
We need a schema for an array of decision point downselects #595

Closed. ahouseholder opened this issue Jul 9, 2024 · 3 comments
Labels: enhancement (New feature or request)


ahouseholder commented Jul 9, 2024

Is your feature request related to a problem? Please describe.

Issue #576 describes a concern originating from cisagov/vulnrichment#40.

For their vulnrichment implementation, CISA used a fragment of a JSON format consistent with our example. However, that JSON fragment has no corresponding standalone schema, and so it's not possible to validate the fragment as is.

Further, the issue that is the subject of cisagov/vulnrichment#40 is to make the CVE ADP vulnrichment JSON blob more concise. This in turn led to #576 which puts the ball in our court.

Describe the solution you'd like

We currently do not have a schema to describe a list of decision points with values selected as a standalone object. Our existing JSON schemas are larger than that, owing to their origin in support of the SSVC calculator.

We need to have a separate schema that can handle just the selected options for a list of decision points.

The suggestion is that a new schema should be created that:

  1. Represents an array
  2. Elements of the array represent one decision point per element
  3. Each object within the array can be a decision point and a list of selected values. Note that SSVC permits multiple options to be included when some but not all options can be ruled out. This implies that the selected values list for each decision point should be an array, possibly of length 1.
  4. Decision point value selections are specific to a vulnerability, therefore the array object should indicate which vulnerability the array is relevant to (either in one place or per decision point)
  5. Decision points are versioned objects, so it is necessary for any list of decision points with values selected to also specify which version of the decision point was used.
  6. Decision points are namespaced so that we can accommodate decision points modeled on other vocabulary systems (e.g., CVSS)

So roughly, something akin to:

```json
{
  "vulnerability_id": "VU#00000",
  "selections": [
    {
      "namespace": "ssvc",
      "name": "decision point 1",
      "version": "1.0.0",
      "selected": ["yes", "maybe"]
    },
    {
      "namespace": "cvss",
      "name": "Authentication",
      "version": "2.0.0",
      "selected": ["Single"]
    },
    ...
  ]
}
```

Describe alternatives you've considered

The suggestion in cisagov/vulnrichment#40

```json
"options": [
  {
    "Exploitation": "none",
    "Automatable": "no",
    "Technical Impact": "partial"
  }
],
```

is unworkable since it does not fully identify which version or namespace of a decision point was used.

Additional context

There is additional discussion in #576 that is pertinent to this issue and a few other related items. However, we're splitting this out into a separate issue so we can address the specific use case of representing the recorded analysis of a set of SSVC decision points.
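The six requirements above, together with the objection to the flat `"options"` form, can be checked mechanically. The following Python is an added example (not code from the SSVC project or the issue author) of a structural validator for the proposed object. It does not depend on the `jsonschema` package; the registry of known decision point values, the `options_to_selections` helper and the sample documents are constructed here for illustration, and the "no duplicate decision point per document" rule is an assumption drawn from requirement 2.

```python
"""Structural checks for the proposed decision point selections object.

Added example for the schema sketched in SSVC issue #595; not project code.
"""
import re
from typing import Any

# Constructed registry of decision point values keyed by
# (namespace, name, version). Illustrative only: a real implementation
# would derive this from the published decision point definitions.
KNOWN_VALUES: dict[tuple[str, str, str], set[str]] = {
    ("ssvc", "Exploitation", "1.0.0"): {"none", "poc", "active"},
    ("ssvc", "Automatable", "2.0.0"): {"no", "yes"},
    ("ssvc", "Technical Impact", "1.0.0"): {"partial", "total"},
    ("cvss", "Authentication", "2.0.0"): {"Multiple", "Single", "None"},
}

SEMVER = re.compile(r"^\d+\.\d+\.\d+$")
REQUIRED_KEYS = ("namespace", "name", "version", "selected")


def validate_selection(sel: Any, idx: int) -> list[str]:
    """Check one element of the selections array; return a list of problems."""
    where = f"selections[{idx}]"
    if not isinstance(sel, dict):
        return [f"{where}: expected an object"]
    # Requirements 5 and 6: version and namespace are mandatory, not optional.
    errs = [f"{where}: missing '{k}'" for k in REQUIRED_KEYS if k not in sel]
    if errs:
        return errs
    for k in ("namespace", "name", "version"):
        if not isinstance(sel[k], str) or not sel[k]:
            errs.append(f"{where}.{k}: expected a non-empty string")
    if isinstance(sel["version"], str) and not SEMVER.match(sel["version"]):
        errs.append(f"{where}.version: expected MAJOR.MINOR.PATCH")
    selected = sel["selected"]
    # Requirement 3: an array, possibly of length 1, never empty, no repeats.
    if not isinstance(selected, list) or not selected:
        errs.append(f"{where}.selected: expected a non-empty array")
    elif not all(isinstance(v, str) for v in selected):
        errs.append(f"{where}.selected: values must be strings")
    elif len(set(selected)) != len(selected):
        errs.append(f"{where}.selected: duplicate values")
    if errs:
        return errs
    # With the triple identifying the vocabulary, values can be checked against
    # the registry; unknown triples are accepted (values cannot be verified).
    key = (sel["namespace"], sel["name"], sel["version"])
    known = KNOWN_VALUES.get(key)
    if known is not None:
        unknown = sorted(set(selected) - known)
        if unknown:
            errs.append(f"{where}.selected: unknown values {unknown} for {key}")
    return errs


def validate_document(doc: Any) -> list[str]:
    """Check a whole selections document; an empty list means it is valid."""
    if not isinstance(doc, dict):
        return ["document: expected an object"]
    errs: list[str] = []
    # Requirement 4: the selections are tied to one vulnerability.
    vid = doc.get("vulnerability_id")
    if not isinstance(vid, str) or not vid:
        errs.append("vulnerability_id: expected a non-empty string")
    # Requirements 1 and 2: an array with one decision point per element.
    sels = doc.get("selections")
    if not isinstance(sels, list) or not sels:
        errs.append("selections: expected a non-empty array")
        return errs
    for i, sel in enumerate(sels):
        errs.extend(validate_selection(sel, i))
    # Assumption: the same decision point must not appear twice in one document.
    seen: set[tuple] = set()
    for sel in sels:
        if isinstance(sel, dict):
            key = (sel.get("namespace"), sel.get("name"), sel.get("version"))
            if key in seen:
                errs.append(f"selections: duplicate decision point {key}")
            seen.add(key)
    return errs


def options_to_selections(options: dict[str, str]) -> list[dict]:
    """Lift the flat vulnrichment {name: value} form into the array form.

    Namespace and version are absent from the flat form, so they cannot be
    filled in; the result is expected to fail validation for that reason.
    """
    return [{"name": name, "selected": [value]} for name, value in options.items()]


# Constructed sample in the proposed shape (the VU# placeholder is from the issue).
PROPOSED = {
    "vulnerability_id": "VU#00000",
    "selections": [
        {"namespace": "ssvc", "name": "Exploitation", "version": "1.0.0", "selected": ["none"]},
        {"namespace": "ssvc", "name": "Automatable", "version": "2.0.0", "selected": ["no"]},
        {"namespace": "cvss", "name": "Authentication", "version": "2.0.0",
         "selected": ["Single", "Multiple"]},  # two values: "None" was ruled out
    ],
}

# The flat "options" shape quoted from cisagov/vulnrichment#40.
OPTIONS_ONLY = {"Exploitation": "none", "Automatable": "no", "Technical Impact": "partial"}

if __name__ == "__main__":
    print("proposed:", validate_document(PROPOSED) or "valid")
    flat = {"vulnerability_id": "VU#00000", "selections": options_to_selections(OPTIONS_ONLY)}
    print("flat options:", validate_document(flat))
```

Running the module shows the proposed document passing and the flat `"options"` form failing with a missing `namespace` and `version` for each decision point, which is exactly the objection raised in this issue: a consumer cannot tell which vocabulary the value `"partial"` belongs to without the triple.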

ahouseholder (Contributor, Author) commented:

Noting for posterity that this issue is part of breaking up #588 into more manageable chunks, so there's already some relevant work in progress there that should be split into a smaller PR for this particular issue.

ahouseholder (Contributor, Author) commented:

Relevant prior discussion:

ahouseholder added this to the 3Q24 milestone Nov 15, 2024