Create a Requirements/Prerequisites Association for Vulnerabilities

[andrewbwm]

Create a Requirements/Prerequisites association between SoftwareVulnerabilities and Data, Information, Application, or any other asset that could fit the concept. The attacker would have to compromise these assets before they are able to attempt to abuse the SoftwareVulnerabilities. The compromise would have to be asset specific FullAccess for Applications and Write for Data/Information might be good candidates.

While some SoftwareVulnerabilities would still have some more nuanced or specific requirements that the coarse design outlined above, but the change would still significantly increase the modelling capabilities of the language.

Something similar could be done for HardwareVulnerabilities if deemed relevant.

[andrewbwm]

Update regarding the new CVSS v4.0 Vulnerability Score(https://www.first.org/cvss/v4.0/specification-document):

1. They sort of took out the special conditions(race conditions or other timing related things) out of Attack Complexity and it is now a separate score called Attack Requirements. We had some debates regarding how to interpret attack complexity early on.

2. They have three values for User Interaction - None, Passive, Active. This is also something that we had issues with, that's why now vulnerabilities come with inherent user interaction. So, we were sort of ahead of them with this one.

3. The scope change score is gone. They now have two separate sets of impact metrics. One set for the vulnerable system and one set for "subsequent systems". And I think this is cleaner and easier for us to work with if we create requirements and/or non-vulnerable targets for vulnerabilities. I quite like their approach and I think we could come up with a nice way to implement this in coreLang 1.1(1.2 or 2.0). Just a note, this would really make a relatively complex system even more complex, but I'd argue it might be worth it.