feat(spec1-5): add support for CVSSv4 scoring method

Signed-off-by: nscuro <nscuro@protonmail.com>

convert.go

@@ -77,11 +77,7 @@ func (b *BOM) convert(specVersion SpecVersion) {
 	}
 
 	if b.Vulnerabilities != nil {
-		for i := range *b.Vulnerabilities {
-			if specVersion < SpecVersion1_5 {
-				(*b.Vulnerabilities)[i].Rejected = ""
-			}
-		}
+		convertVulnerabilities(b.Vulnerabilities, specVersion)
 	}
 
 	if b.ExternalReferences != nil {
@@ -213,6 +209,29 @@ func convertLicenses(licenses *Licenses, specVersion SpecVersion) {
 	}
 }
 
+func convertVulnerabilities(vulns *[]Vulnerability, specVersion SpecVersion) {
+	if vulns == nil {
+		return
+	}
+
+	for i := range *vulns {
+		vuln := &(*vulns)[i]
+
+		if specVersion < SpecVersion1_5 {
+			vuln.Rejected = ""
+		}
+
+		if vuln.Ratings != nil {
+			for j := range *vuln.Ratings {
+				rating := &(*vuln.Ratings)[j]
+				if !specVersion.supportsScoringMethod(rating.Method) {
+					rating.Method = ScoringMethodOther
+				}
+			}
+		}
+	}
+}
+
 // serviceConverter modifies a Service such that it adheres to a given SpecVersion.
 func serviceConverter(specVersion SpecVersion) func(*Service) {
 	return func(s *Service) {
@@ -335,3 +354,14 @@ func (sv SpecVersion) supportsScope(scope Scope) bool {
 
 	return false
 }
+
+func (sv SpecVersion) supportsScoringMethod(method ScoringMethod) bool {
+	switch method {
+	case ScoringMethodCVSSv2, ScoringMethodCVSSv3, ScoringMethodCVSSv31, ScoringMethodOWASP, ScoringMethodOther:
+		return sv >= SpecVersion1_4
+	case ScoringMethodCVSSv4:
+		return sv >= SpecVersion1_5
+	}
+
+	return false
+}

cyclonedx.go

@@ -446,6 +446,7 @@ const (
 	ScoringMethodCVSSv2  ScoringMethod = "CVSSv2"
 	ScoringMethodCVSSv3  ScoringMethod = "CVSSv3"
 	ScoringMethodCVSSv31 ScoringMethod = "CVSSv31"
+	ScoringMethodCVSSv4  ScoringMethod = "CVSSv4"
 	ScoringMethodOWASP   ScoringMethod = "OWASP"
 )