cvss-suite 1.1.1 → 2.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/.github/ISSUE_TEMPLATE/bug_report.md +21 -0
- data/.github/ISSUE_TEMPLATE/custom.md +7 -0
- data/.github/ISSUE_TEMPLATE/feature_request.md +17 -0
- data/.github/workflows/rspec.yml +23 -0
- data/.github/workflows/rubocop.yml +21 -0
- data/.gitignore +1 -0
- data/.rubocop.yml +45 -1
- data/.rubocop_todo.yml +59 -0
- data/CHANGES.md +61 -1
- data/PULL_REQUEST_TEMPLATE.md +24 -0
- data/README.md +43 -16
- data/_config.yml +1 -0
- data/bin/console +3 -3
- data/cvss_suite.gemspec +14 -13
- data/lib/cvss_suite.rb +13 -11
- data/lib/cvss_suite/cvss.rb +85 -73
- data/lib/cvss_suite/cvss2/cvss2.rb +39 -36
- data/lib/cvss_suite/cvss2/cvss2_base.rb +69 -75
- data/lib/cvss_suite/cvss2/cvss2_environmental.rb +52 -54
- data/lib/cvss_suite/cvss2/cvss2_temporal.rb +40 -41
- data/lib/cvss_suite/cvss3/cvss3.rb +39 -36
- data/lib/cvss_suite/cvss3/cvss3_base.rb +72 -75
- data/lib/cvss_suite/cvss3/cvss3_environmental.rb +159 -109
- data/lib/cvss_suite/cvss3/cvss3_temporal.rb +41 -42
- data/lib/cvss_suite/cvss31/cvss31.rb +60 -0
- data/lib/cvss_suite/cvss31/cvss31_base.rb +93 -0
- data/lib/cvss_suite/cvss31/cvss31_environmental.rb +194 -0
- data/lib/cvss_suite/cvss31/cvss31_temporal.rb +56 -0
- data/lib/cvss_suite/cvss_metric.rb +31 -35
- data/lib/cvss_suite/cvss_property.rb +57 -56
- data/lib/cvss_suite/helpers/cvss31_helper.rb +27 -0
- data/lib/cvss_suite/helpers/cvss3_helper.rb +21 -15
- data/lib/cvss_suite/invalid_cvss.rb +37 -45
- data/lib/cvss_suite/version.rb +2 -2
- metadata +21 -25
- data/.travis.yml +0 -4
- data/lib/cvss_suite/helpers/extensions.rb +0 -32
@@ -11,64 +11,62 @@
|
|
11
11
|
require_relative '../cvss_property'
|
12
12
|
require_relative '../cvss_metric'
|
13
13
|
|
14
|
-
|
15
|
-
# This class represents a CVSS Environmental metric in version 2.
|
16
|
-
|
17
|
-
class Cvss2Environmental < CvssMetric
|
18
|
-
|
19
|
-
##
|
20
|
-
# Property of this metric
|
21
|
-
|
22
|
-
attr_reader :collateral_damage_potential, :target_distribution, :security_requirements_cr,
|
23
|
-
:security_requirements_ir, :security_requirements_ar
|
24
|
-
|
14
|
+
module CvssSuite
|
25
15
|
##
|
26
|
-
#
|
27
|
-
|
28
|
-
|
29
|
-
|
16
|
+
# This class represents a CVSS Environmental metric in version 2.
|
17
|
+
class Cvss2Environmental < CvssMetric
|
18
|
+
##
|
19
|
+
# Property of this metric
|
20
|
+
attr_reader :collateral_damage_potential, :target_distribution, :security_requirements_cr,
|
21
|
+
:security_requirements_ir, :security_requirements_ar
|
30
22
|
|
31
|
-
|
32
|
-
|
23
|
+
##
|
24
|
+
# Returns score of this metric
|
25
|
+
def score(base, temporal_score)
|
26
|
+
base_score = base.score(@security_requirements_cr.score,
|
27
|
+
@security_requirements_ir.score,
|
28
|
+
@security_requirements_ar.score).round(1)
|
33
29
|
|
34
|
-
|
30
|
+
adjusted_temporal = (base_score * temporal_score).round(1)
|
31
|
+
(adjusted_temporal + (10 - adjusted_temporal) * @collateral_damage_potential.score) * @target_distribution.score
|
32
|
+
end
|
35
33
|
|
36
|
-
|
34
|
+
private
|
37
35
|
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
36
|
+
def init_properties
|
37
|
+
@properties.push(@collateral_damage_potential =
|
38
|
+
CvssProperty.new(name: 'Collateral Damage Potential', abbreviation: 'CDP', position: [6, 9],
|
39
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
40
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.1 },
|
41
|
+
{ name: 'Low-Medium', abbreviation: 'LM', weight: 0.3 },
|
42
|
+
{ name: 'Medium-High', abbreviation: 'MH', weight: 0.4 },
|
43
|
+
{ name: 'High', abbreviation: 'H', weight: 0.5 },
|
44
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 0.0 }]))
|
45
|
+
@properties.push(@target_distribution =
|
46
|
+
CvssProperty.new(name: 'Target Distribution', abbreviation: 'TD', position: [7, 10],
|
47
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
48
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.25 },
|
49
|
+
{ name: 'Medium', abbreviation: 'M', weight: 0.75 },
|
50
|
+
{ name: 'High', abbreviation: 'H', weight: 1.0 },
|
51
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
52
|
+
@properties.push(@security_requirements_cr =
|
53
|
+
CvssProperty.new(name: 'Confidentiality Requirement', abbreviation: 'CR', position: [8, 11],
|
54
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
55
|
+
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
56
|
+
{ name: 'High', abbreviation: 'H', weight: 1.51 },
|
57
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
58
|
+
@properties.push(@security_requirements_ir =
|
59
|
+
CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
|
60
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
61
|
+
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
62
|
+
{ name: 'High', abbreviation: 'H', weight: 1.51 },
|
63
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
64
|
+
@properties.push(@security_requirements_ar =
|
65
|
+
CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
|
66
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
67
|
+
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
68
|
+
{ name: 'High', abbreviation: 'H', weight: 1.51 },
|
69
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
70
|
+
end
|
72
71
|
end
|
73
72
|
end
|
74
|
-
|
@@ -11,47 +11,46 @@
|
|
11
11
|
require_relative '../cvss_property'
|
12
12
|
require_relative '../cvss_metric'
|
13
13
|
|
14
|
-
|
15
|
-
# This class represents a CVSS Temporal metric in version 2.
|
16
|
-
|
17
|
-
class Cvss2Temporal < CvssMetric
|
18
|
-
|
19
|
-
##
|
20
|
-
# Property of this metric
|
21
|
-
|
22
|
-
attr_reader :exploitability, :remediation_level, :report_confidence
|
23
|
-
|
14
|
+
module CvssSuite
|
24
15
|
##
|
25
|
-
#
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
16
|
+
# This class represents a CVSS Temporal metric in version 2.
|
17
|
+
class Cvss2Temporal < CvssMetric
|
18
|
+
##
|
19
|
+
# Property of this metric
|
20
|
+
attr_reader :exploitability, :remediation_level, :report_confidence
|
21
|
+
|
22
|
+
##
|
23
|
+
# Returns score of this metric
|
24
|
+
def score
|
25
|
+
return 1 unless valid?
|
26
|
+
|
27
|
+
@exploitability.score * @remediation_level.score * @report_confidence.score
|
28
|
+
end
|
29
|
+
|
30
|
+
private
|
31
|
+
|
32
|
+
def init_properties
|
33
|
+
@properties.push(@exploitability =
|
34
|
+
CvssProperty.new(name: 'Exploitability', abbreviation: 'E', position: [6],
|
35
|
+
values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
|
36
|
+
{ name: 'Unproven', abbreviation: 'U', weight: 0.85 },
|
37
|
+
{ name: 'Proof-of-Concept', abbreviation: 'POC', weight: 0.9 },
|
38
|
+
{ name: 'Functional', abbreviation: 'F', weight: 0.95 },
|
39
|
+
{ name: 'High', abbreviation: 'H', weight: 1 }]))
|
40
|
+
@properties.push(@remediation_level =
|
41
|
+
CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [7],
|
42
|
+
values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
|
43
|
+
{ name: 'Official Fix', abbreviation: 'OF', weight: 0.87 },
|
44
|
+
{ name: 'Temporary Fix', abbreviation: 'TF', weight: 0.9 },
|
45
|
+
{ name: 'Workaround', abbreviation: 'W', weight: 0.95 },
|
46
|
+
{ name: 'Unavailable', abbreviation: 'U', weight: 1 }]))
|
47
|
+
|
48
|
+
@properties.push(@report_confidence =
|
49
|
+
CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [8],
|
50
|
+
values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
|
51
|
+
{ name: 'Unconfirmed', abbreviation: 'UC', weight: 0.9 },
|
52
|
+
{ name: 'Uncorroborated', abbreviation: 'UR', weight: 0.95 },
|
53
|
+
{ name: 'Confirmed', abbreviation: 'C', weight: 1 }]))
|
54
|
+
end
|
56
55
|
end
|
57
56
|
end
|
@@ -8,45 +8,48 @@
|
|
8
8
|
# This work is licensed under the terms of the MIT license.
|
9
9
|
# See the LICENSE.md file in the top-level directory.
|
10
10
|
|
11
|
-
require_relative '
|
11
|
+
require_relative '../cvss'
|
12
12
|
require_relative 'cvss3_base'
|
13
13
|
require_relative 'cvss3_temporal'
|
14
14
|
require_relative 'cvss3_environmental'
|
15
15
|
|
16
|
-
|
17
|
-
# This class represents a CVSS vector in version 3.0.
|
18
|
-
|
19
|
-
class Cvss3 < Cvss
|
20
|
-
|
21
|
-
##
|
22
|
-
# Returns the Base Score of the CVSS vector.
|
23
|
-
|
24
|
-
def base_score
|
25
|
-
check_validity
|
26
|
-
@base.score.round_up(1)
|
27
|
-
end
|
28
|
-
|
16
|
+
module CvssSuite
|
29
17
|
##
|
30
|
-
#
|
31
|
-
|
32
|
-
|
33
|
-
|
18
|
+
# This class represents a CVSS vector in version 3.0.
|
19
|
+
class Cvss3 < Cvss
|
20
|
+
##
|
21
|
+
# Returns the Version of the CVSS vector.
|
22
|
+
def version
|
23
|
+
3.0
|
24
|
+
end
|
25
|
+
|
26
|
+
##
|
27
|
+
# Returns the Base Score of the CVSS vector.
|
28
|
+
def base_score
|
29
|
+
check_validity
|
30
|
+
Cvss3Helper.round_up(@base.score)
|
31
|
+
end
|
32
|
+
|
33
|
+
##
|
34
|
+
# Returns the Temporal Score of the CVSS vector.
|
35
|
+
def temporal_score
|
36
|
+
Cvss3Helper.round_up(Cvss3Helper.round_up(@base.score) * @temporal.score)
|
37
|
+
end
|
38
|
+
|
39
|
+
##
|
40
|
+
# Returns the Environmental Score of the CVSS vector.
|
41
|
+
def environmental_score
|
42
|
+
return temporal_score unless @environmental.valid?
|
43
|
+
|
44
|
+
Cvss3Helper.round_up(@environmental.score(@base, @temporal))
|
45
|
+
end
|
46
|
+
|
47
|
+
private
|
48
|
+
|
49
|
+
def init_metrics
|
50
|
+
@base = Cvss3Base.new(@properties)
|
51
|
+
@temporal = Cvss3Temporal.new(@properties)
|
52
|
+
@environmental = Cvss3Environmental.new(@properties)
|
53
|
+
end
|
34
54
|
end
|
35
|
-
|
36
|
-
##
|
37
|
-
# Returns the Environmental Score of the CVSS vector.
|
38
|
-
|
39
|
-
def environmental_score
|
40
|
-
return temporal_score unless @environmental.valid?
|
41
|
-
(@environmental.score @temporal.score).round_up(1)
|
42
|
-
end
|
43
|
-
|
44
|
-
private
|
45
|
-
|
46
|
-
def init_metrics
|
47
|
-
@base = Cvss3Base.new(@properties)
|
48
|
-
@temporal = Cvss3Temporal.new(@properties)
|
49
|
-
@environmental = Cvss3Environmental.new(@properties)
|
50
|
-
end
|
51
|
-
|
52
|
-
end
|
55
|
+
end
|
@@ -12,84 +12,81 @@ require_relative '../cvss_property'
|
|
12
12
|
require_relative '../cvss_metric'
|
13
13
|
require_relative '../helpers/cvss3_helper'
|
14
14
|
|
15
|
-
|
16
|
-
# This class represents a CVSS Base metric in version 3.
|
17
|
-
|
18
|
-
class Cvss3Base < CvssMetric
|
19
|
-
|
20
|
-
##
|
21
|
-
# Property of this metric
|
22
|
-
|
23
|
-
attr_reader :attack_vector, :attack_complexity, :privileges_required, :user_interaction,
|
24
|
-
:scope, :confidentiality, :integrity, :availability
|
25
|
-
|
15
|
+
module CvssSuite
|
26
16
|
##
|
27
|
-
#
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
17
|
+
# This class represents a CVSS Base metric in version 3.
|
18
|
+
class Cvss3Base < CvssMetric
|
19
|
+
##
|
20
|
+
# Property of this metric
|
21
|
+
attr_reader :attack_vector, :attack_complexity, :privileges_required, :user_interaction,
|
22
|
+
:scope, :confidentiality, :integrity, :availability
|
23
|
+
|
24
|
+
##
|
25
|
+
# Returns score of this metric
|
26
|
+
def score
|
27
|
+
privilege_score = Cvss3Helper.privileges_required_score @privileges_required, @scope
|
28
|
+
|
29
|
+
exploitability = 8.22 * @attack_vector.score * @attack_complexity.score *
|
30
|
+
privilege_score * @user_interaction.score
|
31
|
+
|
32
|
+
isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
|
33
|
+
|
34
|
+
impact_sub_score = if @scope.selected_value[:name] == 'Changed'
|
35
|
+
7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
|
36
|
+
else
|
37
|
+
6.42 * isc_base
|
38
|
+
end
|
39
|
+
|
40
|
+
return 0 if impact_sub_score <= 0
|
41
|
+
|
42
|
+
if @scope.selected_value[:name] == 'Changed'
|
43
|
+
[10, 1.08 * (impact_sub_score + exploitability)].min
|
44
|
+
else
|
45
|
+
[10, impact_sub_score + exploitability].min
|
46
|
+
end
|
41
47
|
end
|
42
48
|
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
+
private
|
50
|
+
|
51
|
+
def init_properties
|
52
|
+
@properties.push(@attack_vector =
|
53
|
+
CvssProperty.new(name: 'Attack Vector', abbreviation: 'AV', position: [0],
|
54
|
+
values: [{ name: 'Network', abbreviation: 'N', weight: 0.85 },
|
55
|
+
{ name: 'Adjacent', abbreviation: 'A', weight: 0.62 },
|
56
|
+
{ name: 'Local', abbreviation: 'L', weight: 0.55 },
|
57
|
+
{ name: 'Physical', abbreviation: 'P', weight: 0.2 }]))
|
58
|
+
@properties.push(@attack_complexity =
|
59
|
+
CvssProperty.new(name: 'Attack Complexity', abbreviation: 'AC', position: [1],
|
60
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.77 },
|
61
|
+
{ name: 'High', abbreviation: 'H', weight: 0.44 }]))
|
62
|
+
@properties.push(@privileges_required =
|
63
|
+
CvssProperty.new(name: 'Privileges Required', abbreviation: 'PR', position: [2],
|
64
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
|
65
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.62 },
|
66
|
+
{ name: 'High', abbreviation: 'H', weight: 0.27 }]))
|
67
|
+
@properties.push(@user_interaction =
|
68
|
+
CvssProperty.new(name: 'User Interaction', abbreviation: 'UI', position: [3],
|
69
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
|
70
|
+
{ name: 'Required', abbreviation: 'R', weight: 0.62 }]))
|
71
|
+
@properties.push(@scope =
|
72
|
+
CvssProperty.new(name: 'Scope', abbreviation: 'S', position: [4],
|
73
|
+
values: [{ name: 'Unchanged', abbreviation: 'U' },
|
74
|
+
{ name: 'Changed', abbreviation: 'C' }]))
|
75
|
+
@properties.push(@confidentiality =
|
76
|
+
CvssProperty.new(name: 'Confidentiality', abbreviation: 'C', position: [5],
|
77
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
78
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.22 },
|
79
|
+
{ name: 'High', abbreviation: 'H', weight: 0.56 }]))
|
80
|
+
@properties.push(@integrity =
|
81
|
+
CvssProperty.new(name: 'Integrity', abbreviation: 'I', position: [6],
|
82
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
83
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.22 },
|
84
|
+
{ name: 'High', abbreviation: 'H', weight: 0.56 }]))
|
85
|
+
@properties.push(@availability =
|
86
|
+
CvssProperty.new(name: 'Availability', abbreviation: 'A', position: [7],
|
87
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
88
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.22 },
|
89
|
+
{ name: 'High', abbreviation: 'H', weight: 0.56 }]))
|
49
90
|
end
|
50
91
|
end
|
51
|
-
|
52
|
-
private
|
53
|
-
|
54
|
-
def init_properties
|
55
|
-
@properties.push(@attack_vector =
|
56
|
-
CvssProperty.new(name: 'Attack Vector', abbreviation: 'AV', position: [0],
|
57
|
-
choices: [{ name: 'Network', abbreviation: 'N', weight: 0.85 },
|
58
|
-
{ name: 'Adjacent', abbreviation: 'A', weight: 0.62 },
|
59
|
-
{ name: 'Local', abbreviation: 'L', weight: 0.55 },
|
60
|
-
{ name: 'Physical', abbreviation: 'P', weight: 0.2 }]))
|
61
|
-
@properties.push(@attack_complexity =
|
62
|
-
CvssProperty.new(name: 'Attack Complexity', abbreviation: 'AC', position: [1],
|
63
|
-
choices: [{ name: 'Low', abbreviation: 'L', weight: 0.77 },
|
64
|
-
{ name: 'High', abbreviation: 'H', weight: 0.44 }]))
|
65
|
-
@properties.push(@privileges_required =
|
66
|
-
CvssProperty.new(name: 'Privileges Required', abbreviation: 'PR', position: [2],
|
67
|
-
choices: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
|
68
|
-
{ name: 'Low', abbreviation: 'L', weight: 0.62 },
|
69
|
-
{ name: 'High', abbreviation: 'H', weight: 0.27 }]))
|
70
|
-
@properties.push(@user_interaction =
|
71
|
-
CvssProperty.new(name: 'User Interaction', abbreviation: 'UI', position: [3],
|
72
|
-
choices: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
|
73
|
-
{ name: 'Required', abbreviation: 'R', weight: 0.62 }]))
|
74
|
-
@properties.push(@scope =
|
75
|
-
CvssProperty.new(name: 'Scope', abbreviation: 'S', position: [4],
|
76
|
-
choices: [{ name: 'Unchanged', abbreviation: 'U' },
|
77
|
-
{ name: 'Changed', abbreviation: 'C' }]))
|
78
|
-
@properties.push(@confidentiality =
|
79
|
-
CvssProperty.new(name: 'Confidentiality', abbreviation: 'C', position: [5],
|
80
|
-
choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
81
|
-
{ name: 'Low', abbreviation: 'L', weight: 0.22 },
|
82
|
-
{ name: 'High', abbreviation: 'H', weight: 0.56 }]))
|
83
|
-
@properties.push(@integrity =
|
84
|
-
CvssProperty.new(name: 'Integrity', abbreviation: 'I', position: [6],
|
85
|
-
choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
86
|
-
{ name: 'Low', abbreviation: 'L', weight: 0.22 },
|
87
|
-
{ name: 'High', abbreviation: 'H', weight: 0.56 }]))
|
88
|
-
@properties.push(@availability =
|
89
|
-
CvssProperty.new(name: 'Availability', abbreviation: 'A', position: [7],
|
90
|
-
choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
91
|
-
{ name: 'Low', abbreviation: 'L', weight: 0.22 },
|
92
|
-
{ name: 'High', abbreviation: 'H', weight: 0.56 }]))
|
93
|
-
end
|
94
92
|
end
|
95
|
-
|
@@ -12,133 +12,183 @@ require_relative '../cvss_property'
|
|
12
12
|
require_relative '../cvss_metric'
|
13
13
|
require_relative '../helpers/cvss3_helper'
|
14
14
|
|
15
|
-
|
16
|
-
|
15
|
+
module CvssSuite
|
16
|
+
##
|
17
|
+
# This class represents a CVSS Environmental metric in version 3.
|
18
|
+
class Cvss3Environmental < CvssMetric
|
19
|
+
##
|
20
|
+
# Property of this metric
|
21
|
+
attr_reader :confidentiality_requirement, :integrity_requirement, :availability_requirement,
|
22
|
+
:modified_attack_vector, :modified_attack_complexity, :modified_privileges_required,
|
23
|
+
:modified_user_interaction, :modified_scope, :modified_confidentiality,
|
24
|
+
:modified_integrity, :modified_availability
|
17
25
|
|
18
|
-
|
26
|
+
##
|
27
|
+
# Returns score of this metric
|
19
28
|
|
20
|
-
|
21
|
-
|
29
|
+
def score(base, temporal)
|
30
|
+
@base = base
|
22
31
|
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
32
|
+
merged_modified_privileges_required = @modified_privileges_required
|
33
|
+
if @modified_privileges_required.selected_value[:name] == 'Not Defined'
|
34
|
+
merged_modified_privileges_required = @base.privileges_required
|
35
|
+
end
|
27
36
|
|
28
|
-
|
29
|
-
|
37
|
+
merged_modified_scope = @modified_scope
|
38
|
+
if @modified_scope.selected_value[:name] == 'Not Defined'
|
39
|
+
merged_modified_scope = @base.scope
|
40
|
+
end
|
30
41
|
|
31
|
-
|
42
|
+
privilege_score = Cvss3Helper.privileges_required_score(merged_modified_privileges_required, merged_modified_scope)
|
32
43
|
|
33
|
-
|
44
|
+
modified_exploitability_sub_score = modified_exploitability_sub(privilege_score)
|
34
45
|
|
35
|
-
|
46
|
+
modified_impact_sub_score = modified_impact_sub(isc_modified)
|
36
47
|
|
37
|
-
|
48
|
+
return 0 if modified_impact_sub_score <= 0
|
38
49
|
|
39
|
-
|
50
|
+
calculate_score modified_impact_sub_score, modified_exploitability_sub_score, temporal.score
|
51
|
+
end
|
40
52
|
|
41
|
-
|
53
|
+
private
|
54
|
+
|
55
|
+
def init_properties
|
56
|
+
@properties.push(@confidentiality_requirement =
|
57
|
+
CvssProperty.new(name: 'Confidentiality Requirement', abbreviation: 'CR', position: [8, 11],
|
58
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
59
|
+
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
60
|
+
{ name: 'High', abbreviation: 'H', weight: 1.5 },
|
61
|
+
{ name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
|
62
|
+
@properties.push(@integrity_requirement =
|
63
|
+
CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
|
64
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
65
|
+
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
66
|
+
{ name: 'High', abbreviation: 'H', weight: 1.5 },
|
67
|
+
{ name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
|
68
|
+
|
69
|
+
@properties.push(@availability_requirement =
|
70
|
+
CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
|
71
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
72
|
+
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
73
|
+
{ name: 'High', abbreviation: 'H', weight: 1.5 },
|
74
|
+
{ name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
|
75
|
+
@properties.push(@modified_attack_vector =
|
76
|
+
CvssProperty.new(name: 'Modified Attack Vector', abbreviation: 'MAV', position: [11, 14],
|
77
|
+
values: [{ name: 'Network', abbreviation: 'N', weight: 0.85 },
|
78
|
+
{ name: 'Adjacent Network', abbreviation: 'A', weight: 0.62 },
|
79
|
+
{ name: 'Local', abbreviation: 'L', weight: 0.55 },
|
80
|
+
{ name: 'Physical', abbreviation: 'P', weight: 0.2 },
|
81
|
+
{ name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
|
82
|
+
@properties.push(@modified_attack_complexity =
|
83
|
+
CvssProperty.new(name: 'Modified Attack Complexity', abbreviation: 'MAC', position: [12, 15],
|
84
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.77 },
|
85
|
+
{ name: 'High', abbreviation: 'H', weight: 0.44 },
|
86
|
+
{ name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
|
87
|
+
@properties.push(@modified_privileges_required =
|
88
|
+
CvssProperty.new(name: 'Modified Privileges Required', abbreviation: 'MPR', position: [13, 16],
|
89
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
|
90
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.62 },
|
91
|
+
{ name: 'High', abbreviation: 'H', weight: 0.27 },
|
92
|
+
{ name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
|
93
|
+
@properties.push(@modified_user_interaction =
|
94
|
+
CvssProperty.new(name: 'Modified User Interaction', abbreviation: 'MUI', position: [14, 17],
|
95
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
|
96
|
+
{ name: 'Required', abbreviation: 'R', weight: 0.62 },
|
97
|
+
{ name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
|
98
|
+
@properties.push(@modified_scope =
|
99
|
+
CvssProperty.new(name: 'Modified Scope', abbreviation: 'MS', position: [15, 18],
|
100
|
+
values: [{ name: 'Changed', abbreviation: 'C' },
|
101
|
+
{ name: 'Unchanged', abbreviation: 'U' },
|
102
|
+
{ name: 'Not Defined', abbreviation: 'X' }]))
|
103
|
+
@properties.push(@modified_confidentiality =
|
104
|
+
CvssProperty.new(name: 'Modified Confidentiality', abbreviation: 'MC', position: [16, 19],
|
105
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0 },
|
106
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.22 },
|
107
|
+
{ name: 'High', abbreviation: 'H', weight: 0.56 },
|
108
|
+
{ name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
|
109
|
+
@properties.push(@modified_integrity =
|
110
|
+
CvssProperty.new(name: 'Modified Integrity', abbreviation: 'MI', position: [17, 20],
|
111
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0 },
|
112
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.22 },
|
113
|
+
{ name: 'High', abbreviation: 'H', weight: 0.56 },
|
114
|
+
{ name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
|
115
|
+
@properties.push(@modified_availability =
|
116
|
+
CvssProperty.new(name: 'Modified Availability', abbreviation: 'MA', position: [18, 21],
|
117
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0 },
|
118
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.22 },
|
119
|
+
{ name: 'High', abbreviation: 'H', weight: 0.56 },
|
120
|
+
{ name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
|
121
|
+
end
|
42
122
|
|
43
|
-
|
44
|
-
|
123
|
+
def modified_impact_sub(isc_modified)
|
124
|
+
if @modified_scope.selected_value[:name] == 'Not Defined'
|
125
|
+
if @base.scope.selected_value[:name] == 'Changed'
|
126
|
+
return 7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified - 0.02)**15
|
127
|
+
else
|
128
|
+
return 6.42 * isc_modified
|
129
|
+
end
|
130
|
+
end
|
131
|
+
|
132
|
+
if @modified_scope.selected_value[:name] == 'Changed'
|
133
|
+
7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified - 0.02)**15
|
134
|
+
else
|
135
|
+
6.42 * isc_modified
|
136
|
+
end
|
137
|
+
end
|
45
138
|
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
choices: [{name: 'Low', abbreviation: 'L', weight: 0.5},
|
52
|
-
{name: 'Medium', abbreviation: 'M', weight: 1.0},
|
53
|
-
{name: 'High', abbreviation: 'H', weight: 1.5},
|
54
|
-
{name: 'Not Defined', abbreviation: 'X', weight: 1}]))
|
55
|
-
@properties.push(@integrity_requirement =
|
56
|
-
CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
|
57
|
-
choices: [{name: 'Low', abbreviation: 'L', weight: 0.5},
|
58
|
-
{name: 'Medium', abbreviation: 'M', weight: 1.0},
|
59
|
-
{name: 'High', abbreviation: 'H', weight: 1.5},
|
60
|
-
{name: 'Not Defined', abbreviation: 'X', weight: 1}]))
|
61
|
-
|
62
|
-
@properties.push(@availability_requirement =
|
63
|
-
CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
|
64
|
-
choices: [{name: 'Low', abbreviation: 'L', weight: 0.5},
|
65
|
-
{name: 'Medium', abbreviation: 'M', weight: 1.0},
|
66
|
-
{name: 'High', abbreviation: 'H', weight: 1.5},
|
67
|
-
{name: 'Not Defined', abbreviation: 'X', weight: 1}]))
|
68
|
-
@properties.push(@modified_attack_vector =
|
69
|
-
CvssProperty.new(name: 'Modified Attack Vector', abbreviation: 'MAV', position: [11, 14],
|
70
|
-
choices: [{name: 'Network', abbreviation: 'N', weight: 0.85},
|
71
|
-
{name: 'Adjacent Network', abbreviation: 'A', weight: 0.62},
|
72
|
-
{name: 'Local', abbreviation: 'L', weight: 0.55},
|
73
|
-
{name: 'Physical', abbreviation: 'P', weight: 0.2},
|
74
|
-
{name: 'Not Defined', abbreviation: 'X', weight: 1}]))
|
75
|
-
@properties.push(@modified_attack_complexity =
|
76
|
-
CvssProperty.new(name: 'Modified Attack Complexity', abbreviation: 'MAC', position: [12, 15],
|
77
|
-
choices: [{name: 'Low', abbreviation: 'L', weight: 0.77},
|
78
|
-
{name: 'High', abbreviation: 'H', weight: 0.44},
|
79
|
-
{name: 'Not Defined', abbreviation: 'X', weight: 1}]))
|
80
|
-
@properties.push(@modified_privileges_required =
|
81
|
-
CvssProperty.new(name: 'Modified Privileges Required', abbreviation: 'MPR', position: [13, 16],
|
82
|
-
choices: [{name: 'None', abbreviation: 'N', weight: 0.85},
|
83
|
-
{name: 'Low', abbreviation: 'L', weight: 0.62},
|
84
|
-
{name: 'High', abbreviation: 'H', weight: 0.27},
|
85
|
-
{name: 'Not Defined', abbreviation: 'X', weight: 1}]))
|
86
|
-
@properties.push(@modified_user_interaction =
|
87
|
-
CvssProperty.new(name: 'Modified User Interaction', abbreviation: 'MUI', position: [14, 17],
|
88
|
-
choices: [{name: 'None', abbreviation: 'N', weight: 0.85},
|
89
|
-
{name: 'Required', abbreviation: 'R', weight: 0.62},
|
90
|
-
{name: 'Not Defined', abbreviation: 'X', weight: 1}]))
|
91
|
-
@properties.push(@modified_scope =
|
92
|
-
CvssProperty.new(name: 'Modified Scope', abbreviation: 'MS', position: [15, 18],
|
93
|
-
choices: [{name: 'Changed', abbreviation: 'C'},
|
94
|
-
{name: 'Unchanged', abbreviation: 'U'}]))
|
95
|
-
@properties.push(@modified_confidentiality =
|
96
|
-
CvssProperty.new(name: 'Modified Confidentiality', abbreviation: 'MC', position: [16, 19],
|
97
|
-
choices: [{name: 'None', abbreviation: 'N', weight: 0},
|
98
|
-
{name: 'Low', abbreviation: 'L', weight: 0.22},
|
99
|
-
{name: 'High', abbreviation: 'H', weight: 0.56},
|
100
|
-
{name: 'Not Defined', abbreviation: 'X', weight: 1}]))
|
101
|
-
@properties.push(@modified_integrity =
|
102
|
-
CvssProperty.new(name: 'Modified Integrity', abbreviation: 'MI', position: [17, 20],
|
103
|
-
choices: [{name: 'None', abbreviation: 'N', weight: 0},
|
104
|
-
{name: 'Low', abbreviation: 'L', weight: 0.22},
|
105
|
-
{name: 'High', abbreviation: 'H', weight: 0.56},
|
106
|
-
{name: 'Not Defined', abbreviation: 'X', weight: 1}]))
|
107
|
-
@properties.push(@modified_availability =
|
108
|
-
CvssProperty.new(name: 'Modified Availability', abbreviation: 'MA', position: [18, 21],
|
109
|
-
choices: [{name: 'None', abbreviation: 'N', weight: 0},
|
110
|
-
{name: 'Low', abbreviation: 'L', weight: 0.22},
|
111
|
-
{name: 'High', abbreviation: 'H', weight: 0.56},
|
112
|
-
{name: 'Not Defined', abbreviation: 'X', weight: 1}]))
|
113
|
-
end
|
139
|
+
def isc_modified
|
140
|
+
merged_modified_confidentiality = @modified_confidentiality
|
141
|
+
if @modified_confidentiality.selected_value[:name] == 'Not Defined'
|
142
|
+
merged_modified_confidentiality = @base.confidentiality
|
143
|
+
end
|
114
144
|
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
145
|
+
merged_modified_integrity = @modified_integrity
|
146
|
+
if @modified_integrity.selected_value[:name] == 'Not Defined'
|
147
|
+
merged_modified_integrity = @base.integrity
|
148
|
+
end
|
149
|
+
|
150
|
+
merged_modified_availability = @modified_availability
|
151
|
+
if @modified_availability.selected_value[:name] == 'Not Defined'
|
152
|
+
merged_modified_availability = @base.availability
|
153
|
+
end
|
154
|
+
|
155
|
+
confidentiality_score = 1 - merged_modified_confidentiality.score * @confidentiality_requirement.score
|
156
|
+
integrity_score = 1 - merged_modified_integrity.score * @integrity_requirement.score
|
157
|
+
availability_score = 1 - merged_modified_availability.score * @availability_requirement.score
|
158
|
+
|
159
|
+
[0.915, (1 - confidentiality_score * integrity_score * availability_score)].min
|
120
160
|
end
|
121
|
-
end
|
122
161
|
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
162
|
+
def modified_exploitability_sub(privilege_score)
|
163
|
+
merged_modified_attack_vector = @modified_attack_vector
|
164
|
+
if @modified_attack_vector.selected_value[:name] == 'Not Defined'
|
165
|
+
merged_modified_attack_vector = @base.attack_vector
|
166
|
+
end
|
127
167
|
|
128
|
-
|
129
|
-
|
168
|
+
merged_modified_attack_complexity = @modified_attack_complexity
|
169
|
+
if @modified_attack_complexity.selected_value[:name] == 'Not Defined'
|
170
|
+
merged_modified_attack_complexity = @base.attack_complexity
|
171
|
+
end
|
130
172
|
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
modified_exploitability_sub_score *= @modified_user_interaction.score
|
136
|
-
end
|
173
|
+
merged_modified_user_interaction = @modified_user_interaction
|
174
|
+
if @modified_user_interaction.selected_value[:name] == 'Not Defined'
|
175
|
+
merged_modified_user_interaction = @base.user_interaction
|
176
|
+
end
|
137
177
|
|
138
|
-
|
139
|
-
|
178
|
+
8.22 * merged_modified_attack_vector.score * merged_modified_attack_complexity.score *
|
179
|
+
privilege_score * merged_modified_user_interaction.score
|
180
|
+
end
|
140
181
|
|
141
|
-
|
182
|
+
def calculate_score(modified_impact_sub_score, modified_exploitability_sub_score, temporal_score)
|
183
|
+
if @modified_scope.selected_value[:name] == 'Not Defined'
|
184
|
+
factor = @base.scope.selected_value[:name] == 'Changed' ? 1.08 : 1.0
|
185
|
+
else
|
186
|
+
factor = @modified_scope.selected_value[:name] == 'Changed' ? 1.08 : 1.0
|
187
|
+
end
|
142
188
|
|
189
|
+
Cvss3Helper.round_up(
|
190
|
+
[factor * (modified_impact_sub_score + modified_exploitability_sub_score), 10].min
|
191
|
+
) * temporal_score
|
192
|
+
end
|
143
193
|
end
|
144
|
-
end
|
194
|
+
end
|