cvss-suite 1.1.1 → 1.2.3

data/cvss_suite.gemspec

@@ -9,7 +9,8 @@
 # See the LICENSE.md file in the top-level directory.
 
 # coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
+
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'cvss_suite/version'
 
@@ -17,23 +18,25 @@ Gem::Specification.new do |spec|
   spec.name          = 'cvss-suite'
   spec.version       = CvssSuite::VERSION
   spec.license       = 'MIT'
-  spec.authors       = ["Oliver Hamboerger"]
-  spec.email         = ["oliver.hamboerger@siemens.com"]
+  spec.authors       = ['Oliver Hamboerger']
+  spec.email         = ['oliver.hamboerger@siemens.com']
+
+  spec.summary       = 'Ruby gem for processing cvss vectors.'
+  spec.description   = 'This Ruby gem helps you to process the vector of the Common Vulnerability Scoring System (https://www.first.org/cvss/specification-document).
+Besides calculating the Base, Temporal and Environmental Score, you are able to extract the selected option.'
+  spec.homepage      = 'https://siemens.github.io/cvss-suite/'
 
-  spec.summary       = %q{Ruby gem for processing cvss vectors.}
-  spec.description   = %q{This Ruby gem helps you to process the vector of the Common Vulnerability Scoring System (https://www.first.org/cvss/specification-document).
-Besides calculating the Base, Temporal and Environmental Score, you are able to extract the selected option.}
-  spec.homepage      = "https://siemens.github.io/cvss-suite/"
+  spec.post_install_message = 'Version 1.x of this gem is no longer supported, please update to a supported version.'
 
+  spec.required_ruby_version = '>= 2.0.0'
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
 
-  spec.add_development_dependency "bundler", "~> 1.10"
-  spec.add_development_dependency "rspec", "~> 3.4"
-  spec.add_development_dependency "rspec-its", "~> 1.2"
-  spec.add_development_dependency "rdoc", "~> 4.2"
-  spec.add_development_dependency "simplecov", "~> 0.11.2"
+  spec.add_development_dependency 'bundler', '>= 1.10'
+  spec.add_development_dependency 'rspec', '~> 3.4'
+  spec.add_development_dependency 'rspec-its', '~> 1.2'
+  spec.add_development_dependency 'simplecov', '~> 0.11'
 end

data/lib/cvss_suite.rb

@@ -10,8 +10,8 @@
 
 require 'cvss_suite/cvss2/cvss2'
 require 'cvss_suite/cvss3/cvss3'
+require 'cvss_suite/cvss31/cvss31'
 require 'cvss_suite/version'
-require 'cvss_suite/helpers/extensions'
 require 'cvss_suite/errors'
 require 'cvss_suite/invalid_cvss'
 
@@ -19,19 +19,27 @@ require 'cvss_suite/invalid_cvss'
 # Module of this gem.
 
 module CvssSuite
-  CVSS_VECTOR_BEGINNINGS = [{:string => 'AV:', :version => 2}, {:string => 'CVSS:3.0/', :version => 3}]
+  CVSS_VECTOR_BEGINNINGS = [
+    { string: 'AV:', version: 2 },
+    { string: '(AV:', version: 2 },
+    { string: 'CVSS:3.0/', version: 3.0 },
+    { string: 'CVSS:3.1/', version: 3.1 }
+  ]
 
   ##
   # Returns a CVSS class by a +vector+.
 
   def self.new(vector)
     return InvalidCvss.new unless vector.is_a? String
+
     @vector_string = vector
     case version
     when 2
-      Cvss2.new(@vector_string, version)
-    when 3
-      Cvss3.new(@vector_string, version)
+      Cvss2.new(@vector_string)
+    when 3.0
+      Cvss3.new(@vector_string)
+    when 3.1
+      Cvss31.new(@vector_string)
     else
       InvalidCvss.new
     end
@@ -46,5 +54,4 @@ module CvssSuite
       end
     end
   end
-
 end

data/lib/cvss_suite/cvss.rb

@@ -11,92 +11,122 @@
 ##
 # This class represents any CVSS vector. Do not instantiate this class!
 
-class Cvss
+module CvssSuite
+  class Cvss
+    ##
+    # Metric of a CVSS vector.
 
-  ##
-  # Metric of a CVSS vector.
+    attr_reader :base, :temporal, :environmental
 
-  attr_reader :base, :temporal, :environmental
+    ##
+    # Returns the vector itself.
 
-  ##
-  # Returns version of current CVSS vector.
+    attr_reader :vector
 
-  attr_reader :version
+    ##
+    # Creates a new CVSS vector by a +vector+.
+    #
+    # Raises an exception if it is called on Cvss class.
 
-  ##
-  # Returns the vector itself.
+    def initialize(vector)
+      raise CvssSuite::Errors::InvalidParentClass, 'Do not instantiate this class!' if self.class == Cvss
 
-  attr_reader :vector
-
-  ##
-  # Creates a new CVSS vector by a +vector+ and a +version+.
-  #
-  # Raises an exception if it is called on Cvss class.
-
-  def initialize(vector, version)
-    raise CvssSuite::Errors::InvalidParentClass, 'Do not instantiate this class!' if self.class == Cvss
-    @version = version
-    @vector = vector
-    @properties = []
-    extract_metrics
-    init_metrics
-  end
+      @vector = vector
+      @properties = []
+      extract_metrics
+      init_metrics
+    end
 
-  ##
-  # Returns if CVSS vector is valid.
+    ##
+    # Returns if CVSS vector is valid.
 
-  def valid?
-    if @amount_of_properties == required_amount_of_properties
+    def valid?
+      if @amount_of_properties == required_amount_of_properties
         base = @base.valid?
         temporal = @base.valid? && @temporal.valid?
         environmental = @base.valid? && @environmental.valid?
         full = @base.valid? && @temporal.valid? && @environmental.valid?
         base || temporal || environmental || full
-    else
-      false
+      else
+        false
+      end
     end
-  end
 
-  ##
-  # Returns the Overall Score of the CVSS vector.
+    ##
+    # Returns the severity of the CVSS vector.
+
+    def severity
+      check_validity
+
+      score = overall_score
+
+      if score == 0.0
+        'None'
+      elsif (0.1..3.9).include? score
+        'Low'
+      elsif (4.0..6.9).include? score
+        'Medium'
+      elsif (7.0..8.9).include? score
+        'High'
+      elsif (9.0..10.0).include? score
+        'Critical'
+      else
+        'None'
+      end
+    end
 
-  def overall_score
-    check_validity
-    return temporal_score if @temporal.valid? && !@environmental.valid?
-    return environmental_score if @environmental.valid?
-    base_score
-  end
+    ##
+    # Returns the Overall Score of the CVSS vector.
 
-  private
+    def overall_score
+      check_validity
+      return temporal_score if @temporal.valid? && !@environmental.valid?
+      return environmental_score if @environmental.valid?
 
-  def extract_metrics
-    properties = prepared_vector.split('/')
-    @amount_of_properties = properties.size
-    properties.each_with_index do |property, index|
-      property = property.split(':')
-      @properties.push({ name: property[0], selected: property[1], position: index })
+      base_score
     end
-  end
 
-  def check_validity
-    raise CvssSuite::Errors::InvalidVector, 'Vector is not valid!' unless valid?
-  end
+    private
 
-  def prepared_vector
-    start_of_vector = @vector.index('AV')
+    def extract_metrics
+      properties = prepared_vector.split('/')
+      @amount_of_properties = properties.size
+      properties.each_with_index do |property, index|
+        property = property.split(':')
+        @properties.push({ name: property[0], selected: property[1], position: index })
+      end
+    end
 
-    if start_of_vector.nil?
-      String.new
-    else
-      @vector[start_of_vector..-1]
+    def check_validity
+      raise CvssSuite::Errors::InvalidVector, 'Vector is not valid!' unless valid?
     end
-  end
 
-  def required_amount_of_properties
-    total = @base.count if @base.valid?
-    total += @temporal.count if @temporal.valid?
-    total += @environmental.count if @environmental.valid?
-    total ||= 0
-  end
+    def prepared_vector
+      start_of_vector = @vector.index('AV')
+
+      if start_of_vector.nil?
+        ''
+      else
+        if start_of_vector == 1
+          matchArray =  @vector.scan(/\((?>[^)(]+|\g<0>)*\)/)
+          if matchArray.length == 1 && matchArray[0] == @vector
+            @vector.slice!(0)
+            @vector.slice!(@vector.length - 1)
+            @vector
+          else
+              ''
+          end
+        else          
+          @vector[start_of_vector..-1]
+        end
+      end
+    end
 
-end
+    def required_amount_of_properties
+      total = @base.count if @base.valid?
+      total += @temporal.count if @temporal.valid?
+      total += @environmental.count if @environmental.valid?
+      total ||= 0
+    end
+  end
+end

data/lib/cvss_suite/cvss2/cvss2.rb

@@ -8,7 +8,7 @@
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.
 
-require_relative '../../../lib/cvss_suite/cvss'
+require_relative '../cvss'
 require_relative 'cvss2_base'
 require_relative 'cvss2_temporal'
 require_relative 'cvss2_environmental'
@@ -16,37 +16,63 @@ require_relative 'cvss2_environmental'
 ##
 # This class represents a CVSS vector in version 2.
 
-class Cvss2 < Cvss
+module CvssSuite
+  class Cvss2 < Cvss
+    ##
+    # Returns the Version of the CVSS vector.
 
-  ##
-  # Returns the Base Score of the CVSS vector.
+    def version
+      2
+    end
 
-  def base_score
-    check_validity
-    @base.score.round(1)
-  end
+    # Returns the severity of the CVSSv2 vector.
+    # https://nvd.nist.gov/vuln-metrics/cvss
+    def severity
+      check_validity
 
-  ##
-  # Returns the Temporal Score of the CVSS vector.
+      score = overall_score
 
-  def temporal_score
-    (base_score * @temporal.score).round(1)
-  end
+      if (0.0..3.9).include? score
+        'Low'
+      elsif (4.0..6.9).include? score
+        'Medium'
+      elsif (7.0..10.0).include? score
+        'High'
+      else
+        'None'
+      end
+    end
 
-  ##
-  # Returns the Environmental Score of the CVSS vector.
+    ##
+    # Returns the Base Score of the CVSS vector.
 
-  def environmental_score
-    return temporal_score unless @environmental.valid?
-    (@environmental.score @base, @temporal.score).round(1)
-  end
+    def base_score
+      check_validity
+      @base.score.round(1)
+    end
 
-  private
+    ##
+    # Returns the Temporal Score of the CVSS vector.
 
-  def init_metrics
-    @base = Cvss2Base.new(@properties)
-    @temporal = Cvss2Temporal.new(@properties)
-    @environmental = Cvss2Environmental.new(@properties)
-  end
+    def temporal_score
+      (base_score * @temporal.score).round(1)
+    end
+
+    ##
+    # Returns the Environmental Score of the CVSS vector.
 
-end
+    def environmental_score
+      return temporal_score unless @environmental.valid?
+
+      (@environmental.score @base, @temporal.score).round(1)
+    end
+
+    private
+
+    def init_metrics
+      @base = Cvss2Base.new(@properties)
+      @temporal = Cvss2Temporal.new(@properties)
+      @environmental = Cvss2Environmental.new(@properties)
+    end
+  end
+end

data/lib/cvss_suite/cvss2/cvss2_base.rb

@@ -14,78 +14,75 @@ require_relative '../cvss_metric'
 ##
 # This class represents a CVSS Base metric in version 2.
 
-class Cvss2Base < CvssMetric
-
-  ##
-  # Property of this metric
-
-  attr_reader :access_vector, :access_complexity, :authentication,
-              :confidentiality_impact, :integrity_impact, :availability_impact
-
-  ##
-  # Returns the base score of the CVSS vector. The calculation is based on formula version 2.10 .
-  # See CVSS documentation for further information https://www.first.org/cvss/v2/guide#i3.2.1 .
-  #
-  # Takes +Security+ +Requirement+ +Impacts+ for calculating environmental score.
-
-  def score(sr_cr_score = 1, sr_ir_score = 1, sr_ar_score = 1)
-
-    impact = calc_impact sr_cr_score, sr_ir_score, sr_ar_score
-
-    exploitability = calc_exploitability
-
-    additional_impact = (impact == 0 ? 0 : 1.176)
-
-    ((0.6 * impact) + (0.4 * exploitability) - 1.5) * additional_impact
-
+module CvssSuite
+  class Cvss2Base < CvssMetric
+    ##
+    # Property of this metric
+
+    attr_reader :access_vector, :access_complexity, :authentication,
+                :confidentiality_impact, :integrity_impact, :availability_impact
+
+    ##
+    # Returns the base score of the CVSS vector. The calculation is based on formula version 2.10 .
+    # See CVSS documentation for further information https://www.first.org/cvss/v2/guide#i3.2.1 .
+    #
+    # Takes +Security+ +Requirement+ +Impacts+ for calculating environmental score.
+
+    def score(sr_cr_score = 1, sr_ir_score = 1, sr_ar_score = 1)
+      impact = calc_impact(sr_cr_score, sr_ir_score, sr_ar_score)
+
+      exploitability = calc_exploitability
+
+      additional_impact = (impact == 0 ? 0 : 1.176)
+
+      ((0.6 * impact) + (0.4 * exploitability) - 1.5) * additional_impact
+    end
+
+    private
+
+    def init_properties
+      @properties.push(@access_vector =
+                         CvssProperty.new(name: 'Access Vector', abbreviation: 'AV', position: [0],
+                                          choices: [{ name: 'Network', abbreviation: 'N', weight: 1.0 },
+                                                    { name: 'Adjacent Network', abbreviation: 'A', weight: 0.646 },
+                                                    { name: 'Local', abbreviation: 'L', weight: 0.395 }]))
+      @properties.push(@access_complexity =
+                         CvssProperty.new(name: 'Access Complexity', abbreviation: 'AC', position: [1],
+                                          choices: [{ name: 'Low', abbreviation: 'L', weight: 0.71 },
+                                                    { name: 'Medium', abbreviation: 'M', weight: 0.61 },
+                                                    { name: 'High', abbreviation: 'H', weight: 0.35 }]))
+      @properties.push(@authentication =
+                         CvssProperty.new(name: 'Authentication', abbreviation: 'Au', position: [2],
+                                          choices: [{ name: 'None', abbreviation: 'N', weight: 0.704 },
+                                                    { name: 'Single', abbreviation: 'S', weight: 0.56 },
+                                                    { name: 'Multiple', abbreviation: 'M', weight: 0.45 }]))
+      @properties.push(@confidentiality_impact =
+                         CvssProperty.new(name: 'Confidentiality Impact', abbreviation: 'C', position: [3],
+                                          choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
+                                                    { name: 'Partial', abbreviation: 'P', weight: 0.275 },
+                                                    { name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
+      @properties.push(@integrity_impact =
+                         CvssProperty.new(name: 'Integrity Impact', abbreviation: 'I', position: [4],
+                                          choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
+                                                    { name: 'Partial', abbreviation: 'P', weight: 0.275 },
+                                                    { name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
+      @properties.push(@availability_impact =
+                         CvssProperty.new(name: 'Availability Impact', abbreviation: 'A', position: [5],
+                                          choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
+                                                    { name: 'Partial', abbreviation: 'P', weight: 0.275 },
+                                                    { name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
+    end
+
+    def calc_impact(sr_cr_score, sr_ir_score, sr_ar_score)
+      confidentiality_score = 1 - @confidentiality_impact.score * sr_cr_score
+      integrity_score = 1 - @integrity_impact.score * sr_ir_score
+      availability_score = 1 - @availability_impact.score * sr_ar_score
+
+      [10, 10.41 * (1 - confidentiality_score * integrity_score * availability_score)].min
+    end
+
+    def calc_exploitability
+      20 * @access_vector.score * @access_complexity.score * @authentication.score
+    end
   end
-
-  private
-
-  def init_properties
-    @properties.push(@access_vector =
-                      CvssProperty.new(name: 'Access Vector', abbreviation: 'AV', position: [0],
-                                       choices: [{ name: 'Network', abbreviation: 'N', weight: 1.0 },
-                                                 { name: 'Adjacent Network', abbreviation: 'A', weight: 0.646 },
-                                                 { name: 'Local', abbreviation: 'L', weight: 0.395 }]))
-    @properties.push(@access_complexity =
-                      CvssProperty.new(name: 'Access Complexity', abbreviation: 'AC', position: [1],
-                                       choices: [{ name: 'Low', abbreviation: 'L', weight: 0.71 },
-                                                 { name: 'Medium', abbreviation: 'M', weight: 0.61 },
-                                                 { name: 'High', abbreviation: 'H', weight: 0.35 }]))
-    @properties.push(@authentication =
-                      CvssProperty.new(name: 'Authentication', abbreviation: 'Au', position: [2],
-                                       choices: [{ name: 'None', abbreviation: 'N', weight: 0.704 },
-                                                 { name: 'Single', abbreviation: 'S', weight: 0.56 },
-                                                 { name: 'Multiple', abbreviation: 'M', weight: 0.45 }]))
-    @properties.push(@confidentiality_impact =
-                      CvssProperty.new(name: 'Confidentiality Impact', abbreviation: 'C', position: [3],
-                                       choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
-                                                 { name: 'Partial', abbreviation: 'P', weight: 0.275 },
-                                                 { name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
-    @properties.push(@integrity_impact =
-                      CvssProperty.new(name: 'Integrity Impact', abbreviation: 'I', position: [4],
-                                       choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
-                                                 { name: 'Partial', abbreviation: 'P', weight: 0.275 },
-                                                 { name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
-    @properties.push(@availability_impact =
-                      CvssProperty.new(name: 'Availability Impact', abbreviation: 'A', position: [5],
-                                       choices: [{ name: 'None', abbreviation: 'N', weight: 0.0},
-                                                 { name: 'Partial', abbreviation: 'P', weight: 0.275},
-                                                 { name: 'Complete', abbreviation: 'C', weight: 0.66}]))
-  end
-
-  def calc_impact(sr_cr_score, sr_ir_score, sr_ar_score)
-    confidentiality_score = 1 - @confidentiality_impact.score * sr_cr_score
-    integrity_score = 1 - @integrity_impact.score * sr_ir_score
-    availability_score = 1 - @availability_impact.score * sr_ar_score
-
-    [10, 10.41 * (1-confidentiality_score*integrity_score*availability_score)].min
-  end
-
-  def calc_exploitability
-    20 * @access_vector.score * @access_complexity.score * @authentication.score
-  end
-
 end
-