RubyGems - cvss-suite - Versions diffs - 1.1.2 → 1.2.0 - Mend

cvss-suite 1.1.2 → 1.2.0

Files changed (12) hide show

checksums.yaml +5 -5
data/CHANGES.md +19 -0
data/README.md +25 -9
data/lib/cvss_suite.rb +9 -2
data/lib/cvss_suite/cvss.rb +23 -0
data/lib/cvss_suite/cvss31/cvss31.rb +52 -0
data/lib/cvss_suite/cvss31/cvss31_base.rb +95 -0
data/lib/cvss_suite/cvss31/cvss31_environmental.rb +144 -0
data/lib/cvss_suite/cvss31/cvss31_temporal.rb +57 -0
data/lib/cvss_suite/helpers/extensions.rb +24 -0
data/lib/cvss_suite/version.rb +2 -2
metadata +7 -4

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: afb88b54004ef3913747597ae1168ed958f0c9b5
-  data.tar.gz: 8c94135d2769d08a6bcc3c08681d09e586bcd959
+SHA256:
+  metadata.gz: 6aacfd5bb6fb48310c6c6c5cb2821a247971ef6115cb7c4c86dddb4335d8dafd
+  data.tar.gz: 5c881abb0186de84cb10596ff12333a9e8934ed290b8fe762471aaf82f008177
 SHA512:
-  metadata.gz: dd42ce66b758b6113fe4865efb111ee76b6b37c19cbbd33169447b92a143029edbc92222b32f1fd520a4737914b9de8609eb6b63dda957d4a41eedf038792454
-  data.tar.gz: 8d84caab47da1365b5fec94a93d5cb4fa1e0990e749121edf7d529687301d1e694c33bd8c16cef6faaa560f5835d86f86b52a895d5fb92e8dc57116fafe4c03e
+  metadata.gz: 293c41865c1905f2ca44a34d7298813484312af93deb77f443411222df307df80f4a40781af2137b05f561e66fd8317196b5a8512ea82c21d565d4eb221492ff
+  data.tar.gz: 3c33b092a180ca728add5bcb4380881789f98652cf5476eb841ee23ee8b38a72e56cd7be916cfb297aa644d470830280826086561850c4625228a06e43bb82f2

data/CHANGES.md CHANGED

@@ -2,6 +2,25 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
+## [1.2.0] - 2019-07-02
+### Notes
+Because version 2.0 of this gem will include breaking changes, please make sure to include this gem in your gemfile as shown below to not automatically update to version 2.0.
+```ruby
+gem 'cvss-suite', '~> 1.2'
+```
+### Improvements
+* Added Severity
+* Added CVSS 3.1
+* CVSS 3.0 vectors now return 3.0 instead of 3 as version
+### Changes in CVSS 3.1 [Source] (https://www.first.org/cvss/v3.1/user-guide)
+* The Temporal Score for all vulnerabilities which have a Base Score of 2.5, 5.0 or 10.0, Exploit Code Maturity (E) of High (H), Remediation Level (RL) of Unavailable (U) and Report Confidence (RC) of Unknown (U) is 0.1 lower in CVSS v3.1 than for 3.0.
+* Some combinations of metrics have Environmental Scores that differ when scored with CVSS v3.1 rather than v3.0. This is due to a combination of the redefinition of Roundup and the change to the ModifiedImpact sub-formula. Less than 7% of metric combinations are 0.1 higher in CVSS v3.1 than v3.0, and less than 1% are 0.1 lower. No Environmental Scores differ by more than 0.1.
+* Other implementations of the CVSS formulas may see different scoring changes between CVSS v3.0 and v3.1 if they previously generated different CVSS v3.0 scores due to the problems that the CVSS v3.1 formula changes are intended to fix.
 ## [1.1.2] - 2018-12-28
 ### Fixes

data/README.md CHANGED

@@ -2,8 +2,9 @@
 [![Gem Version](http://img.shields.io/gem/v/cvss-suite.svg)](https://rubygems.org/gems/cvss-suite)
 [![Ruby Version](https://img.shields.io/badge/Ruby-2.x-brightgreen.svg)](https://rubygems.org/gems/cvss-suite)
-[![Cvss Support](https://img.shields.io/badge/CVSS-v2-brightgreen.svg)](https://www.first.org/cvss/cvss-v2-guide.pdf)
-[![Cvss Support](https://img.shields.io/badge/CVSS-v3.0-brightgreen.svg)](https://www.first.org/cvss/cvss-v3-guide.pdf)
+[![Cvss Support](https://img.shields.io/badge/CVSS-v2-brightgreen.svg)](https://www.first.org/cvss/v2/guide)
+[![Cvss Support](https://img.shields.io/badge/CVSS-v3.0-brightgreen.svg)](https://www.first.org/cvss/v3.0/user-guide)
+[![Cvss Support](https://img.shields.io/badge/CVSS-v3.1-brightgreen.svg)](https://www.first.org/cvss/v3.1/user-guide)
 This Ruby gem helps you to process the vector of the [**Common Vulnerability Scoring System**](https://www.first.org/cvss/specification-document).
 Besides calculating the Base, Temporal and Environmental Score, you are able to extract the selected option.
@@ -31,15 +32,24 @@ require 'cvss_suite'
 cvss3 = CvssSuite.new('CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L/CR:L/IR:M/AR:H/MAV:N/MAC:H/MPR:N/MUI:R/MS:U/MC:N/MI:L/MA:H')
-vector = cvss3.vector    # 'CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L/CR:L/IR:M/AR:H/MAV:N/MAC:H/MPR:N/MUI:R/MS:U/MC:N/MI:L/MA:H"'
-version = cvss3.version  # 3
-valid = cvss3.valid?     # true
+vector = cvss3.vector       # 'CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L/CR:L/IR:M/AR:H/MAV:N/MAC:H/MPR:N/MUI:R/MS:U/MC:N/MI:L/MA:H'
+version = cvss3.version     # 3.0
+valid = cvss3.valid?        # true
+severity = cvss3.severity   # 'High'
+cvss31 = CvssSuite.new('CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H/E:H/RL:U/RC:U')
+vector = cvss31.vector     # 'CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H/E:H/RL:U/RC:U'
+version = cvss31.version   # 3.1
+valid = cvss31.valid?      # true
+severity = cvss31.severity # 'Medium'
 cvss = CvssSuite.new('AV:A/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:TF/RC:UC/CDP:L/TD:M/CR:M/IR:M/AR:M')
-vector = cvss.vector    # 'AV:A/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:TF/RC:UC/CDP:L/TD:M/CR:M/IR:M/AR:M'
-version = cvss.version  # 2
-valid = cvss.valid?     # true
+vector = cvss.vector       # 'AV:A/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:TF/RC:UC/CDP:L/TD:M/CR:M/IR:M/AR:M'
+version = cvss.version     # 2
+valid = cvss.valid?        # true
+severity = cvss.severity   # 'Low'
 # Scores
 base_score = cvss.base_score                        # 4.9
@@ -73,7 +83,7 @@ valid = cvss.valid?     # false
 version = cvss.version  # will throw CvssSuite::Errors::InvalidVector: Vector is not valid!
 cvss.base_score         # will throw CvssSuite::Errors::InvalidVector: Vector is not valid!
-CvssSuite.new()                        # will throw a ArgumentError
+CvssSuite.new()         # will throw a ArgumentError
 cvss = CvssSuite.new('AV:N/AC:P/C:P/AV:U/RL:OF/RC:C')   # invalid vector, authentication is missing
 version = cvss.version  # 2
@@ -91,6 +101,12 @@ Currently it is not possible to leave an attribute blank instead of ND/X. If you
 Because the documentation isn't clear on how to calculate the score if Modified Scope (CVSS 3.0 Environmental) is not defined, Modified Scope has to have a valid value (S/U).
+There is a possibility of implementations generating different scores (+/- 0,1) due to small floating-point inaccuracies. This can happen due to differences in floating point arithmetic between different languages and hardware platforms.
+## Changelog
+[Click here to see all changes.](https://raw.githubusercontent.com/siemens/cvss-suite/master/CHANGES.md)
 ## Contributing
 Bug reports and pull requests are welcome on GitHub at https://github.com/siemens/cvss-suite. This project is intended to be a safe, welcoming space for collaboration.

data/lib/cvss_suite.rb CHANGED

@@ -10,6 +10,7 @@
 require 'cvss_suite/cvss2/cvss2'
 require 'cvss_suite/cvss3/cvss3'
+require 'cvss_suite/cvss31/cvss31'
 require 'cvss_suite/version'
 require 'cvss_suite/helpers/extensions'
 require 'cvss_suite/errors'
@@ -19,7 +20,11 @@ require 'cvss_suite/invalid_cvss'
 # Module of this gem.
 module CvssSuite
-  CVSS_VECTOR_BEGINNINGS = [{:string => 'AV:', :version => 2}, {:string => 'CVSS:3.0/', :version => 3}]
+  CVSS_VECTOR_BEGINNINGS = [
+    {:string => 'AV:', :version => 2},
+    {:string => 'CVSS:3.0/', :version => 3.0},
+    {:string => 'CVSS:3.1/', :version => 3.1}
+  ]
   ##
   # Returns a CVSS class by a +vector+.
@@ -30,8 +35,10 @@ module CvssSuite
     case version
     when 2
       Cvss2.new(@vector_string, version)
-    when 3
+    when 3.0
       Cvss3.new(@vector_string, version)
+    when 3.1
+      Cvss31.new(@vector_string, version)
     else
       InvalidCvss.new
     end

data/lib/cvss_suite/cvss.rb CHANGED

@@ -57,6 +57,29 @@ class Cvss
     end
   end
+  ##
+  # Returns the severity of the CVSS vector.
+  def severity
+    check_validity
+    score = overall_score
+    if 0.0 == score
+      "None"
+    elsif (0.1..3.9).include? score
+     "Low"
+    elsif (4.0..6.9).include? score
+     "Medium"
+    elsif (7.0..8.9).include? score
+     "High"
+    elsif (9.0..10.0).include? score
+     "Critical"
+    else
+     "None"
+    end
+  end
   ##
   # Returns the Overall Score of the CVSS vector.

data/lib/cvss_suite/cvss31/cvss31.rb ADDED

@@ -0,0 +1,52 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# Copyright (c) Siemens AG, 2019
+#
+# Authors:
+#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+require_relative '../../../lib/cvss_suite/cvss'
+require_relative 'cvss31_base'
+require_relative 'cvss31_temporal'
+require_relative 'cvss31_environmental'
+##
+# This class represents a CVSS vector in version 3.1.
+class Cvss31 < Cvss
+  ##
+  # Returns the Base Score of the CVSS vector.
+  def base_score
+    check_validity
+    @base.score.roundup
+  end
+  ##
+  # Returns the Temporal Score of the CVSS vector.
+  def temporal_score
+    (@base.score.roundup * @temporal.score).roundup
+  end
+  ##
+  # Returns the Environmental Score of the CVSS vector.
+  def environmental_score
+    return temporal_score unless @environmental.valid?
+    (@environmental.score @temporal.score).roundup
+  end
+  private
+  def init_metrics
+    @base = Cvss31Base.new(@properties)
+    @temporal = Cvss31Temporal.new(@properties)
+    @environmental = Cvss31Environmental.new(@properties)
+  end
+end

data/lib/cvss_suite/cvss31/cvss31_base.rb ADDED

@@ -0,0 +1,95 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# Copyright (c) Siemens AG, 2019
+#
+# Authors:
+#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+require_relative '../helpers/cvss3_helper'
+##
+# This class represents a CVSS Base metric in version 3.1.
+class Cvss31Base < CvssMetric
+  ##
+  # Property of this metric
+  attr_reader :attack_vector, :attack_complexity, :privileges_required, :user_interaction,
+              :scope, :confidentiality, :integrity, :availability
+  ##
+  # Returns score of this metric
+  def score
+    privilege_score = Cvss3Helper.privileges_required_score @privileges_required, @scope
+    exploitability = 8.22 * @attack_vector.score * @attack_complexity.score * privilege_score * @user_interaction.score
+    isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
+    if @scope.selected_choice[:name] == 'Changed'
+      impact_sub_score = 7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
+    else
+      impact_sub_score = 6.42 * isc_base
+    end
+    return 0 if impact_sub_score <= 0
+    if @scope.selected_choice[:name] == 'Changed'
+      [10, 1.08 * (impact_sub_score + exploitability)].min
+    else
+      [10, impact_sub_score + exploitability].min
+    end
+  end
+  private
+  def init_properties
+    @properties.push(@attack_vector =
+                      CvssProperty.new(name: 'Attack Vector', abbreviation: 'AV', position: [0],
+                                       choices: [{ name: 'Network', abbreviation: 'N', weight: 0.85 },
+                                                 { name: 'Adjacent', abbreviation: 'A', weight: 0.62 },
+                                                 { name: 'Local', abbreviation: 'L', weight: 0.55 },
+                                                 { name: 'Physical', abbreviation: 'P', weight: 0.2 }]))
+    @properties.push(@attack_complexity =
+                      CvssProperty.new(name: 'Attack Complexity', abbreviation: 'AC', position: [1],
+                                       choices: [{ name: 'Low', abbreviation: 'L', weight: 0.77 },
+                                                 { name: 'High', abbreviation: 'H', weight: 0.44 }]))
+    @properties.push(@privileges_required =
+                      CvssProperty.new(name: 'Privileges Required', abbreviation: 'PR', position: [2],
+                                       choices: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
+                                                 { name: 'Low', abbreviation: 'L', weight: 0.62 },
+                                                 { name: 'High', abbreviation: 'H', weight: 0.27 }]))
+    @properties.push(@user_interaction =
+                      CvssProperty.new(name: 'User Interaction', abbreviation: 'UI', position: [3],
+                                       choices: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
+                                                 { name: 'Required', abbreviation: 'R', weight: 0.62 }]))
+    @properties.push(@scope =
+                      CvssProperty.new(name: 'Scope', abbreviation: 'S', position: [4],
+                                       choices: [{ name: 'Unchanged', abbreviation: 'U' },
+                                                 { name: 'Changed', abbreviation: 'C' }]))
+    @properties.push(@confidentiality =
+                      CvssProperty.new(name: 'Confidentiality', abbreviation: 'C', position: [5],
+                                       choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
+                                                 { name: 'Low', abbreviation: 'L', weight: 0.22 },
+                                                 { name: 'High', abbreviation: 'H', weight: 0.56 }]))
+    @properties.push(@integrity =
+                      CvssProperty.new(name: 'Integrity', abbreviation: 'I', position: [6],
+                                       choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
+                                                 { name: 'Low', abbreviation: 'L', weight: 0.22 },
+                                                 { name: 'High', abbreviation: 'H', weight: 0.56 }]))
+    @properties.push(@availability =
+                      CvssProperty.new(name: 'Availability', abbreviation: 'A', position: [7],
+                                       choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
+                                                 { name: 'Low', abbreviation: 'L', weight: 0.22 },
+                                                 { name: 'High', abbreviation: 'H', weight: 0.56 }]))
+  end
+end

data/lib/cvss_suite/cvss31/cvss31_environmental.rb ADDED

@@ -0,0 +1,144 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# Copyright (c) Siemens AG, 2019
+#
+# Authors:
+#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+require_relative '../helpers/cvss3_helper'
+##
+# This class represents a CVSS Environmental metric in version 3.1.
+class Cvss31Environmental < CvssMetric
+  ##
+  # Property of this metric
+  attr_reader :confidentiality_requirement, :integrity_requirement, :availability_requirement,
+              :modified_attack_vector, :modified_attack_complexity, :modified_privileges_required,
+              :modified_user_interaction, :modified_scope, :modified_confidentiality,
+              :modified_integrity, :modified_availability
+  ##
+  # Returns score of this metric
+  def score(temporal_score)
+    privilege_score = Cvss3Helper.privileges_required_score @modified_privileges_required, @modified_scope
+    modified_exploitability_sub_score = modified_exploitability_sub privilege_score
+    isc_modified_score = isc_modified
+    modified_impact_sub_score = modified_impact_sub isc_modified_score
+    return 0 if modified_impact_sub_score <= 0
+    calculate_score modified_impact_sub_score, modified_exploitability_sub_score, temporal_score
+  end
+  private
+  def init_properties
+    @properties.push(@confidentiality_requirement =
+                      CvssProperty.new(name: 'Confidentiality Requirement', abbreviation: 'CR', position: [8, 11],
+                                       choices: [{name: 'Low', abbreviation: 'L', weight: 0.5},
+                                                 {name: 'Medium', abbreviation: 'M', weight: 1.0},
+                                                 {name: 'High', abbreviation: 'H', weight: 1.5},
+                                                 {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
+    @properties.push(@integrity_requirement =
+                      CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
+                                       choices: [{name: 'Low', abbreviation: 'L', weight: 0.5},
+                                                 {name: 'Medium', abbreviation: 'M', weight: 1.0},
+                                                 {name: 'High', abbreviation: 'H', weight: 1.5},
+                                                 {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
+    @properties.push(@availability_requirement =
+                      CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
+                                       choices: [{name: 'Low', abbreviation: 'L', weight: 0.5},
+                                                 {name: 'Medium', abbreviation: 'M', weight: 1.0},
+                                                 {name: 'High', abbreviation: 'H', weight: 1.5},
+                                                 {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
+    @properties.push(@modified_attack_vector =
+                      CvssProperty.new(name: 'Modified Attack Vector', abbreviation: 'MAV', position: [11, 14],
+                                       choices: [{name: 'Network', abbreviation: 'N', weight: 0.85},
+                                                 {name: 'Adjacent Network', abbreviation: 'A', weight: 0.62},
+                                                 {name: 'Local', abbreviation: 'L', weight: 0.55},
+                                                 {name: 'Physical', abbreviation: 'P', weight: 0.2},
+                                                 {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
+    @properties.push(@modified_attack_complexity =
+                      CvssProperty.new(name: 'Modified Attack Complexity', abbreviation: 'MAC', position: [12, 15],
+                                       choices: [{name: 'Low', abbreviation: 'L', weight: 0.77},
+                                                 {name: 'High', abbreviation: 'H', weight: 0.44},
+                                                 {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
+    @properties.push(@modified_privileges_required =
+                      CvssProperty.new(name: 'Modified Privileges Required', abbreviation: 'MPR', position: [13, 16],
+                                       choices: [{name: 'None', abbreviation: 'N', weight: 0.85},
+                                                 {name: 'Low', abbreviation: 'L', weight: 0.62},
+                                                 {name: 'High', abbreviation: 'H', weight: 0.27},
+                                                 {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
+    @properties.push(@modified_user_interaction =
+                      CvssProperty.new(name: 'Modified User Interaction', abbreviation: 'MUI', position: [14, 17],
+                                       choices: [{name: 'None', abbreviation: 'N', weight: 0.85},
+                                                 {name: 'Required', abbreviation: 'R', weight: 0.62},
+                                                 {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
+    @properties.push(@modified_scope =
+                      CvssProperty.new(name: 'Modified Scope', abbreviation: 'MS', position: [15, 18],
+                                       choices: [{name: 'Changed', abbreviation: 'C'},
+                                                 {name: 'Unchanged', abbreviation: 'U'}]))
+    @properties.push(@modified_confidentiality =
+                      CvssProperty.new(name: 'Modified Confidentiality', abbreviation: 'MC', position: [16, 19],
+                                       choices: [{name: 'None', abbreviation: 'N', weight: 0},
+                                                 {name: 'Low', abbreviation: 'L', weight: 0.22},
+                                                 {name: 'High', abbreviation: 'H', weight: 0.56},
+                                                 {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
+    @properties.push(@modified_integrity =
+                      CvssProperty.new(name: 'Modified Integrity', abbreviation: 'MI', position: [17, 20],
+                                       choices: [{name: 'None', abbreviation: 'N', weight: 0},
+                                                 {name: 'Low', abbreviation: 'L', weight: 0.22},
+                                                 {name: 'High', abbreviation: 'H', weight: 0.56},
+                                                 {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
+    @properties.push(@modified_availability =
+                      CvssProperty.new(name: 'Modified Availability', abbreviation: 'MA', position: [18, 21],
+                                       choices: [{name: 'None', abbreviation: 'N', weight: 0},
+                                                 {name: 'Low', abbreviation: 'L', weight: 0.22},
+                                                 {name: 'High', abbreviation: 'H', weight: 0.56},
+                                                 {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
+  end
+  def modified_impact_sub(isc_modified)
+    if @modified_scope.selected_choice[:name] == 'Changed'
+      7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified * 0.9731 - 0.02)**13
+    else
+      6.42 * isc_modified
+    end
+  end
+  def isc_modified
+    confidentiality_score = 1 - @modified_confidentiality.score * @confidentiality_requirement.score
+    integrity_score = 1 - @modified_integrity.score * @integrity_requirement.score
+    availability_score = 1 - @modified_availability.score * @availability_requirement.score
+    [0.915, (1 - confidentiality_score * integrity_score * availability_score)].min
+  end
+  def modified_exploitability_sub(privilege_score)
+    modified_exploitability_sub_score = 8.22 * @modified_attack_vector.score
+    modified_exploitability_sub_score *= @modified_attack_complexity.score
+    modified_exploitability_sub_score *= privilege_score
+    modified_exploitability_sub_score *= @modified_user_interaction.score
+  end
+  def calculate_score(modified_impact_sub_score, modified_exploitability_sub_score, temporal_score)
+    factor = @modified_scope.selected_choice[:name] == 'Changed' ? 1.08 : 1.0
+    ([factor * (modified_impact_sub_score + modified_exploitability_sub_score), 10].min.round_up(1) * temporal_score)
+  end
+end

data/lib/cvss_suite/cvss31/cvss31_temporal.rb ADDED

@@ -0,0 +1,57 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# Copyright (c) Siemens AG, 2019
+#
+# Authors:
+#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+##
+# This class represents a CVSS Temporal metric in version 3.1.
+class Cvss31Temporal < CvssMetric
+  ##
+  # Property of this metric
+  attr_reader :exploit_code_maturity, :remediation_level, :report_confidence
+  ##
+  # Returns score of this metric
+  def score
+    return 1.0 unless valid?
+    @exploit_code_maturity.score * @remediation_level.score * @report_confidence.score
+  end
+  private
+  def init_properties
+    @properties.push(@exploit_code_maturity =
+                      CvssProperty.new(name: 'Exploit Code Maturity', abbreviation: 'E', position: [8],
+                                       choices: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+                                                 { name: 'Unproven', abbreviation: 'U', weight: 0.91 },
+                                                 { name: 'Proof-of-Concept', abbreviation: 'P', weight: 0.94 },
+                                                 { name: 'Functional', abbreviation: 'F', weight: 0.97 },
+                                                 { name: 'High', abbreviation: 'H', weight: 1.0 }]))
+    @properties.push(@remediation_level =
+                      CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [9],
+                                       choices: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+                                                 { name: 'Official Fix', abbreviation: 'O', weight: 0.95 },
+                                                 { name: 'Temporary Fix', abbreviation: 'T', weight: 0.96 },
+                                                 { name: 'Workaround', abbreviation: 'W', weight: 0.97 },
+                                                 { name: 'Unavailable', abbreviation: 'U', weight: 1.0 }]))
+    @properties.push(@report_confidence =
+                      CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [10],
+                                       choices: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+                                                 { name: 'Unknown', abbreviation: 'U', weight: 0.92 },
+                                                 { name: 'Reasonable', abbreviation: 'R', weight: 0.96 },
+                                                 { name: 'Confirmed', abbreviation: 'C', weight: 1.0 }]))
+  end
+end

data/lib/cvss_suite/helpers/extensions.rb CHANGED

@@ -19,6 +19,18 @@ class Float
   def round_up(decimal_paces = 0)
     (self * 10.0**decimal_paces).ceil / 10.0**decimal_paces
   end
+  ##
+  # The “Round up” function in CVSS v3.0 has been renamed Roundup and is now defined more precisely to minimize the possibility of implementations generating different scores due to small floating-point inaccuracies. This can happen due to differences in floating point arithmetic between different languages and hardware platforms.
+  def roundup
+    output = (self * 100000).round
+    if (output % 10000) == 0
+      return output / 100000.0
+    else
+      return ((output / 10000).floor + 1) / 10.0
+    end
+  end
 end
 class Integer
@@ -29,4 +41,16 @@ class Integer
   def round_up(decimal_paces = 0)
     (self * 10.0**decimal_paces).ceil / 10.0**decimal_paces
   end
+  ##
+  # The “Round up” function in CVSS v3.0 has been renamed Roundup and is now defined more precisely to minimize the possibility of implementations generating different scores due to small floating-point inaccuracies. This can happen due to differences in floating point arithmetic between different languages and hardware platforms.
+  def roundup
+    output = (self * 100000).round
+    if (output % 10000) == 0
+      return output / 100000.0
+    else
+      return ((output / 10000).floor + 1) / 10.0
+    end
+  end
 end

data/lib/cvss_suite/version.rb CHANGED

@@ -1,6 +1,6 @@
 # CVSS-Suite, a Ruby gem to manage the CVSS vector
 #
-# Copyright (c) Siemens AG, 2016
+# Copyright (c) Siemens AG, 2019
 #
 # Authors:
 #   Oliver Hambörger <oliver.hamboerger@siemens.com>
@@ -9,5 +9,5 @@
 # See the LICENSE.md file in the top-level directory.
 module CvssSuite
-  VERSION = "1.1.2"
+  VERSION = "1.2.0"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cvss-suite
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.2.0
 platform: ruby
 authors:
 - Oliver Hamboerger
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-12-28 00:00:00.000000000 Z
+date: 2019-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -115,6 +115,10 @@ files:
 - lib/cvss_suite/cvss3/cvss3_base.rb
 - lib/cvss_suite/cvss3/cvss3_environmental.rb
 - lib/cvss_suite/cvss3/cvss3_temporal.rb
+- lib/cvss_suite/cvss31/cvss31.rb
+- lib/cvss_suite/cvss31/cvss31_base.rb
+- lib/cvss_suite/cvss31/cvss31_environmental.rb
+- lib/cvss_suite/cvss31/cvss31_temporal.rb
 - lib/cvss_suite/cvss_metric.rb
 - lib/cvss_suite/cvss_property.rb
 - lib/cvss_suite/errors.rb
@@ -141,8 +145,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.5.1
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: Ruby gem for processing cvss vectors.