cvss-suite 1.1.1 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (38) hide show
  1. checksums.yaml +5 -5
  2. data/.github/ISSUE_TEMPLATE/bug_report.md +21 -0
  3. data/.github/ISSUE_TEMPLATE/custom.md +7 -0
  4. data/.github/ISSUE_TEMPLATE/feature_request.md +17 -0
  5. data/.github/workflows/rspec.yml +23 -0
  6. data/.github/workflows/rubocop.yml +21 -0
  7. data/.gitignore +1 -0
  8. data/.rubocop.yml +45 -1
  9. data/.rubocop_todo.yml +59 -0
  10. data/CHANGES.md +61 -1
  11. data/PULL_REQUEST_TEMPLATE.md +24 -0
  12. data/README.md +43 -16
  13. data/_config.yml +1 -0
  14. data/bin/console +3 -3
  15. data/cvss_suite.gemspec +14 -13
  16. data/lib/cvss_suite.rb +13 -11
  17. data/lib/cvss_suite/cvss.rb +85 -73
  18. data/lib/cvss_suite/cvss2/cvss2.rb +39 -36
  19. data/lib/cvss_suite/cvss2/cvss2_base.rb +69 -75
  20. data/lib/cvss_suite/cvss2/cvss2_environmental.rb +52 -54
  21. data/lib/cvss_suite/cvss2/cvss2_temporal.rb +40 -41
  22. data/lib/cvss_suite/cvss3/cvss3.rb +39 -36
  23. data/lib/cvss_suite/cvss3/cvss3_base.rb +72 -75
  24. data/lib/cvss_suite/cvss3/cvss3_environmental.rb +159 -109
  25. data/lib/cvss_suite/cvss3/cvss3_temporal.rb +41 -42
  26. data/lib/cvss_suite/cvss31/cvss31.rb +60 -0
  27. data/lib/cvss_suite/cvss31/cvss31_base.rb +93 -0
  28. data/lib/cvss_suite/cvss31/cvss31_environmental.rb +194 -0
  29. data/lib/cvss_suite/cvss31/cvss31_temporal.rb +56 -0
  30. data/lib/cvss_suite/cvss_metric.rb +31 -35
  31. data/lib/cvss_suite/cvss_property.rb +57 -56
  32. data/lib/cvss_suite/helpers/cvss31_helper.rb +27 -0
  33. data/lib/cvss_suite/helpers/cvss3_helper.rb +21 -15
  34. data/lib/cvss_suite/invalid_cvss.rb +37 -45
  35. data/lib/cvss_suite/version.rb +2 -2
  36. metadata +21 -25
  37. data/.travis.yml +0 -4
  38. data/lib/cvss_suite/helpers/extensions.rb +0 -32
data/lib/cvss_suite/cvss2/cvss2_environmental.rb CHANGED
@@ -11,64 +11,62 @@
11
11
  require_relative '../cvss_property'
12
12
  require_relative '../cvss_metric'
13
13
 
14
- ##
15
- # This class represents a CVSS Environmental metric in version 2.
16
-
17
- class Cvss2Environmental < CvssMetric
18
-
19
- ##
20
- # Property of this metric
21
-
22
- attr_reader :collateral_damage_potential, :target_distribution, :security_requirements_cr,
23
- :security_requirements_ir, :security_requirements_ar
24
-
14
+ module CvssSuite
25
15
  ##
26
- # Returns score of this metric
27
-
28
- def score(base, temporal_score)
29
- base_score = (base.score @security_requirements_cr.score, @security_requirements_ir.score, @security_requirements_ar.score).round(1)
16
+ # This class represents a CVSS Environmental metric in version 2.
17
+ class Cvss2Environmental < CvssMetric
18
+ ##
19
+ # Property of this metric
20
+ attr_reader :collateral_damage_potential, :target_distribution, :security_requirements_cr,
21
+ :security_requirements_ir, :security_requirements_ar
30
22
 
31
- adjusted_temporal = (base_score * temporal_score).round(1)
32
- (adjusted_temporal + (10 - adjusted_temporal) * @collateral_damage_potential.score) * @target_distribution.score
23
+ ##
24
+ # Returns score of this metric
25
+ def score(base, temporal_score)
26
+ base_score = base.score(@security_requirements_cr.score,
27
+ @security_requirements_ir.score,
28
+ @security_requirements_ar.score).round(1)
33
29
 
34
- end
30
+ adjusted_temporal = (base_score * temporal_score).round(1)
31
+ (adjusted_temporal + (10 - adjusted_temporal) * @collateral_damage_potential.score) * @target_distribution.score
32
+ end
35
33
 
36
- private
34
+ private
37
35
 
38
- def init_properties
39
- @properties.push(@collateral_damage_potential =
40
- CvssProperty.new(name: 'Collateral Damage Potential', abbreviation: 'CDP', position: [6, 9],
41
- choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
42
- { name: 'Low', abbreviation: 'L', weight: 0.1 },
43
- { name: 'Low-Medium', abbreviation: 'LM', weight: 0.3 },
44
- { name: 'Medium-High', abbreviation: 'MH', weight: 0.4 },
45
- { name: 'High', abbreviation: 'H', weight: 0.5 },
46
- { name: 'Not Defined', abbreviation: 'ND', weight: 0.0 }]))
47
- @properties.push(@target_distribution =
48
- CvssProperty.new(name: 'Target Distribution', abbreviation: 'TD', position: [7, 10],
49
- choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
50
- { name: 'Low', abbreviation: 'L', weight: 0.25 },
51
- { name: 'Medium', abbreviation: 'M', weight: 0.75 },
52
- { name: 'High', abbreviation: 'H', weight: 1.0 },
53
- { name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
54
- @properties.push(@security_requirements_cr =
55
- CvssProperty.new(name: 'Confidentiality Requirement', abbreviation: 'CR', position: [8, 11],
56
- choices: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
57
- { name: 'Medium', abbreviation: 'M', weight: 1.0 },
58
- { name: 'High', abbreviation: 'H', weight: 1.51 },
59
- { name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
60
- @properties.push(@security_requirements_ir =
61
- CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
62
- choices: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
63
- { name: 'Medium', abbreviation: 'M', weight: 1.0 },
64
- { name: 'High', abbreviation: 'H', weight: 1.51 },
65
- { name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
66
- @properties.push(@security_requirements_ar =
67
- CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
68
- choices: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
69
- { name: 'Medium', abbreviation: 'M', weight: 1.0 },
70
- { name: 'High', abbreviation: 'H', weight: 1.51 },
71
- { name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
36
+ def init_properties
37
+ @properties.push(@collateral_damage_potential =
38
+ CvssProperty.new(name: 'Collateral Damage Potential', abbreviation: 'CDP', position: [6, 9],
39
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
40
+ { name: 'Low', abbreviation: 'L', weight: 0.1 },
41
+ { name: 'Low-Medium', abbreviation: 'LM', weight: 0.3 },
42
+ { name: 'Medium-High', abbreviation: 'MH', weight: 0.4 },
43
+ { name: 'High', abbreviation: 'H', weight: 0.5 },
44
+ { name: 'Not Defined', abbreviation: 'ND', weight: 0.0 }]))
45
+ @properties.push(@target_distribution =
46
+ CvssProperty.new(name: 'Target Distribution', abbreviation: 'TD', position: [7, 10],
47
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
48
+ { name: 'Low', abbreviation: 'L', weight: 0.25 },
49
+ { name: 'Medium', abbreviation: 'M', weight: 0.75 },
50
+ { name: 'High', abbreviation: 'H', weight: 1.0 },
51
+ { name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
52
+ @properties.push(@security_requirements_cr =
53
+ CvssProperty.new(name: 'Confidentiality Requirement', abbreviation: 'CR', position: [8, 11],
54
+ values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
55
+ { name: 'Medium', abbreviation: 'M', weight: 1.0 },
56
+ { name: 'High', abbreviation: 'H', weight: 1.51 },
57
+ { name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
58
+ @properties.push(@security_requirements_ir =
59
+ CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
60
+ values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
61
+ { name: 'Medium', abbreviation: 'M', weight: 1.0 },
62
+ { name: 'High', abbreviation: 'H', weight: 1.51 },
63
+ { name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
64
+ @properties.push(@security_requirements_ar =
65
+ CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
66
+ values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
67
+ { name: 'Medium', abbreviation: 'M', weight: 1.0 },
68
+ { name: 'High', abbreviation: 'H', weight: 1.51 },
69
+ { name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
70
+ end
72
71
  end
73
72
  end
74
-
data/lib/cvss_suite/cvss2/cvss2_temporal.rb CHANGED
@@ -11,47 +11,46 @@
11
11
  require_relative '../cvss_property'
12
12
  require_relative '../cvss_metric'
13
13
 
14
- ##
15
- # This class represents a CVSS Temporal metric in version 2.
16
-
17
- class Cvss2Temporal < CvssMetric
18
-
19
- ##
20
- # Property of this metric
21
-
22
- attr_reader :exploitability, :remediation_level, :report_confidence
23
-
14
+ module CvssSuite
24
15
  ##
25
- # Returns score of this metric
26
-
27
- def score
28
- return 1 unless valid?
29
- @exploitability.score * @remediation_level.score * @report_confidence.score
30
- end
31
-
32
- private
33
-
34
- def init_properties
35
- @properties.push(@exploitability =
36
- CvssProperty.new(name: 'Exploitability', abbreviation: 'E', position: [6],
37
- choices: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
38
- { name: 'Unproven', abbreviation: 'U', weight: 0.85 },
39
- { name: 'Proof-of-Concept', abbreviation: 'POC', weight: 0.9 },
40
- { name: 'Functional', abbreviation: 'F', weight: 0.95 },
41
- { name: 'High', abbreviation: 'H', weight: 1 }]))
42
- @properties.push(@remediation_level =
43
- CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [7],
44
- choices: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
45
- { name: 'Official Fix', abbreviation: 'OF', weight: 0.87 },
46
- { name: 'Temporary Fix', abbreviation: 'TF', weight: 0.9 },
47
- { name: 'Workaround', abbreviation: 'W', weight: 0.95 },
48
- { name: 'Unavailable', abbreviation: 'U', weight: 1 }]))
49
-
50
- @properties.push(@report_confidence =
51
- CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [8],
52
- choices: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
53
- { name: 'Unconfirmed', abbreviation: 'UC', weight: 0.9 },
54
- { name: 'Uncorroborated', abbreviation: 'UR', weight: 0.95 },
55
- { name: 'Confirmed', abbreviation: 'C', weight: 1 }]))
16
+ # This class represents a CVSS Temporal metric in version 2.
17
+ class Cvss2Temporal < CvssMetric
18
+ ##
19
+ # Property of this metric
20
+ attr_reader :exploitability, :remediation_level, :report_confidence
21
+
22
+ ##
23
+ # Returns score of this metric
24
+ def score
25
+ return 1 unless valid?
26
+
27
+ @exploitability.score * @remediation_level.score * @report_confidence.score
28
+ end
29
+
30
+ private
31
+
32
+ def init_properties
33
+ @properties.push(@exploitability =
34
+ CvssProperty.new(name: 'Exploitability', abbreviation: 'E', position: [6],
35
+ values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
36
+ { name: 'Unproven', abbreviation: 'U', weight: 0.85 },
37
+ { name: 'Proof-of-Concept', abbreviation: 'POC', weight: 0.9 },
38
+ { name: 'Functional', abbreviation: 'F', weight: 0.95 },
39
+ { name: 'High', abbreviation: 'H', weight: 1 }]))
40
+ @properties.push(@remediation_level =
41
+ CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [7],
42
+ values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
43
+ { name: 'Official Fix', abbreviation: 'OF', weight: 0.87 },
44
+ { name: 'Temporary Fix', abbreviation: 'TF', weight: 0.9 },
45
+ { name: 'Workaround', abbreviation: 'W', weight: 0.95 },
46
+ { name: 'Unavailable', abbreviation: 'U', weight: 1 }]))
47
+
48
+ @properties.push(@report_confidence =
49
+ CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [8],
50
+ values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
51
+ { name: 'Unconfirmed', abbreviation: 'UC', weight: 0.9 },
52
+ { name: 'Uncorroborated', abbreviation: 'UR', weight: 0.95 },
53
+ { name: 'Confirmed', abbreviation: 'C', weight: 1 }]))
54
+ end
56
55
  end
57
56
  end
data/lib/cvss_suite/cvss3/cvss3.rb CHANGED
@@ -8,45 +8,48 @@
8
8
  # This work is licensed under the terms of the MIT license.
9
9
  # See the LICENSE.md file in the top-level directory.
10
10
 
11
- require_relative '../../../lib/cvss_suite/cvss'
11
+ require_relative '../cvss'
12
12
  require_relative 'cvss3_base'
13
13
  require_relative 'cvss3_temporal'
14
14
  require_relative 'cvss3_environmental'
15
15
 
16
- ##
17
- # This class represents a CVSS vector in version 3.0.
18
-
19
- class Cvss3 < Cvss
20
-
21
- ##
22
- # Returns the Base Score of the CVSS vector.
23
-
24
- def base_score
25
- check_validity
26
- @base.score.round_up(1)
27
- end
28
-
16
+ module CvssSuite
29
17
  ##
30
- # Returns the Temporal Score of the CVSS vector.
31
-
32
- def temporal_score
33
- (@base.score.round_up(1) * @temporal.score).round_up(1)
18
+ # This class represents a CVSS vector in version 3.0.
19
+ class Cvss3 < Cvss
20
+ ##
21
+ # Returns the Version of the CVSS vector.
22
+ def version
23
+ 3.0
24
+ end
25
+
26
+ ##
27
+ # Returns the Base Score of the CVSS vector.
28
+ def base_score
29
+ check_validity
30
+ Cvss3Helper.round_up(@base.score)
31
+ end
32
+
33
+ ##
34
+ # Returns the Temporal Score of the CVSS vector.
35
+ def temporal_score
36
+ Cvss3Helper.round_up(Cvss3Helper.round_up(@base.score) * @temporal.score)
37
+ end
38
+
39
+ ##
40
+ # Returns the Environmental Score of the CVSS vector.
41
+ def environmental_score
42
+ return temporal_score unless @environmental.valid?
43
+
44
+ Cvss3Helper.round_up(@environmental.score(@base, @temporal))
45
+ end
46
+
47
+ private
48
+
49
+ def init_metrics
50
+ @base = Cvss3Base.new(@properties)
51
+ @temporal = Cvss3Temporal.new(@properties)
52
+ @environmental = Cvss3Environmental.new(@properties)
53
+ end
34
54
  end
35
-
36
- ##
37
- # Returns the Environmental Score of the CVSS vector.
38
-
39
- def environmental_score
40
- return temporal_score unless @environmental.valid?
41
- (@environmental.score @temporal.score).round_up(1)
42
- end
43
-
44
- private
45
-
46
- def init_metrics
47
- @base = Cvss3Base.new(@properties)
48
- @temporal = Cvss3Temporal.new(@properties)
49
- @environmental = Cvss3Environmental.new(@properties)
50
- end
51
-
52
- end
55
+ end
data/lib/cvss_suite/cvss3/cvss3_base.rb CHANGED
@@ -12,84 +12,81 @@ require_relative '../cvss_property'
12
12
  require_relative '../cvss_metric'
13
13
  require_relative '../helpers/cvss3_helper'
14
14
 
15
- ##
16
- # This class represents a CVSS Base metric in version 3.
17
-
18
- class Cvss3Base < CvssMetric
19
-
20
- ##
21
- # Property of this metric
22
-
23
- attr_reader :attack_vector, :attack_complexity, :privileges_required, :user_interaction,
24
- :scope, :confidentiality, :integrity, :availability
25
-
15
+ module CvssSuite
26
16
  ##
27
- # Returns score of this metric
28
-
29
- def score
30
-
31
- privilege_score = Cvss3Helper.privileges_required_score @privileges_required, @scope
32
-
33
- exploitability = 8.22 * @attack_vector.score * @attack_complexity.score * privilege_score * @user_interaction.score
34
-
35
- isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
36
-
37
- if @scope.selected_choice[:name] == 'Changed'
38
- impact_sub_score = 7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
39
- else
40
- impact_sub_score = 6.42 * isc_base
17
+ # This class represents a CVSS Base metric in version 3.
18
+ class Cvss3Base < CvssMetric
19
+ ##
20
+ # Property of this metric
21
+ attr_reader :attack_vector, :attack_complexity, :privileges_required, :user_interaction,
22
+ :scope, :confidentiality, :integrity, :availability
23
+
24
+ ##
25
+ # Returns score of this metric
26
+ def score
27
+ privilege_score = Cvss3Helper.privileges_required_score @privileges_required, @scope
28
+
29
+ exploitability = 8.22 * @attack_vector.score * @attack_complexity.score *
30
+ privilege_score * @user_interaction.score
31
+
32
+ isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
33
+
34
+ impact_sub_score = if @scope.selected_value[:name] == 'Changed'
35
+ 7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
36
+ else
37
+ 6.42 * isc_base
38
+ end
39
+
40
+ return 0 if impact_sub_score <= 0
41
+
42
+ if @scope.selected_value[:name] == 'Changed'
43
+ [10, 1.08 * (impact_sub_score + exploitability)].min
44
+ else
45
+ [10, impact_sub_score + exploitability].min
46
+ end
41
47
  end
42
48
 
43
- return 0 if impact_sub_score <= 0
44
-
45
- if @scope.selected_choice[:name] == 'Changed'
46
- [10, 1.08 * (impact_sub_score + exploitability)].min
47
- else
48
- [10, impact_sub_score + exploitability].min
49
+ private
50
+
51
+ def init_properties
52
+ @properties.push(@attack_vector =
53
+ CvssProperty.new(name: 'Attack Vector', abbreviation: 'AV', position: [0],
54
+ values: [{ name: 'Network', abbreviation: 'N', weight: 0.85 },
55
+ { name: 'Adjacent', abbreviation: 'A', weight: 0.62 },
56
+ { name: 'Local', abbreviation: 'L', weight: 0.55 },
57
+ { name: 'Physical', abbreviation: 'P', weight: 0.2 }]))
58
+ @properties.push(@attack_complexity =
59
+ CvssProperty.new(name: 'Attack Complexity', abbreviation: 'AC', position: [1],
60
+ values: [{ name: 'Low', abbreviation: 'L', weight: 0.77 },
61
+ { name: 'High', abbreviation: 'H', weight: 0.44 }]))
62
+ @properties.push(@privileges_required =
63
+ CvssProperty.new(name: 'Privileges Required', abbreviation: 'PR', position: [2],
64
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
65
+ { name: 'Low', abbreviation: 'L', weight: 0.62 },
66
+ { name: 'High', abbreviation: 'H', weight: 0.27 }]))
67
+ @properties.push(@user_interaction =
68
+ CvssProperty.new(name: 'User Interaction', abbreviation: 'UI', position: [3],
69
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
70
+ { name: 'Required', abbreviation: 'R', weight: 0.62 }]))
71
+ @properties.push(@scope =
72
+ CvssProperty.new(name: 'Scope', abbreviation: 'S', position: [4],
73
+ values: [{ name: 'Unchanged', abbreviation: 'U' },
74
+ { name: 'Changed', abbreviation: 'C' }]))
75
+ @properties.push(@confidentiality =
76
+ CvssProperty.new(name: 'Confidentiality', abbreviation: 'C', position: [5],
77
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
78
+ { name: 'Low', abbreviation: 'L', weight: 0.22 },
79
+ { name: 'High', abbreviation: 'H', weight: 0.56 }]))
80
+ @properties.push(@integrity =
81
+ CvssProperty.new(name: 'Integrity', abbreviation: 'I', position: [6],
82
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
83
+ { name: 'Low', abbreviation: 'L', weight: 0.22 },
84
+ { name: 'High', abbreviation: 'H', weight: 0.56 }]))
85
+ @properties.push(@availability =
86
+ CvssProperty.new(name: 'Availability', abbreviation: 'A', position: [7],
87
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
88
+ { name: 'Low', abbreviation: 'L', weight: 0.22 },
89
+ { name: 'High', abbreviation: 'H', weight: 0.56 }]))
49
90
  end
50
91
  end
51
-
52
- private
53
-
54
- def init_properties
55
- @properties.push(@attack_vector =
56
- CvssProperty.new(name: 'Attack Vector', abbreviation: 'AV', position: [0],
57
- choices: [{ name: 'Network', abbreviation: 'N', weight: 0.85 },
58
- { name: 'Adjacent', abbreviation: 'A', weight: 0.62 },
59
- { name: 'Local', abbreviation: 'L', weight: 0.55 },
60
- { name: 'Physical', abbreviation: 'P', weight: 0.2 }]))
61
- @properties.push(@attack_complexity =
62
- CvssProperty.new(name: 'Attack Complexity', abbreviation: 'AC', position: [1],
63
- choices: [{ name: 'Low', abbreviation: 'L', weight: 0.77 },
64
- { name: 'High', abbreviation: 'H', weight: 0.44 }]))
65
- @properties.push(@privileges_required =
66
- CvssProperty.new(name: 'Privileges Required', abbreviation: 'PR', position: [2],
67
- choices: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
68
- { name: 'Low', abbreviation: 'L', weight: 0.62 },
69
- { name: 'High', abbreviation: 'H', weight: 0.27 }]))
70
- @properties.push(@user_interaction =
71
- CvssProperty.new(name: 'User Interaction', abbreviation: 'UI', position: [3],
72
- choices: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
73
- { name: 'Required', abbreviation: 'R', weight: 0.62 }]))
74
- @properties.push(@scope =
75
- CvssProperty.new(name: 'Scope', abbreviation: 'S', position: [4],
76
- choices: [{ name: 'Unchanged', abbreviation: 'U' },
77
- { name: 'Changed', abbreviation: 'C' }]))
78
- @properties.push(@confidentiality =
79
- CvssProperty.new(name: 'Confidentiality', abbreviation: 'C', position: [5],
80
- choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
81
- { name: 'Low', abbreviation: 'L', weight: 0.22 },
82
- { name: 'High', abbreviation: 'H', weight: 0.56 }]))
83
- @properties.push(@integrity =
84
- CvssProperty.new(name: 'Integrity', abbreviation: 'I', position: [6],
85
- choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
86
- { name: 'Low', abbreviation: 'L', weight: 0.22 },
87
- { name: 'High', abbreviation: 'H', weight: 0.56 }]))
88
- @properties.push(@availability =
89
- CvssProperty.new(name: 'Availability', abbreviation: 'A', position: [7],
90
- choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
91
- { name: 'Low', abbreviation: 'L', weight: 0.22 },
92
- { name: 'High', abbreviation: 'H', weight: 0.56 }]))
93
- end
94
92
  end
95
-
data/lib/cvss_suite/cvss3/cvss3_environmental.rb CHANGED
@@ -12,133 +12,183 @@ require_relative '../cvss_property'
12
12
  require_relative '../cvss_metric'
13
13
  require_relative '../helpers/cvss3_helper'
14
14
 
15
- ##
16
- # This class represents a CVSS Environmental metric in version 3.
15
+ module CvssSuite
16
+ ##
17
+ # This class represents a CVSS Environmental metric in version 3.
18
+ class Cvss3Environmental < CvssMetric
19
+ ##
20
+ # Property of this metric
21
+ attr_reader :confidentiality_requirement, :integrity_requirement, :availability_requirement,
22
+ :modified_attack_vector, :modified_attack_complexity, :modified_privileges_required,
23
+ :modified_user_interaction, :modified_scope, :modified_confidentiality,
24
+ :modified_integrity, :modified_availability
17
25
 
18
- class Cvss3Environmental < CvssMetric
26
+ ##
27
+ # Returns score of this metric
19
28
 
20
- ##
21
- # Property of this metric
29
+ def score(base, temporal)
30
+ @base = base
22
31
 
23
- attr_reader :confidentiality_requirement, :integrity_requirement, :availability_requirement,
24
- :modified_attack_vector, :modified_attack_complexity, :modified_privileges_required,
25
- :modified_user_interaction, :modified_scope, :modified_confidentiality,
26
- :modified_integrity, :modified_availability
32
+ merged_modified_privileges_required = @modified_privileges_required
33
+ if @modified_privileges_required.selected_value[:name] == 'Not Defined'
34
+ merged_modified_privileges_required = @base.privileges_required
35
+ end
27
36
 
28
- ##
29
- # Returns score of this metric
37
+ merged_modified_scope = @modified_scope
38
+ if @modified_scope.selected_value[:name] == 'Not Defined'
39
+ merged_modified_scope = @base.scope
40
+ end
30
41
 
31
- def score(temporal_score)
42
+ privilege_score = Cvss3Helper.privileges_required_score(merged_modified_privileges_required, merged_modified_scope)
32
43
 
33
- privilege_score = Cvss3Helper.privileges_required_score @modified_privileges_required, @modified_scope
44
+ modified_exploitability_sub_score = modified_exploitability_sub(privilege_score)
34
45
 
35
- modified_exploitability_sub_score = modified_exploitability_sub privilege_score
46
+ modified_impact_sub_score = modified_impact_sub(isc_modified)
36
47
 
37
- isc_modified_score = isc_modified
48
+ return 0 if modified_impact_sub_score <= 0
38
49
 
39
- modified_impact_sub_score = modified_impact_sub isc_modified_score
50
+ calculate_score modified_impact_sub_score, modified_exploitability_sub_score, temporal.score
51
+ end
40
52
 
41
- return 0 if modified_impact_sub_score <= 0
53
+ private
54
+
55
+ def init_properties
56
+ @properties.push(@confidentiality_requirement =
57
+ CvssProperty.new(name: 'Confidentiality Requirement', abbreviation: 'CR', position: [8, 11],
58
+ values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
59
+ { name: 'Medium', abbreviation: 'M', weight: 1.0 },
60
+ { name: 'High', abbreviation: 'H', weight: 1.5 },
61
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
62
+ @properties.push(@integrity_requirement =
63
+ CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
64
+ values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
65
+ { name: 'Medium', abbreviation: 'M', weight: 1.0 },
66
+ { name: 'High', abbreviation: 'H', weight: 1.5 },
67
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
68
+
69
+ @properties.push(@availability_requirement =
70
+ CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
71
+ values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
72
+ { name: 'Medium', abbreviation: 'M', weight: 1.0 },
73
+ { name: 'High', abbreviation: 'H', weight: 1.5 },
74
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
75
+ @properties.push(@modified_attack_vector =
76
+ CvssProperty.new(name: 'Modified Attack Vector', abbreviation: 'MAV', position: [11, 14],
77
+ values: [{ name: 'Network', abbreviation: 'N', weight: 0.85 },
78
+ { name: 'Adjacent Network', abbreviation: 'A', weight: 0.62 },
79
+ { name: 'Local', abbreviation: 'L', weight: 0.55 },
80
+ { name: 'Physical', abbreviation: 'P', weight: 0.2 },
81
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
82
+ @properties.push(@modified_attack_complexity =
83
+ CvssProperty.new(name: 'Modified Attack Complexity', abbreviation: 'MAC', position: [12, 15],
84
+ values: [{ name: 'Low', abbreviation: 'L', weight: 0.77 },
85
+ { name: 'High', abbreviation: 'H', weight: 0.44 },
86
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
87
+ @properties.push(@modified_privileges_required =
88
+ CvssProperty.new(name: 'Modified Privileges Required', abbreviation: 'MPR', position: [13, 16],
89
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
90
+ { name: 'Low', abbreviation: 'L', weight: 0.62 },
91
+ { name: 'High', abbreviation: 'H', weight: 0.27 },
92
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
93
+ @properties.push(@modified_user_interaction =
94
+ CvssProperty.new(name: 'Modified User Interaction', abbreviation: 'MUI', position: [14, 17],
95
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
96
+ { name: 'Required', abbreviation: 'R', weight: 0.62 },
97
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
98
+ @properties.push(@modified_scope =
99
+ CvssProperty.new(name: 'Modified Scope', abbreviation: 'MS', position: [15, 18],
100
+ values: [{ name: 'Changed', abbreviation: 'C' },
101
+ { name: 'Unchanged', abbreviation: 'U' },
102
+ { name: 'Not Defined', abbreviation: 'X' }]))
103
+ @properties.push(@modified_confidentiality =
104
+ CvssProperty.new(name: 'Modified Confidentiality', abbreviation: 'MC', position: [16, 19],
105
+ values: [{ name: 'None', abbreviation: 'N', weight: 0 },
106
+ { name: 'Low', abbreviation: 'L', weight: 0.22 },
107
+ { name: 'High', abbreviation: 'H', weight: 0.56 },
108
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
109
+ @properties.push(@modified_integrity =
110
+ CvssProperty.new(name: 'Modified Integrity', abbreviation: 'MI', position: [17, 20],
111
+ values: [{ name: 'None', abbreviation: 'N', weight: 0 },
112
+ { name: 'Low', abbreviation: 'L', weight: 0.22 },
113
+ { name: 'High', abbreviation: 'H', weight: 0.56 },
114
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
115
+ @properties.push(@modified_availability =
116
+ CvssProperty.new(name: 'Modified Availability', abbreviation: 'MA', position: [18, 21],
117
+ values: [{ name: 'None', abbreviation: 'N', weight: 0 },
118
+ { name: 'Low', abbreviation: 'L', weight: 0.22 },
119
+ { name: 'High', abbreviation: 'H', weight: 0.56 },
120
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
121
+ end
42
122
 
43
- calculate_score modified_impact_sub_score, modified_exploitability_sub_score, temporal_score
44
- end
123
+ def modified_impact_sub(isc_modified)
124
+ if @modified_scope.selected_value[:name] == 'Not Defined'
125
+ if @base.scope.selected_value[:name] == 'Changed'
126
+ return 7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified - 0.02)**15
127
+ else
128
+ return 6.42 * isc_modified
129
+ end
130
+ end
131
+
132
+ if @modified_scope.selected_value[:name] == 'Changed'
133
+ 7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified - 0.02)**15
134
+ else
135
+ 6.42 * isc_modified
136
+ end
137
+ end
45
138
 
46
- private
47
-
48
- def init_properties
49
- @properties.push(@confidentiality_requirement =
50
- CvssProperty.new(name: 'Confidentiality Requirement', abbreviation: 'CR', position: [8, 11],
51
- choices: [{name: 'Low', abbreviation: 'L', weight: 0.5},
52
- {name: 'Medium', abbreviation: 'M', weight: 1.0},
53
- {name: 'High', abbreviation: 'H', weight: 1.5},
54
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
55
- @properties.push(@integrity_requirement =
56
- CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
57
- choices: [{name: 'Low', abbreviation: 'L', weight: 0.5},
58
- {name: 'Medium', abbreviation: 'M', weight: 1.0},
59
- {name: 'High', abbreviation: 'H', weight: 1.5},
60
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
61
-
62
- @properties.push(@availability_requirement =
63
- CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
64
- choices: [{name: 'Low', abbreviation: 'L', weight: 0.5},
65
- {name: 'Medium', abbreviation: 'M', weight: 1.0},
66
- {name: 'High', abbreviation: 'H', weight: 1.5},
67
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
68
- @properties.push(@modified_attack_vector =
69
- CvssProperty.new(name: 'Modified Attack Vector', abbreviation: 'MAV', position: [11, 14],
70
- choices: [{name: 'Network', abbreviation: 'N', weight: 0.85},
71
- {name: 'Adjacent Network', abbreviation: 'A', weight: 0.62},
72
- {name: 'Local', abbreviation: 'L', weight: 0.55},
73
- {name: 'Physical', abbreviation: 'P', weight: 0.2},
74
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
75
- @properties.push(@modified_attack_complexity =
76
- CvssProperty.new(name: 'Modified Attack Complexity', abbreviation: 'MAC', position: [12, 15],
77
- choices: [{name: 'Low', abbreviation: 'L', weight: 0.77},
78
- {name: 'High', abbreviation: 'H', weight: 0.44},
79
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
80
- @properties.push(@modified_privileges_required =
81
- CvssProperty.new(name: 'Modified Privileges Required', abbreviation: 'MPR', position: [13, 16],
82
- choices: [{name: 'None', abbreviation: 'N', weight: 0.85},
83
- {name: 'Low', abbreviation: 'L', weight: 0.62},
84
- {name: 'High', abbreviation: 'H', weight: 0.27},
85
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
86
- @properties.push(@modified_user_interaction =
87
- CvssProperty.new(name: 'Modified User Interaction', abbreviation: 'MUI', position: [14, 17],
88
- choices: [{name: 'None', abbreviation: 'N', weight: 0.85},
89
- {name: 'Required', abbreviation: 'R', weight: 0.62},
90
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
91
- @properties.push(@modified_scope =
92
- CvssProperty.new(name: 'Modified Scope', abbreviation: 'MS', position: [15, 18],
93
- choices: [{name: 'Changed', abbreviation: 'C'},
94
- {name: 'Unchanged', abbreviation: 'U'}]))
95
- @properties.push(@modified_confidentiality =
96
- CvssProperty.new(name: 'Modified Confidentiality', abbreviation: 'MC', position: [16, 19],
97
- choices: [{name: 'None', abbreviation: 'N', weight: 0},
98
- {name: 'Low', abbreviation: 'L', weight: 0.22},
99
- {name: 'High', abbreviation: 'H', weight: 0.56},
100
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
101
- @properties.push(@modified_integrity =
102
- CvssProperty.new(name: 'Modified Integrity', abbreviation: 'MI', position: [17, 20],
103
- choices: [{name: 'None', abbreviation: 'N', weight: 0},
104
- {name: 'Low', abbreviation: 'L', weight: 0.22},
105
- {name: 'High', abbreviation: 'H', weight: 0.56},
106
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
107
- @properties.push(@modified_availability =
108
- CvssProperty.new(name: 'Modified Availability', abbreviation: 'MA', position: [18, 21],
109
- choices: [{name: 'None', abbreviation: 'N', weight: 0},
110
- {name: 'Low', abbreviation: 'L', weight: 0.22},
111
- {name: 'High', abbreviation: 'H', weight: 0.56},
112
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
113
- end
139
+ def isc_modified
140
+ merged_modified_confidentiality = @modified_confidentiality
141
+ if @modified_confidentiality.selected_value[:name] == 'Not Defined'
142
+ merged_modified_confidentiality = @base.confidentiality
143
+ end
114
144
 
115
- def modified_impact_sub(isc_modified)
116
- if @modified_scope.selected_choice[:name] == 'Changed'
117
- 7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified - 0.02)**15
118
- else
119
- 6.42 * isc_modified
145
+ merged_modified_integrity = @modified_integrity
146
+ if @modified_integrity.selected_value[:name] == 'Not Defined'
147
+ merged_modified_integrity = @base.integrity
148
+ end
149
+
150
+ merged_modified_availability = @modified_availability
151
+ if @modified_availability.selected_value[:name] == 'Not Defined'
152
+ merged_modified_availability = @base.availability
153
+ end
154
+
155
+ confidentiality_score = 1 - merged_modified_confidentiality.score * @confidentiality_requirement.score
156
+ integrity_score = 1 - merged_modified_integrity.score * @integrity_requirement.score
157
+ availability_score = 1 - merged_modified_availability.score * @availability_requirement.score
158
+
159
+ [0.915, (1 - confidentiality_score * integrity_score * availability_score)].min
120
160
  end
121
- end
122
161
 
123
- def isc_modified
124
- confidentiality_score = 1 - @modified_confidentiality.score * @confidentiality_requirement.score
125
- integrity_score = 1 - @modified_integrity.score * @integrity_requirement.score
126
- availability_score = 1 - @modified_availability.score * @availability_requirement.score
162
+ def modified_exploitability_sub(privilege_score)
163
+ merged_modified_attack_vector = @modified_attack_vector
164
+ if @modified_attack_vector.selected_value[:name] == 'Not Defined'
165
+ merged_modified_attack_vector = @base.attack_vector
166
+ end
127
167
 
128
- [0.915, (1 - confidentiality_score * integrity_score * availability_score)].min
129
- end
168
+ merged_modified_attack_complexity = @modified_attack_complexity
169
+ if @modified_attack_complexity.selected_value[:name] == 'Not Defined'
170
+ merged_modified_attack_complexity = @base.attack_complexity
171
+ end
130
172
 
131
- def modified_exploitability_sub(privilege_score)
132
- modified_exploitability_sub_score = 8.22 * @modified_attack_vector.score
133
- modified_exploitability_sub_score *= @modified_attack_complexity.score
134
- modified_exploitability_sub_score *= privilege_score
135
- modified_exploitability_sub_score *= @modified_user_interaction.score
136
- end
173
+ merged_modified_user_interaction = @modified_user_interaction
174
+ if @modified_user_interaction.selected_value[:name] == 'Not Defined'
175
+ merged_modified_user_interaction = @base.user_interaction
176
+ end
137
177
 
138
- def calculate_score(modified_impact_sub_score, modified_exploitability_sub_score, temporal_score)
139
- factor = @modified_scope.selected_choice[:name] == 'Changed' ? 1.08 : 1.0
178
+ 8.22 * merged_modified_attack_vector.score * merged_modified_attack_complexity.score *
179
+ privilege_score * merged_modified_user_interaction.score
180
+ end
140
181
 
141
- ([factor * (modified_impact_sub_score + modified_exploitability_sub_score), 10].min.round_up(1) * temporal_score)
182
+ def calculate_score(modified_impact_sub_score, modified_exploitability_sub_score, temporal_score)
183
+ if @modified_scope.selected_value[:name] == 'Not Defined'
184
+ factor = @base.scope.selected_value[:name] == 'Changed' ? 1.08 : 1.0
185
+ else
186
+ factor = @modified_scope.selected_value[:name] == 'Changed' ? 1.08 : 1.0
187
+ end
142
188
 
189
+ Cvss3Helper.round_up(
190
+ [factor * (modified_impact_sub_score + modified_exploitability_sub_score), 10].min
191
+ ) * temporal_score
192
+ end
143
193
  end
144
- end
194
+ end