cvss-suite 1.1.1 → 2.0.1

data/lib/cvss_suite/cvss3/cvss3_temporal.rb

@@ -11,47 +11,46 @@
 require_relative '../cvss_property'
 require_relative '../cvss_metric'
 
-##
-# This class represents a CVSS Temporal metric in version 3.
-
-class Cvss3Temporal < CvssMetric
-
-  ##
-  # Property of this metric
-
-  attr_reader :exploit_code_maturity, :remediation_level, :report_confidence
-
+module CvssSuite
   ##
-  # Returns score of this metric
-
-  def score
-    return 1.0 unless valid?
-    @exploit_code_maturity.score * @remediation_level.score * @report_confidence.score
-  end
-
-  private
-
-  def init_properties
-    @properties.push(@exploit_code_maturity =
-                      CvssProperty.new(name: 'Exploit Code Maturity', abbreviation: 'E', position: [8],
-                                       choices: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
-                                                 { name: 'Unproven', abbreviation: 'U', weight: 0.91 },
-                                                 { name: 'Proof-of-Concept', abbreviation: 'P', weight: 0.94 },
-                                                 { name: 'Functional', abbreviation: 'F', weight: 0.97 },
-                                                 { name: 'High', abbreviation: 'H', weight: 1.0 }]))
-    @properties.push(@remediation_level =
-                      CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [9],
-                                       choices: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
-                                                 { name: 'Official Fix', abbreviation: 'O', weight: 0.95 },
-                                                 { name: 'Temporary Fix', abbreviation: 'T', weight: 0.96 },
-                                                 { name: 'Workaround', abbreviation: 'W', weight: 0.97 },
-                                                 { name: 'Unavailable', abbreviation: 'U', weight: 1.0 }]))
-
-    @properties.push(@report_confidence =
-                      CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [10],
-                                       choices: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
-                                                 { name: 'Unknown', abbreviation: 'U', weight: 0.92 },
-                                                 { name: 'Reasonable', abbreviation: 'R', weight: 0.96 },
-                                                 { name: 'Confirmed', abbreviation: 'C', weight: 1.0 }]))
+  # This class represents a CVSS Temporal metric in version 3.
+  class Cvss3Temporal < CvssMetric
+    ##
+    # Property of this metric
+    attr_reader :exploit_code_maturity, :remediation_level, :report_confidence
+
+    ##
+    # Returns score of this metric
+    def score
+      return 1.0 unless valid?
+
+      @exploit_code_maturity.score * @remediation_level.score * @report_confidence.score
+    end
+
+    private
+
+    def init_properties
+      @properties.push(@exploit_code_maturity =
+                         CvssProperty.new(name: 'Exploit Code Maturity', abbreviation: 'E', position: [8],
+                                          values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+                                                   { name: 'Unproven', abbreviation: 'U', weight: 0.91 },
+                                                   { name: 'Proof-of-Concept', abbreviation: 'P', weight: 0.94 },
+                                                   { name: 'Functional', abbreviation: 'F', weight: 0.97 },
+                                                   { name: 'High', abbreviation: 'H', weight: 1.0 }]))
+      @properties.push(@remediation_level =
+                         CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [9],
+                                          values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+                                                   { name: 'Official Fix', abbreviation: 'O', weight: 0.95 },
+                                                   { name: 'Temporary Fix', abbreviation: 'T', weight: 0.96 },
+                                                   { name: 'Workaround', abbreviation: 'W', weight: 0.97 },
+                                                   { name: 'Unavailable', abbreviation: 'U', weight: 1.0 }]))
+
+      @properties.push(@report_confidence =
+                         CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [10],
+                                          values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+                                                   { name: 'Unknown', abbreviation: 'U', weight: 0.92 },
+                                                   { name: 'Reasonable', abbreviation: 'R', weight: 0.96 },
+                                                   { name: 'Confirmed', abbreviation: 'C', weight: 1.0 }]))
+    end
   end
-end
+end

data/lib/cvss_suite/cvss31/cvss31.rb

@@ -0,0 +1,60 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# Copyright (c) Siemens AG, 2019
+#
+# Authors:
+#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative '../cvss'
+require_relative 'cvss31_base'
+require_relative 'cvss31_temporal'
+require_relative 'cvss31_environmental'
+require_relative '../helpers/cvss31_helper'
+
+module CvssSuite
+  ##
+  # This class represents a CVSS vector in version 3.1.
+  class Cvss31 < Cvss
+    ##
+    # Returns the Version of the CVSS vector.
+
+    def version
+      3.1
+    end
+
+    ##
+    # Returns the Base Score of the CVSS vector.
+
+    def base_score
+      check_validity
+      Cvss31Helper.round_up(@base.score)
+    end
+
+    ##
+    # Returns the Temporal Score of the CVSS vector.
+
+    def temporal_score
+      Cvss31Helper.round_up(Cvss31Helper.round_up(@base.score) * @temporal.score)
+    end
+
+    ##
+    # Returns the Environmental Score of the CVSS vector.
+
+    def environmental_score
+      return temporal_score unless @environmental.valid?
+
+      Cvss31Helper.round_up(@environmental.score(@base, @temporal))
+    end
+
+    private
+
+    def init_metrics
+      @base = Cvss31Base.new(@properties)
+      @temporal = Cvss31Temporal.new(@properties)
+      @environmental = Cvss31Environmental.new(@properties)
+    end
+  end
+end

data/lib/cvss_suite/cvss31/cvss31_base.rb

@@ -0,0 +1,93 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# Copyright (c) Siemens AG, 2019
+#
+# Authors:
+#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+require_relative '../helpers/cvss3_helper'
+
+module CvssSuite
+  ##
+  # This class represents a CVSS Base metric in version 3.1.
+  class Cvss31Base < CvssMetric
+    ##
+    # Property of this metric
+
+    attr_reader :attack_vector, :attack_complexity, :privileges_required, :user_interaction,
+                :scope, :confidentiality, :integrity, :availability
+
+    ##
+    # Returns score of this metric
+    def score
+      privilege_score = Cvss3Helper.privileges_required_score(@privileges_required, @scope)
+
+      exploitability = 8.22 * @attack_vector.score * @attack_complexity.score *
+                       privilege_score * @user_interaction.score
+
+      isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
+
+      impact_sub_score = if @scope.selected_value[:name] == 'Changed'
+                           7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
+                         else
+                           6.42 * isc_base
+                         end
+
+      return 0 if impact_sub_score <= 0
+
+      if @scope.selected_value[:name] == 'Changed'
+        [10, 1.08 * (impact_sub_score + exploitability)].min
+      else
+        [10, impact_sub_score + exploitability].min
+      end
+    end
+
+    private
+
+    def init_properties
+      @properties.push(@attack_vector =
+                         CvssProperty.new(name: 'Attack Vector', abbreviation: 'AV', position: [0],
+                                          values: [{ name: 'Network', abbreviation: 'N', weight: 0.85 },
+                                                   { name: 'Adjacent', abbreviation: 'A', weight: 0.62 },
+                                                   { name: 'Local', abbreviation: 'L', weight: 0.55 },
+                                                   { name: 'Physical', abbreviation: 'P', weight: 0.2 }]))
+      @properties.push(@attack_complexity =
+                         CvssProperty.new(name: 'Attack Complexity', abbreviation: 'AC', position: [1],
+                                          values: [{ name: 'Low', abbreviation: 'L', weight: 0.77 },
+                                                   { name: 'High', abbreviation: 'H', weight: 0.44 }]))
+      @properties.push(@privileges_required =
+                         CvssProperty.new(name: 'Privileges Required', abbreviation: 'PR', position: [2],
+                                          values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
+                                                   { name: 'Low', abbreviation: 'L', weight: 0.62 },
+                                                   { name: 'High', abbreviation: 'H', weight: 0.27 }]))
+      @properties.push(@user_interaction =
+                         CvssProperty.new(name: 'User Interaction', abbreviation: 'UI', position: [3],
+                                          values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
+                                                   { name: 'Required', abbreviation: 'R', weight: 0.62 }]))
+      @properties.push(@scope =
+                         CvssProperty.new(name: 'Scope', abbreviation: 'S', position: [4],
+                                          values: [{ name: 'Unchanged', abbreviation: 'U' },
+                                                   { name: 'Changed', abbreviation: 'C' }]))
+      @properties.push(@confidentiality =
+                         CvssProperty.new(name: 'Confidentiality', abbreviation: 'C', position: [5],
+                                          values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
+                                                   { name: 'Low', abbreviation: 'L', weight: 0.22 },
+                                                   { name: 'High', abbreviation: 'H', weight: 0.56 }]))
+      @properties.push(@integrity =
+                         CvssProperty.new(name: 'Integrity', abbreviation: 'I', position: [6],
+                                          values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
+                                                   { name: 'Low', abbreviation: 'L', weight: 0.22 },
+                                                   { name: 'High', abbreviation: 'H', weight: 0.56 }]))
+      @properties.push(@availability =
+                         CvssProperty.new(name: 'Availability', abbreviation: 'A', position: [7],
+                                          values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
+                                                   { name: 'Low', abbreviation: 'L', weight: 0.22 },
+                                                   { name: 'High', abbreviation: 'H', weight: 0.56 }]))
+    end
+  end
+end

data/lib/cvss_suite/cvss31/cvss31_environmental.rb

@@ -0,0 +1,194 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# Copyright (c) Siemens AG, 2019
+#
+# Authors:
+#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+require_relative '../helpers/cvss3_helper'
+require_relative '../helpers/cvss31_helper'
+
+module CvssSuite
+  ##
+  # This class represents a CVSS Environmental metric in version 3.1.
+  class Cvss31Environmental < CvssMetric
+    ##
+    # Property of this metric
+    attr_reader :confidentiality_requirement, :integrity_requirement, :availability_requirement,
+                :modified_attack_vector, :modified_attack_complexity, :modified_privileges_required,
+                :modified_user_interaction, :modified_scope, :modified_confidentiality,
+                :modified_integrity, :modified_availability
+
+    ##
+    # Returns score of this metric
+    def score(base, temporal)
+      @base = base
+
+      merged_modified_privileges_required = @modified_privileges_required
+      if @modified_privileges_required.selected_value[:name] == 'Not Defined'
+        merged_modified_privileges_required = @base.privileges_required
+      end
+
+      merged_modified_scope = @modified_scope
+      if @modified_scope.selected_value[:name] == 'Not Defined'
+        merged_modified_scope = @base.scope
+      end
+
+      privilege_score = Cvss3Helper.privileges_required_score(merged_modified_privileges_required, merged_modified_scope)
+
+      modified_exploitability_sub_score = modified_exploitability_sub(privilege_score)
+
+      modified_impact_sub_score = modified_impact_sub(isc_modified)
+
+      return 0 if modified_impact_sub_score <= 0
+
+      calculate_score modified_impact_sub_score, modified_exploitability_sub_score, temporal.score
+    end
+
+    private
+
+    def init_properties
+      @properties.push(@confidentiality_requirement =
+                         CvssProperty.new(name: 'Confidentiality Requirement', abbreviation: 'CR', position: [8, 11],
+                                          values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
+                                                   { name: 'Medium', abbreviation: 'M', weight: 1.0 },
+                                                   { name: 'High', abbreviation: 'H', weight: 1.5 },
+                                                   { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
+      @properties.push(@integrity_requirement =
+                         CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
+                                          values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
+                                                   { name: 'Medium', abbreviation: 'M', weight: 1.0 },
+                                                   { name: 'High', abbreviation: 'H', weight: 1.5 },
+                                                   { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
+
+      @properties.push(@availability_requirement =
+                         CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
+                                          values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
+                                                   { name: 'Medium', abbreviation: 'M', weight: 1.0 },
+                                                   { name: 'High', abbreviation: 'H', weight: 1.5 },
+                                                   { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
+      @properties.push(@modified_attack_vector =
+                         CvssProperty.new(name: 'Modified Attack Vector', abbreviation: 'MAV', position: [11, 14],
+                                          values: [{ name: 'Network', abbreviation: 'N', weight: 0.85 },
+                                                   { name: 'Adjacent Network', abbreviation: 'A', weight: 0.62 },
+                                                   { name: 'Local', abbreviation: 'L', weight: 0.55 },
+                                                   { name: 'Physical', abbreviation: 'P', weight: 0.2 },
+                                                   { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
+      @properties.push(@modified_attack_complexity =
+                         CvssProperty.new(name: 'Modified Attack Complexity', abbreviation: 'MAC', position: [12, 15],
+                                          values: [{ name: 'Low', abbreviation: 'L', weight: 0.77 },
+                                                   { name: 'High', abbreviation: 'H', weight: 0.44 },
+                                                   { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
+      @properties.push(@modified_privileges_required =
+                         CvssProperty.new(name: 'Modified Privileges Required', abbreviation: 'MPR', position: [13, 16],
+                                          values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
+                                                   { name: 'Low', abbreviation: 'L', weight: 0.62 },
+                                                   { name: 'High', abbreviation: 'H', weight: 0.27 },
+                                                   { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
+      @properties.push(@modified_user_interaction =
+                         CvssProperty.new(name: 'Modified User Interaction', abbreviation: 'MUI', position: [14, 17],
+                                          values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
+                                                   { name: 'Required', abbreviation: 'R', weight: 0.62 },
+                                                   { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
+      @properties.push(@modified_scope =
+                         CvssProperty.new(name: 'Modified Scope', abbreviation: 'MS', position: [15, 18],
+                                          values: [{ name: 'Changed', abbreviation: 'C' },
+                                                   { name: 'Unchanged', abbreviation: 'U' },
+                                                   { name: 'Not Defined', abbreviation: 'X' }]))
+      @properties.push(@modified_confidentiality =
+                         CvssProperty.new(name: 'Modified Confidentiality', abbreviation: 'MC', position: [16, 19],
+                                          values: [{ name: 'None', abbreviation: 'N', weight: 0 },
+                                                   { name: 'Low', abbreviation: 'L', weight: 0.22 },
+                                                   { name: 'High', abbreviation: 'H', weight: 0.56 },
+                                                   { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
+      @properties.push(@modified_integrity =
+                         CvssProperty.new(name: 'Modified Integrity', abbreviation: 'MI', position: [17, 20],
+                                          values: [{ name: 'None', abbreviation: 'N', weight: 0 },
+                                                   { name: 'Low', abbreviation: 'L', weight: 0.22 },
+                                                   { name: 'High', abbreviation: 'H', weight: 0.56 },
+                                                   { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
+      @properties.push(@modified_availability =
+                         CvssProperty.new(name: 'Modified Availability', abbreviation: 'MA', position: [18, 21],
+                                          values: [{ name: 'None', abbreviation: 'N', weight: 0 },
+                                                   { name: 'Low', abbreviation: 'L', weight: 0.22 },
+                                                   { name: 'High', abbreviation: 'H', weight: 0.56 },
+                                                   { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
+    end
+
+    def modified_impact_sub(isc_modified)
+      if @modified_scope.selected_value[:name] == 'Not Defined'
+        if @base.scope.selected_value[:name] == 'Changed'
+          return 7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified * 0.9731 - 0.02)**13
+        else
+          return 6.42 * isc_modified
+        end
+      end
+
+      if @modified_scope.selected_value[:name] == 'Changed'
+        7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified * 0.9731 - 0.02)**13
+      else
+        6.42 * isc_modified
+      end
+    end
+
+    def isc_modified
+      merged_modified_confidentiality = @modified_confidentiality
+      if @modified_confidentiality.selected_value[:name] == 'Not Defined'
+        merged_modified_confidentiality = @base.confidentiality
+      end
+
+      merged_modified_integrity = @modified_integrity
+      if @modified_integrity.selected_value[:name] == 'Not Defined'
+        merged_modified_integrity = @base.integrity
+      end
+
+      merged_modified_availability = @modified_availability
+      if @modified_availability.selected_value[:name] == 'Not Defined'
+        merged_modified_availability = @base.availability
+      end
+
+      confidentiality_score = 1 - merged_modified_confidentiality.score * @confidentiality_requirement.score
+      integrity_score = 1 - merged_modified_integrity.score * @integrity_requirement.score
+      availability_score = 1 - merged_modified_availability.score * @availability_requirement.score
+
+      [0.915, (1 - confidentiality_score * integrity_score * availability_score)].min
+    end
+
+    def modified_exploitability_sub(privilege_score)
+      merged_modified_attack_vector = @modified_attack_vector
+      if @modified_attack_vector.selected_value[:name] == 'Not Defined'
+        merged_modified_attack_vector = @base.attack_vector
+      end
+
+      merged_modified_attack_complexity = @modified_attack_complexity
+      if @modified_attack_complexity.selected_value[:name] == 'Not Defined'
+        merged_modified_attack_complexity = @base.attack_complexity
+      end
+
+      merged_modified_user_interaction = @modified_user_interaction
+      if @modified_user_interaction.selected_value[:name] == 'Not Defined'
+        merged_modified_user_interaction = @base.user_interaction
+      end
+
+      8.22 * merged_modified_attack_vector.score * merged_modified_attack_complexity.score *
+        privilege_score * merged_modified_user_interaction.score
+    end
+
+    def calculate_score(modified_impact_sub_score, modified_exploitability_sub_score, temporal_score)
+      if @modified_scope.selected_value[:name] == 'Not Defined'
+        factor = @base.scope.selected_value[:name] == 'Changed' ? 1.08 : 1.0
+      else
+        factor = @modified_scope.selected_value[:name] == 'Changed' ? 1.08 : 1.0
+      end
+
+      Cvss31Helper.round_up(
+        [factor * (modified_impact_sub_score + modified_exploitability_sub_score), 10].min
+      ) * temporal_score
+    end
+  end
+end

data/lib/cvss_suite/cvss31/cvss31_temporal.rb

@@ -0,0 +1,56 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# Copyright (c) Siemens AG, 2019
+#
+# Authors:
+#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+
+module CvssSuite
+  ##
+  # This class represents a CVSS Temporal metric in version 3.1.
+  class Cvss31Temporal < CvssMetric
+    ##
+    # Property of this metric
+    attr_reader :exploit_code_maturity, :remediation_level, :report_confidence
+
+    ##
+    # Returns score of this metric
+    def score
+      return 1.0 unless valid?
+
+      @exploit_code_maturity.score * @remediation_level.score * @report_confidence.score
+    end
+
+    private
+
+    def init_properties
+      @properties.push(@exploit_code_maturity =
+                         CvssProperty.new(name: 'Exploit Code Maturity', abbreviation: 'E', position: [8],
+                                          values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+                                                   { name: 'Unproven', abbreviation: 'U', weight: 0.91 },
+                                                   { name: 'Proof-of-Concept', abbreviation: 'P', weight: 0.94 },
+                                                   { name: 'Functional', abbreviation: 'F', weight: 0.97 },
+                                                   { name: 'High', abbreviation: 'H', weight: 1.0 }]))
+      @properties.push(@remediation_level =
+                         CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [9],
+                                          values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+                                                   { name: 'Official Fix', abbreviation: 'O', weight: 0.95 },
+                                                   { name: 'Temporary Fix', abbreviation: 'T', weight: 0.96 },
+                                                   { name: 'Workaround', abbreviation: 'W', weight: 0.97 },
+                                                   { name: 'Unavailable', abbreviation: 'U', weight: 1.0 }]))
+
+      @properties.push(@report_confidence =
+                         CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [10],
+                                          values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+                                                   { name: 'Unknown', abbreviation: 'U', weight: 0.92 },
+                                                   { name: 'Reasonable', abbreviation: 'R', weight: 0.96 },
+                                                   { name: 'Confirmed', abbreviation: 'C', weight: 1.0 }]))
+    end
+  end
+end