
5.1 [Filename](#filename)
5.2 [Separation in Data Stream](#separation-in-data-stream)
5.3 [Sorting](#additional-conventions--sorting)
+ 5.4 [Usage of Markdown](#usage-of-markdown)
6. [Tests](#tests)
6.1 [Mandatory Tests](#mandatory-tests)
6.1.1 [Missing Definition of Product ID](#missing-definition-of-product-id)
@@ -294,6 +295,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own
6.3.9 [Branch Categories](#branch-categories)
6.3.10 [Usage of Product Version Range](#usage-of-product-version-range)
6.3.11 [Usage of V as Version Indicator](#usage-of-v-as-version-indicator)
+ 6.3.12 [Missing CVSS v4.0](#missing-cvss-v4-0)
7. [Distributing CSAF documents](#distributing-csaf-documents)
7.1 [Requirements](#requirements)
7.1.1 [Requirement 1: Valid CSAF document](#requirement-1-valid-csaf-document)
@@ -348,6 +350,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own
9.1.15 [Conformance Clause 15: CSAF extended validator](#conformance-clause-15-csaf-extended-validator)
9.1.16 [Conformance Clause 16: CSAF full validator](#conformance-clause-16-csaf-full-validator)
9.1.17 [Conformance Clause 17: CSAF SBOM matching system](#conformance-clause-17-csaf-sbom-matching-system)
+ 9.1.18 [Conformance Clause 18: CSAF 2.0 to CSAF 2.1 converter](#conformance-clause-18-csaf-2-0-to-csaf-2-1-converter)
Appendix A. [Acknowledgments](#acknowledgments)
Appendix B. [Revision History](#revision-history)
@@ -396,6 +399,8 @@ For purposes of this document, the following terms and definitions apply:
Examples: A physical file in a file system such as a source file, an object file, a configuration file or a data file;
a specific version of a file in a version control system; a database table accessed via an HTTP request;
an arbitrary stream of bytes returned from an HTTP request, a product URL, a common product enumeration value.
+ CSAF 2.0 to CSAF 2.1 converter
+ A CSAF producer which takes a CSAF 2.0 document as input and converts it into a valid CSAF 2.1 document.
CSAF asset matching system
program that connects to or is an asset database and is able to manage CSAF documents as
required by CSAF management system
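Review bot: the new definition "A CSAF producer which takes a CSAF 2.0 document as input ..." is styled differently from its neighbours, which start lowercase without an article ("program that connects to or is an asset database ..."); use "CSAF producer which takes a CSAF 2.0 document as input and converts it into a valid CSAF 2.1 document" to match.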
@@ -605,6 +610,8 @@ For purposes of this document, the following terms and definitions apply:
**\[****CVSS31\]** _Common Vulnerability Scoring System v3.1: Specification Document_, FIRST.Org, Inc., June 2019, https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf.
+**\[****CVSS40\]** _Common Vulnerability Scoring System v4.0: Specification Document_, FIRST.Org, Inc., 09 November 2023, https://www.first.org/cvss/v4-0/cvss-v40-specification.pdf.
+
**\[****CWE\]** _Common Weakness Enumeration (CWE) – A Community-Developed List of Software Weakness Types_, MITRE, 2005, http://cwe.mitre.org/about/.
**\[****CYCLONEDX13\]** _CycloneDX Software Bill-of-Material Specification JSON schema version 1.3_, cyclonedx.org, May 2021, https://github.com/CycloneDX/specification/blob/1.3/schema/bom-1.3.schema.json.
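Review bot: the date "09 November 2023" in the new CVSS40 entry uses a different style from the neighbouring entries ("June 2019", "May 2021"); use "November 2023" for consistency.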
@@ -653,7 +660,7 @@ For purposes of this document, the following terms and definitions apply:
**\[****27 September 2021, .\]**
-**\[****XX May 2022, https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf.\]**
+**\[****June 2022, https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf.\]**
**\[****W3C Recommendation, November 26, 2008, https://www.w3.org/TR/2008/REC-xml-20081126/. Latest version available at .\]**
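Review bot: the date fix in the VEX status justification entry is fine, but the two neighbouring entries in this hunk have lost their reference labels and URLs (`**\[****27 September 2021, .\]**` and `... Latest version available at .\]**`); they should be restored in the same pass so the reference list stays resolvable.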
@@ -751,6 +758,8 @@ Delegation to industry best practices technologies is used in referencing schema
* Platform Data:
* Common Platform Enumeration (CPE) Version 2.3 \[[CPE23-N](#CPE23-N)\]
* Vulnerability Scoring:
+ * Common Vulnerability Scoring System (CVSS) Version 4.0 \[[CVSS40](#CVSS40)\]
+ * JSON Schema Reference https://www.first.org/cvss/cvss-v4.0.json
* Common Vulnerability Scoring System (CVSS) Version 3.1 \[[CVSS31](#CVSS31)\]
* JSON Schema Reference https://www.first.org/cvss/cvss-v3.1.json
* Common Vulnerability Scoring System (CVSS) Version 3.0 \[[CVSS30](#CVSS30)\]
@@ -1474,7 +1483,7 @@ abbreviated (partial) stock keeping units.
A list of stock keeping units SHOULD only be used if the list of relationships is used to decouple e.g. hardware from the software,
or the stock keeping units change during update.
-In the latter case the remediations SHALL include the new stock keeping units is or a description how it can be obtained.
+In the latter case the remediations SHALL include the new stock keeping units or a description how it can be obtained.
> The use of the list of relationships in the first case is important.
> Otherwise, the end user is unable to identify which version (the affected or the not affected / fixed one) is used.
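Review bot: removing the stray "is" helps, but the sentence still reads "a description how it can be obtained" and uses the singular "it" for the plural "stock keeping units"; suggest "the new stock keeping units or a description of how they can be obtained".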
@@ -2179,7 +2188,7 @@ The default value is the URL to the definition by FIRST:
```
https://www.us-cert.gov/tlp
- https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Kritis/Merkblatt_TLP.pdf
+ https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/TLP/merkblatt-tlp.pdf
```
#### 3.2.1.6 Document Property - Language
@@ -3450,8 +3459,8 @@ List of scores (`scores`) of value type `array` with 1 or more items of type sco
},
```
-Value type of every such Score item is `object` with the mandatory property `products` and the optional properties `cvss_v2` and
-`cvss_v3` specifies information about (at least one) score of the vulnerability and for which products the given value applies.
+Value type of every such Score item is `object` with the mandatory property `products` and the optional properties `cvss_v2`,
+`cvss_v3` and `cvss_v4` specifies information about (at least one) score of the vulnerability and for which products the given value applies.
Each Score item has at least 2 properties.
```
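Review bot: the sentence touched in this hunk has no subject for "specifies" ("Value type of every such Score item is `object` with ... `cvss_v4` specifies information about ..."); split it into "Value type of every such Score item is `object` with the mandatory property `products` and the optional properties `cvss_v2`, `cvss_v3` and `cvss_v4`. It specifies information about (at least one) score of the vulnerability and for which products the given value applies."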
@@ -3463,7 +3472,10 @@ Each Score item has at least 2 properties.
"oneOf": [
// ...
]
- }
+ },
+ "cvss_v4": {
+ // ...
+ },
"products": {
// ...
}
@@ -3477,6 +3489,8 @@ The property CVSS v3 (`cvss_v3`) holding a CVSS v3.x value abiding by one of the
[https://www.first.org/cvss/cvss-v3.0.json](https://www.first.org/cvss/cvss-v3.0.json) or
[https://www.first.org/cvss/cvss-v3.1.json](https://www.first.org/cvss/cvss-v3.1.json).
+The property CVSS v4 (`cvss_v4`) holding a CVSS v4.0 value abiding by the schema at [https://www.first.org/cvss/cvss-v4.0.json](https://www.first.org/cvss/cvss-v4.0.json).
+
Product IDs (`products`) of value type `products_t` with 1 or more items indicates for which products the given scores apply.
A score object SHOULD reflect the associated product's status (for example,
a fixed product no longer contains a vulnerability and should have a CVSS score of 0, or simply no score listed;
@@ -3765,6 +3779,30 @@ they MUST be separated by the Record Separator in accordance with \[[RFC7464](#R
The keys within a CSAF document SHOULD be sorted alphabetically.
+## 5.4 Usage of Markdown
+
+The use of GitHub-flavoured Markdown is permitted in the following fields:
+
+```
+ /document/acknowledgments[]/summary
+ /document/distribution/text
+ /document/notes[]/text
+ /document/publisher/issuing_authority
+ /document/references[]/summary
+ /document/tracking/revision_history[]/summary
+ /product_tree/product_groups[]/summary
+ /vulnerabilities[]/acknowledgments[]/summary
+ /vulnerabilities[]/involvements[]/summary
+ /vulnerabilities[]/notes[]/text
+ /vulnerabilities[]/references[]/summary
+ /vulnerabilities[]/remediations[]/details
+ /vulnerabilities[]/remediations[]/entitlements[]
+ /vulnerabilities[]/remediations[]/restart_required/details
+ /vulnerabilities[]/threats[]/details
+```
+
+Other fields MUST NOT contain Markdown.
+
-------
# 6. Tests
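Review bot: "Other fields MUST NOT contain Markdown" binds no role and cannot be checked by a validator, since any plain string is also valid Markdown; state that the requirement is on the CSAF producer and say whether consumers SHALL render fields outside the list as plain text, and consider an optional test in section 6.3 that flags Markdown-like syntax in fields not on the list.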
@@ -4109,6 +4147,7 @@ The relevant paths for this test are:
```
/vulnerabilities[]/scores[]/cvss_v2
/vulnerabilities[]/scores[]/cvss_v3
+ /vulnerabilities[]/scores[]/cvss_v4
```
*Example 1 (which fails the test):*
@@ -4144,6 +4183,12 @@ The relevant paths for this test are:
/vulnerabilities[]/scores[]/cvss_v3/temporalSeverity
/vulnerabilities[]/scores[]/cvss_v3/environmentalScore
/vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity
+ /vulnerabilities[]/scores[]/cvss_v4/baseScore
+ /vulnerabilities[]/scores[]/cvss_v4/baseSeverity
+ /vulnerabilities[]/scores[]/cvss_v4/threatScore
+ /vulnerabilities[]/scores[]/cvss_v4/threatSeverity
+ /vulnerabilities[]/scores[]/cvss_v4/environmentalScore
+ /vulnerabilities[]/scores[]/cvss_v4/environmentalSeverity
```
*Example 1 (which fails the test):*
@@ -4170,6 +4215,7 @@ The relevant paths for this test are:
```
/vulnerabilities[]/scores[]/cvss_v2
/vulnerabilities[]/scores[]/cvss_v3
+ /vulnerabilities[]/scores[]/cvss_v4
```
*Example 1 (which fails the test):*
@@ -5948,8 +5994,8 @@ The relevant path for this test is:
> Neither the `environmentalScore` nor the properties `modifiedIntegrityImpact`, `modifiedAvailabilityImpact`, `modifiedConfidentialityImpact` nor
> the corresponding attributes in the `vectorString` have been set.
-> A tool MAY set the properties `modifiedIntegrityImpact`, `modifiedAvailabilityImpact`, `modifiedConfidentialityImpact` accordingly and
-> compute the `environmentalScore` as quick fix.
+> A tool MAY set the properties `modifiedIntegrityImpact`, `modifiedAvailabilityImpact`, `modifiedConfidentialityImpact` (respectively their
+> equivalents according to the CVSS version used) accordingly and compute the `environmentalScore` as quick fix.
### 6.2.20 Additional Properties
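Review bot: "respectively their equivalents according to the CVSS version used" is both awkward and underspecified for CVSS v4.0, which splits the modified impact properties into `modifiedVulnConfidentialityImpact` / `modifiedVulnIntegrityImpact` / `modifiedVulnAvailabilityImpact` and the `modifiedSub*Impact` family (see the length list added at @@ -8066). Suggest "or the equivalent properties of the CVSS version in use" and, if the quick fix is meant to set both the vulnerable-system and the subsequent-system variants for v4.0, say which ones a tool should set.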
@@ -6031,7 +6077,7 @@ The relevant path for this test is:
Recommendation:
-It is recommended to (also) use the CVSS v3.1.
+It is recommended to (also) use the CVSS v4.0.
### 6.3.2 Use of CVSS v3.0
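Review bot: replacing "CVSS v3.1" with "CVSS v4.0" in this recommendation drops v3.1 entirely, although the rest of the patch keeps v3.1 as a first-class option (the `cvss_v3` paths stay in every test list and the new 6.3.12 only adds the absence of v4.0 as an informative test). Suggest "It is recommended to (also) use CVSS v3.1 or CVSS v4.0." unless the intent is to steer producers away from v3.1, in which case that intent should be stated.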
@@ -6395,6 +6441,48 @@ The relevant paths for this test are:
-------
+### 6.3.12 Missing CVSS v4.0
+
+For each item in the list of scores it MUST be tested that a `cvss_v4` object is present.
+
+The relevant path for this test is:
+
+```
+ /vulnerabilities[]/scores
+```
+
+*Example 1 (which fails the test):*
+
+```
+ "product_tree": {
+ "full_product_names": [
+ {
+ "product_id": "CSAFPID-9080700",
+ "name": "Product A"
+ }
+ ]
+ },
+ "vulnerabilities": [
+ {
+ "scores": [
+ {
+ "products": [
+ "CSAFPID-9080700"
+ ],
+ "cvss_v3": {
+ "version": "3.1",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
+ "baseScore": 10,
+ "baseSeverity": "CRITICAL"
+ }
+ }
+ ]
+ }
+ ]
+```
+
+> There is no CVSS v4.0 score given for `CSAFPID-9080700`.
+
# 7. Distributing CSAF documents
This section lists requirements and roles defined for distributing CSAF documents.
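Review bot: the test text applies per item ("For each item in the list of scores it MUST be tested that a `cvss_v4` object is present"), but the relevant path is given as `/vulnerabilities[]/scores`; the sibling tests in this patch use the item form (`/vulnerabilities[]/scores[]/cvss_v4`), so `/vulnerabilities[]/scores[]` would be the precise path. The example itself is clear, and since this sits under the informative tests it may be worth one sentence saying that a failing document is still valid CSAF, so that consumers do not treat a missing v4.0 score as an error.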
@@ -6467,7 +6555,7 @@ CSAF aggregator SHOULD display over any individual `publisher` values in the CSA
> * https://psirt.domain.tld/advisories/csaf/provider-metadata.json
> * https://domain.tld/security/csaf/provider-metadata.json
-*Example 1 (minimal with ROLIE document):*
+*Example 1 (minimal with ROLIE document):*
```
{
@@ -6528,7 +6616,7 @@ See \[[SECURITY-TXT](#SECURITY-TXT)\] for more details.
> The security.txt was published as \[[RFC9116](#RFC9116)\] in April 2022. At the time of this writing,
> the `CSAF` field is in the process of being officially added.
-*Examples 1:*
+*Examples 1:*
```
CSAF: https://domain.tld/security/data/csaf/provider-metadata.json
@@ -6548,7 +6636,7 @@ The URL path `/.well-known/csaf/provider-metadata.json` under the main domain of
the `provider-metadata.json` according to requirement 7.
The use of the scheme "HTTPS" is required. See \[[RFC8615](#RFC8615)\] for more details.
-*Example 1:*
+*Example 1:*
```
https://www.example.com/.well-known/csaf/provider-metadata.json
@@ -6565,23 +6653,24 @@ The use of the scheme "HTTPS" is required.
The CSAF documents MUST be located within folders named `` where `` is the year given in the
value of `/document/tracking/initial_release_date`.
-*Examples 1:*
+*Examples 1:*
```
-2021
-2020
+2024
+2023
```
### 7.1.12 Requirement 12: index.txt
The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames.
-*Example 1:*
+*Example 1:*
```
-2020/example_company_-_2020-yh4711.json
-2019/example_company_-_2019-yh3234.json
-2018/example_company_-_2018-yh2312.json
+2023/esa-2023-09953.json
+2022/esa-2022-02723.json
+2021/esa-2021-31916.json
+2021/esa-2021-03676.json
```
> This can be used to download all CSAF documents.
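Review bot: the context line "folders named `` where `` is the year" has lost its placeholder (presumably a `<YYYY>`-style token swallowed as markup in rendering); worth checking that the source still carries it, since this is the very sentence the new example years 2024 and 2023 illustrate. In the index.txt example the two `2021/` entries are not in any obvious order; that is fine because requirement 12 does not prescribe one, but a reader may take the order as meaningful, so either sort them or note that the order is not significant.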
@@ -6591,13 +6680,13 @@ The index.txt file within MUST provide a list of all filenames of CSAF documents
The file changes.csv MUST contain the filename as well as the value of `/document/tracking/current_release_date` for each
CSAF document in the sub-directories without a heading; lines MUST be sorted by the `current_release_date` timestamp with the latest one first.
-*Example 1:*
+*Example 1:*
```
-"2020/example_company_-_2020-yh4711.json","2020-07-01T10:09:07Z"
-"2018/example_company_-_2018-yh2312.json","2020-07-01T10:09:01Z"
-"2019/example_company_-_2019-yh3234.json","2019-04-17T15:08:41Z"
-"2018/example_company_-_2018-yh2312.json","2019-03-01T06:01:00Z"
+"2023/esa-2023-09953.json","2023-07-01T10:09:07Z"
+"2021/esa-2021-03676.json","2023-07-01T10:09:01Z"
+"2022/esa-2022-02723.json","2022-04-17T15:08:41Z"
+"2021/esa-2021-31916.json","2022-03-01T06:01:00Z"
```
### 7.1.14 Requirement 14: Directory listings
@@ -6618,7 +6707,7 @@ At least one of the feeds
MUST exist.
Each ROLIE feed document MUST be a JSON file that conforms with \[[RFC8322](#RFC8322)\].
-*Example 1:*
+*Example 1:*
```
{
@@ -6685,7 +6774,7 @@ having the `rel` value of `signature`.
The use and therefore the existence of ROLIE service document is optional.
If it is used, each ROLIE service document MUST be a JSON file that conforms with \[[RFC8322](#RFC8322)\] and lists the ROLIE feed documents.
-*Example 1:*
+*Example 1:*
```
{
@@ -6728,7 +6817,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or
* `product_version`
* type of product
- *Examples 1:*
+ *Examples 1:*
```
CPU
@@ -6743,7 +6832,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or
* areas or sectors, the products are used in
- *Examples 2:*
+ *Examples 2:*
```
Chemical
@@ -6758,7 +6847,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or
* any other categorization useful to the consumers
-*Example 3:*
+*Example 3:*
```
{
@@ -6782,21 +6871,21 @@ to ensure their integrity. The filename is constructed by appending the file ext
MD5 and SHA1 SHOULD NOT be used.
-*Example 1:*
+*Example 1:*
```
-File name of CSAF document: example_company_-_2019-yh3234.json
-File name of SHA-256 hash file: example_company_-_2019-yh3234.json.sha256
-File name of SHA-512 hash file: example_company_-_2019-yh3234.json.sha512
+File name of CSAF document: esa-2022-02723.json
+File name of SHA-256 hash file: esa-2022-02723.json.sha256
+File name of SHA-512 hash file: esa-2022-02723.json.sha512
```
The file content SHALL start with the first byte of the hexadecimal hash value.
Any subsequent data (like a filename) which is optional SHALL be separated by at least one space.
-*Example 2:*
+*Example 2:*
```
-ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 example_company_-_2019-yh3234.json
+ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38 esa-2022-02723.json
```
If a ROLIE feed exists, each hash file MUST be listed in it as described in requirement 15.
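Review bot: Example 2 keeps the old digest `ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38` while the filename changes to `esa-2022-02723.json`; the same value was previously shown for `example_company_-_2019-yh3234.json`, so it is clearly illustrative, but a reader checking examples against real files could be misled. Either recompute it for the new example file or mark the value as a placeholder.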
@@ -6806,11 +6895,11 @@ If a ROLIE feed exists, each hash file MUST be listed in it as described in requ
All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is
extended by the appropriate extension. See \[[RFC4880](#RFC4880)\] for more details.
-*Example 1:*
+*Example 1:*
```
-File name of CSAF document: example_company_-_2019-yh3234.json
-File name of signature file: example_company_-_2019-yh3234.json.asc
+File name of CSAF document: esa-2022-02723.json
+File name of signature file: esa-2022-02723.json.asc
```
If a ROLIE feed exists, each signature file MUST be listed in it as described in requirement 15.
@@ -6841,7 +6930,7 @@ It MUST NOT be stored adjacent to a `provider-metadata.json`.
The file `aggregator.json` SHOULD only list the latest version of the metadata of a CSAF provider.
-*Example 1:*
+*Example 1:*
```
{
@@ -6897,7 +6986,7 @@ Each such folder MUST at least:
* provide a `provider-metadata.json` for the current issuing party.
* provide the ROLIE feed document according to requirement 15 which links to the local copy of the CSAF document.
-*Example 1:*
+*Example 1:*
```
{
@@ -7106,7 +7195,7 @@ CSAF documents are based on JSON, thus the security considerations of \[[RFC8259
In addition, CSAF documents may be rendered by consumers in various human-readable formats like HTML or PDF.
Thus, for security reasons, CSAF producers and consumers SHALL adhere to the following:
-* CSAF producers SHOULD NOT emit messages that contain HTML, even though all variants of Markdown permit it.
+* CSAF producers SHOULD NOT emit messages that contain HTML, even though GitHub-flavoured Markdown is permitted.
To include HTML, source code, or any other content that may be interpreted or executed by a CSAF consumer,
e.g. to provide a proof-of-concept, the issuing party SHALL use Markdown's fenced code blocks or inline code option.
* Deeply nested markup can cause a stack overflow in the Markdown processor \[[GFMENG](#GFMENG)\].
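Review bot: the rewritten bullet loses the reason for the SHOULD NOT: the old text said that all Markdown variants permit HTML, the new one only says that GitHub-flavoured Markdown is permitted. Suggest "even though GitHub-flavoured Markdown, the dialect permitted in the fields listed in section 5.4, allows raw HTML". Because this remains a SHOULD NOT on producers, it would also help to state the consumer side explicitly here: a renderer of those fields should disable or sanitise raw HTML and must not execute or render the contents of fenced code blocks, which the next sentence relies on as the safe container.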
@@ -7176,6 +7265,7 @@ The entities ("conformance targets") for which this document defines requirement
* **CSAF full validator**: A CSAF extended validator that additionally performs informative tests.
* **CSAF SBOM matching system**: A program that connects to or is an SBOM database and is able to manage CSAF documents as required
by CSAF management system as well as matching them to SBOM components of the SBOM database.
+* **CSAF 2.0 to CSAF 2.1 converter**: A CSAF producer which takes a CSAF 2.0 document as input and converts it into a valid CSAF 2.1 document.
### 9.1.1 Conformance Clause 1: CSAF document
@@ -7261,6 +7351,8 @@ Secondly, the program fulfills the following for all items of:
`first_affected` and `last_affected` into `product_ids`.
If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element.
* `/vulnerabilities[]/scores[]`:
+ * For any CVSS v4 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to
+ the rules of the applicable CVSS standard. (CSAF CVRF v1.2 predates CVSS v4.0.)
* For any CVSS v3 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to
the rules of the applicable CVSS standard.
* If no `product_id` is given, the CVRF CSAF converter appends all Product IDs which are listed under `../product_status` in
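Review bot: the parenthetical "(CSAF CVRF v1.2 predates CVSS v4.0.)" undercuts the new MUST, because it leaves open how a CVSS v4 element can appear in conforming CVRF input at all. If the intended case is the one named later in this patch (a CVSS v4 vector wrongly placed in a CVSS v3 element, @@ -7271), say so here and reference that handling; otherwise state that the bullet is defensive and covers non-standard input, so implementers know whether they need a code path for it.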
@@ -7271,10 +7363,11 @@ Secondly, the program fulfills the following for all items of:
A CVRF CSAF converter MAY offer a configuration option to delete such elements.
* If there are CVSS v3.0 and CVSS v3.1 Vectors available for the same product, the CVRF CSAF converter discards
the CVSS v3.0 information and provide in CSAF only the CVSS v3.1 information.
- * To determine, which minor version of CVSS v3 is used, the CVRF CSAF converter uses the following steps:
+ * To determine, which minor version of CVSS v3 is used and to evaluate a CVSS v4 that was wrongly inserted in a CVSS v3 element,
+ the CVRF CSAF converter uses the following steps:
1. Retrieve the CVSS version from the CVSS vector, if present.
- *Example 1:*
+ *Example 1:*
```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1
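Review bot: the new sentence says the steps serve "to evaluate a CVSS v4 that was wrongly inserted in a CVSS v3 element", but the steps that follow only determine a version; what the converter does once it finds a `CVSS:4.0` prefix in a v3 element (emit a `cvss_v4` object instead, drop the element with a warning, or fail) is not stated in the hunk. Adding that outcome as a step would close the gap. Minor: the comma in "To determine, which minor version" should be removed.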
@@ -7283,7 +7376,7 @@ Secondly, the program fulfills the following for all items of:
2. Retrieve the CVSS version from the CVSS element's namespace, if present.
The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace.
- *Example 2:*
+ *Example 2:*
```
xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd"
@@ -7293,7 +7386,7 @@ Secondly, the program fulfills the following for all items of:
is handled the same as
- *Example 3:*
+ *Example 3:*
```
@@ -7304,7 +7397,7 @@ Secondly, the program fulfills the following for all items of:
If more than one CVSS namespace is present and the element is not clearly defined via the namespace,
this step MUST be skipped without a decision.
- *Example 4:*
+ *Example 4:*
```
xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0
@@ -7612,6 +7705,21 @@ A CSAF SBOM matching system satisfies the "CSAF SBOM matching system" conformanc
* matching that CSAF document at all
* marked with a given status
+### 9.1.18 Conformance Clause 18: CSAF 2.0 to CSAF 2.1 converter
+
+A program satisfies the "CSAF 2.0 to CSAF 2.1 converter" conformance profile if the program fulfills the following two groups of requirements:
+
+Firstly, the program:
+
+* satisfies the "CSAF producer" conformance profile.
+* takes only CSAF 2.0 documents as input.
+* additionally satisfies the normative requirements given below.
+
+Secondly, the program fulfills the following for all items of:
+
+
+> A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown.
+
-------
# Appendix A. Acknowledgments
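Review bot: the second group of requirements is empty: "Secondly, the program fulfills the following for all items of:" is followed directly by the blockquote about Markdown conversion, with no list of paths or rules. Either enumerate the conversion rules per path (the CVRF CSAF converter clause in this document does this under the same "Secondly, ... for all items of:" lead) or drop the sentence; as written, the profile is satisfied by any CSAF producer that accepts only CSAF 2.0 input. The note "A tool MAY implement options to convert other Markdown formats to GitHub-flavoured Markdown" also needs the requirement it annotates, presumably a rule that the fields listed in section 5.4 are carried over as GitHub-flavoured Markdown.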
@@ -7767,6 +7875,7 @@ All _CSAF producers_ SHOULD NOT produce CSAF documents which exceed those limits
A CSAF document in the specified JSON format encoded in UTF-8 SHOULD conform to known size limits of current technologies parsing JSON content,
e.g.: 50 MiB.
+> The CSAF documents observed in the wild expose strongly varying sizes as per the use cases they serve.
> At least one database technology in wide use for storing CSAF documents rejects insert attempts when
> the transformed BSON size exceeds 16 megabytes.
> The BSON format optimizes for accessibility and not size.
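Review bot: style: "expose strongly varying sizes as per the use cases they serve" reads awkwardly; suggest "vary strongly in size depending on the use case they serve". The added sentence is also an unsourced observation placed in front of a note that otherwise states a concrete limit (16 megabytes of BSON), so consider whether it adds information or merely softens the limit that follows.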
@@ -7940,6 +8049,7 @@ A string SHOULD NOT have a length greater than:
* `/vulnerabilities[]/remediations[]/product_ids[]`
* `/vulnerabilities[]/scores[]/cvss_v2/vectorString`
* `/vulnerabilities[]/scores[]/cvss_v3/vectorString`
+ * `/vulnerabilities[]/scores[]/cvss_v4/vectorString`
* `/vulnerabilities[]/scores[]/products[]`
* `/vulnerabilities[]/threats[]/group_ids[]`
* `/vulnerabilities[]/threats[]/product_ids[]`
@@ -8066,6 +8176,42 @@ It seems to be safe to assume that the length of each value is not greater than
* `/vulnerabilities[]/scores[]/cvss_v3/modifiedIntegrityImpact` (11)
* `/vulnerabilities[]/scores[]/cvss_v3/modifiedAvailabilityImpact` (11)
* `/vulnerabilities[]/scores[]/cvss_v3/environmentalSeverity` (8)
+* `/vulnerabilities[]/scores[]/cvss_v4/version` (3)
+* `/vulnerabilities[]/scores[]/cvss_v4/attackVector` (8)
+* `/vulnerabilities[]/scores[]/cvss_v4/attackComplexity` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/attackRequirements` (7)
+* `/vulnerabilities[]/scores[]/cvss_v4/privilegesRequired` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/userInteraction` (7)
+* `/vulnerabilities[]/scores[]/cvss_v4/vulnConfidentialityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/vulnIntegrityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/vulnAvailabilityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/subConfidentialityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/subIntegrityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/subAvailabilityImpact` (4)
+* `/vulnerabilities[]/scores[]/cvss_v4/exploitMaturity` (16)
+* `/vulnerabilities[]/scores[]/cvss_v4/confidentialityRequirement` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/integrityRequirement` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/availabilityRequirement` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedAttackVector` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedAttackComplexity` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedAttackRequirements` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedPrivilegesRequired` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedUserInteraction` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedVulnConfidentialityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedVulnIntegrityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedVulnAvailabilityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedSubConfidentialityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedSubIntegrityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/modifiedSubAvailabilityImpact` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/Safety` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/Automatable` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/Recovery` (13)
+* `/vulnerabilities[]/scores[]/cvss_v4/valueDensity` (12)
+* `/vulnerabilities[]/scores[]/cvss_v4/vulnerabilityResponseEffort` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/providerUrgency` (11)
+* `/vulnerabilities[]/scores[]/cvss_v4/baseSeverity` (8)
+* `/vulnerabilities[]/scores[]/cvss_v4/threatSeverity` (8)
+* `/vulnerabilities[]/scores[]/cvss_v4/environmentalSeverity` (8)
* `/vulnerabilities[]/threats[]/category` (14)
## C.6 Date
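Review bot: the capitalised property names `Safety`, `Automatable` and `Recovery` next to lowerCamelCase siblings such as `valueDensity` and `providerUrgency` will look like typos to readers; if this mirrors the upstream CVSS v4.0 JSON schema property names, a short remark saying that the names are taken verbatim from \[[CVSS40](#CVSS40)\] would forestall "fix" pull requests. The maximum lengths themselves are consistent with the enumerations those properties carry (for instance 16 for `PROOF_OF_CONCEPT` under `exploitMaturity`, 13 for `IRRECOVERABLE` under `Recovery`, 12 for `CONCENTRATED` under `valueDensity`).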