cvss-suite 1.2.0 → 2.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6aacfd5bb6fb48310c6c6c5cb2821a247971ef6115cb7c4c86dddb4335d8dafd
-  data.tar.gz: 5c881abb0186de84cb10596ff12333a9e8934ed290b8fe762471aaf82f008177
+  metadata.gz: f109a2e3d49b66723f39c092692b3cabfa75d829d8ef3f0e07cf9d0d238a3755
+  data.tar.gz: 41660286d0173fa19c37dd49b43f4efc5fc1db025ae6a46741baf0694b5199d3
 SHA512:
-  metadata.gz: 293c41865c1905f2ca44a34d7298813484312af93deb77f443411222df307df80f4a40781af2137b05f561e66fd8317196b5a8512ea82c21d565d4eb221492ff
-  data.tar.gz: 3c33b092a180ca728add5bcb4380881789f98652cf5476eb841ee23ee8b38a72e56cd7be916cfb297aa644d470830280826086561850c4625228a06e43bb82f2
+  metadata.gz: c567e0730cf9e4ef3e2e85a5c1fa35a9b949c59ed278a968bbf336732f1229cbcfbd84c34e67256a91a6de058a71b13275cb4d8eefdbaa2c416b18e106aac7ff
+  data.tar.gz: d883de3fdc12def5106855a221a535751c9846104ee37a6ecbe8a391a9e3f59b752696c7e0fd128b0dcf8fbedf60bdaa6a0c3d1d1a625c71204555133a4e365b

data/.github/workflows/rspec.yml

@@ -0,0 +1,23 @@
+name: RSpec
+
+on: [push,pull_request]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby: [ '2.4', '2.5', '2.6', '2.7' ]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up ${{ matrix.ruby }}
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Install gems
+      run: |
+        gem install bundler -v ">= 1.10"
+        bundle install --jobs 4 --retry 3
+    - name: Run tests
+      run: bundle exec rspec spec

data/.github/workflows/rubocop.yml

@@ -0,0 +1,21 @@
+name: Rubocop
+
+on: [push,pull_request]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby 2.7
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.7
+    - name: Install gems
+      run: |
+        gem install bundler -v ">= 1.10"
+        gem install rubocop
+    - name: Run checks
+      run: rubocop -F --fail-level C -f s

data/.rubocop.yml

@@ -1,2 +1,48 @@
+inherit_from: .rubocop_todo.yml
+
+AllCops:
+  TargetRubyVersion: 2.4
+  SuggestExtensions: false
+
 Metrics/LineLength:
-  Max: 120
+  Max: 120
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Metrics/ClassLength:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Metrics/MethodLength:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/cvss2/cvss2_spec.rb'
+    - 'spec/cvss3/cvss3_spec.rb'
+    - 'spec/cvss31/cvss31_spec.rb'
+
+Style/IfUnlessModifier:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Style/GuardClause:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Style/ConditionalAssignment:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/AsciiComments:
+  Enabled: false

data/.rubocop_todo.yml

@@ -0,0 +1,59 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2020-05-05 17:47:10 +0200 using RuboCop version 0.82.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+Lint/IneffectiveAccessModifier:
+  Exclude:
+    - 'lib/cvss_suite.rb'
+
+# Offense count: 1
+# Configuration parameters: ContextCreatingMethods, MethodCreatingMethods.
+Lint/UselessAccessModifier:
+  Exclude:
+    - 'lib/cvss_suite.rb'
+
+# Offense count: 8
+# Configuration parameters: IgnoredMethods.
+Metrics/AbcSize:
+  Max: 35
+
+# Offense count: 5
+# Configuration parameters: CountComments, ExcludedMethods.
+# ExcludedMethods: refine
+Metrics/BlockLength:
+  Max: 58
+
+# Offense count: 2
+# Configuration parameters: CountComments.
+Metrics/ClassLength:
+  Max: 101
+
+# Offense count: 1
+# Configuration parameters: IgnoredMethods.
+Metrics/CyclomaticComplexity:
+  Max: 9
+
+# Offense count: 13
+# Configuration parameters: CountComments, ExcludedMethods.
+Metrics/MethodLength:
+  Max: 63
+
+# Offense count: 1
+# Configuration parameters: CountKeywordArgs.
+Metrics/ParameterLists:
+  Max: 6
+
+# Offense count: 1
+# Configuration parameters: IgnoredMethods.
+Metrics/PerceivedComplexity:
+  Max: 10
+
+# Offense count: 1
+Naming/AccessorMethodName:
+  Exclude:
+    - 'lib/cvss_suite/cvss_property.rb'

data/CHANGES.md

@@ -2,6 +2,45 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [2.0.2] - 2020-12-05
+
+### Fixes
+* CVSS v2 now returns the correct severity values based on NVD recommendation
+* CVSS v2 now supports vectors which are enclosed in parenthesis e.g. (AV:N/AC:L/Au:N/C:P/I:P/A:P)
+
+## [2.0.1] - 2020-07-19
+
+### Fixes
+Fixed an error that resulted in incorrect environmental score if modified attributes were not defined.
+
+## [2.0.0] - 2020-05-10
+
+### Breaking Changes
+* Ruby >= 2.4 is now required
+* Renamed choice/choices to value/values
+
+### Improvements
+* Added CvssSuite module to every class (thanks to @fwininger)
+* Removed override for integer and float (thanks to @fwininger)
+* Added rubocop to development environment (thanks to @fwininger)
+
+### Notes
+Adding CvssSuite module everywhere means it’s no longer possible to access a class without it. Since this only affects the undocumented and ‚internal‘ classes this should not affect you. If you’re using them, stop it.
+
+Still works:
+
+```ruby
+cvss = CvssSuite.new('string')
+```
+
+Won’t work anymore (without any code change):
+
+```ruby
+cvss = Cvss31.new('string')
+```
+
+This would need to be CvssSuite::Cvss31.new('string') to work. Or you could include the whole namespace.
+
 ## [1.2.0] - 2019-07-02
 
 ### Notes
@@ -71,4 +110,4 @@ Tried to fix an error. It turned out to be a local problem. Due to this I increa
 
 ## [1.0.0] - 2016-04-15
 ### Initial release
-First release of this gem.
+First release of this gem.

data/README.md

@@ -1,10 +1,11 @@
-# CvssSuite
+# CvssSuite for Ruby
 
 [![Gem Version](http://img.shields.io/gem/v/cvss-suite.svg)](https://rubygems.org/gems/cvss-suite)
-[![Ruby Version](https://img.shields.io/badge/Ruby-2.x-brightgreen.svg)](https://rubygems.org/gems/cvss-suite)
+[![Ruby Version](https://img.shields.io/badge/Ruby-2.4-brightgreen.svg)](https://rubygems.org/gems/cvss-suite)
 [![Cvss Support](https://img.shields.io/badge/CVSS-v2-brightgreen.svg)](https://www.first.org/cvss/v2/guide)
 [![Cvss Support](https://img.shields.io/badge/CVSS-v3.0-brightgreen.svg)](https://www.first.org/cvss/v3.0/user-guide)
 [![Cvss Support](https://img.shields.io/badge/CVSS-v3.1-brightgreen.svg)](https://www.first.org/cvss/v3.1/user-guide)
+[![RSpec](https://github.com/siemens/cvss-suite/workflows/RSpec/badge.svg)](https://github.com/siemens/cvss-suite/actions)
 
 This Ruby gem helps you to process the vector of the [**Common Vulnerability Scoring System**](https://www.first.org/cvss/specification-document).
 Besides calculating the Base, Temporal and Environmental Score, you are able to extract the selected option.
@@ -24,6 +25,10 @@ And then execute:
 Or install it yourself as:
 
     $ gem install cvss-suite
+    
+## Version 1.x
+
+If you are still using CvssSuite 1.x please refer to the [specific branch](https://github.com/siemens/cvss-suite/tree/1.x) for documentation and changelog.
 
 ## Usage
 
@@ -61,15 +66,15 @@ overall_score = cvss.overall_score                  # 3.2
 access_vector = cvss.base.access_vector.name                # 'Access Vector'
 remediation_level = cvss.temporal.remediation_level.name    # 'Remediation Level'
 
-access_vector.choices.each do |choice|
-    choice[:name]           # 'Local', 'Adjacent Network', 'Network'
-    choice[:abbreviation]   # 'L', 'A', 'N'
-    choice[:selected]       # false, true, false
+access_vector.values.each do |value|
+    value[:name]           # 'Local', 'Adjacent Network', 'Network'
+    value[:abbreviation]   # 'L', 'A', 'N'
+    value[:selected]       # false, true, false
 end
 
 # Selected options
-cvss.base.access_vector.selected_choice[:name]          # Adjacent Network
-cvss.temporal.remediation_level.selected_choice[:name]  # Temporary Fix
+cvss.base.access_vector.selected_value[:name]          # Adjacent Network
+cvss.temporal.remediation_level.selected_value[:name]  # Temporary Fix
 
 # Exceptions
 
@@ -99,15 +104,15 @@ Properties (Access Vector, Remediation Level, etc) do have a position attribute,
 
 Currently it is not possible to leave an attribute blank instead of ND/X. If you don't have a value for an attribute, please use ND/X instead.
 
-Because the documentation isn't clear on how to calculate the score if Modified Scope (CVSS 3.0 Environmental) is not defined, Modified Scope has to have a valid value (S/U).
-
 There is a possibility of implementations generating different scores (+/- 0,1) due to small floating-point inaccuracies. This can happen due to differences in floating point arithmetic between different languages and hardware platforms.
 
 ## Changelog
 
-[Click here to see all changes.](https://raw.githubusercontent.com/siemens/cvss-suite/master/CHANGES.md)
+[Click here to see all changes.](https://github.com/siemens/cvss-suite/blob/master/CHANGES.md)
 
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/siemens/cvss-suite. This project is intended to be a safe, welcoming space for collaboration.
 
+## References
+[CvssSuite for .NET](https://github.com/oliverhamboerger/CvssSuite)

data/_config.yml

@@ -0,0 +1 @@
+theme: jekyll-theme-cayman

data/bin/console

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
-require "bundler/setup"
-require "cvss_suite"
+require 'bundler/setup'
+require 'cvss_suite'
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.
@@ -10,5 +10,5 @@ require "cvss_suite"
 # require "pry"
 # Pry.start
 
-require "irb"
+require 'irb'
 IRB.start

data/cvss_suite.gemspec

@@ -9,7 +9,8 @@
 # See the LICENSE.md file in the top-level directory.
 
 # coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
+
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'cvss_suite/version'
 
@@ -17,24 +18,23 @@ Gem::Specification.new do |spec|
   spec.name          = 'cvss-suite'
   spec.version       = CvssSuite::VERSION
   spec.license       = 'MIT'
-  spec.authors       = ["Oliver Hamboerger"]
-  spec.email         = ["oliver.hamboerger@siemens.com"]
+  spec.authors       = ['Oliver Hamboerger']
+  spec.email         = ['oliver.hamboerger@siemens.com']
 
-  spec.summary       = %q{Ruby gem for processing cvss vectors.}
-  spec.description   = %q{This Ruby gem helps you to process the vector of the Common Vulnerability Scoring System (https://www.first.org/cvss/specification-document).
-Besides calculating the Base, Temporal and Environmental Score, you are able to extract the selected option.}
-  spec.homepage      = "https://siemens.github.io/cvss-suite/"
+  spec.summary       = 'Ruby gem for processing cvss vectors.'
+  spec.description   = 'This Ruby gem helps you to process the vector of the Common Vulnerability Scoring System (https://www.first.org/cvss/specification-document).
+Besides calculating the Base, Temporal and Environmental Score, you are able to extract the selected option.'
+  spec.homepage      = 'https://siemens.github.io/cvss-suite/'
 
-  spec.required_ruby_version = '>= 2.0.0'
+  spec.required_ruby_version = '>= 2.4.0'
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
 
-  spec.add_development_dependency "bundler", "~> 1.10"
-  spec.add_development_dependency "rspec", "~> 3.4"
-  spec.add_development_dependency "rspec-its", "~> 1.2"
-  spec.add_development_dependency "rdoc", "~> 4.2"
-  spec.add_development_dependency "simplecov", "~> 0.11.2"
+  spec.add_development_dependency 'bundler', '>= 1.10'
+  spec.add_development_dependency 'rspec', '~> 3.4'
+  spec.add_development_dependency 'rspec-its', '~> 1.2'
+  spec.add_development_dependency 'simplecov', '~> 0.18'
 end

data/lib/cvss_suite.rb

@@ -12,33 +12,32 @@ require 'cvss_suite/cvss2/cvss2'
 require 'cvss_suite/cvss3/cvss3'
 require 'cvss_suite/cvss31/cvss31'
 require 'cvss_suite/version'
-require 'cvss_suite/helpers/extensions'
 require 'cvss_suite/errors'
 require 'cvss_suite/invalid_cvss'
 
 ##
 # Module of this gem.
-
 module CvssSuite
   CVSS_VECTOR_BEGINNINGS = [
-    {:string => 'AV:', :version => 2}, 
-    {:string => 'CVSS:3.0/', :version => 3.0},
-    {:string => 'CVSS:3.1/', :version => 3.1}
-  ]
+    { string: 'AV:', version: 2 },
+    { string: '(AV:', version: 2 },
+    { string: 'CVSS:3.0/', version: 3.0 },
+    { string: 'CVSS:3.1/', version: 3.1 }
+  ].freeze
 
   ##
   # Returns a CVSS class by a +vector+.
-
   def self.new(vector)
     return InvalidCvss.new unless vector.is_a? String
+
     @vector_string = vector
     case version
     when 2
-      Cvss2.new(@vector_string, version)
+      Cvss2.new(@vector_string)
     when 3.0
-      Cvss3.new(@vector_string, version)
+      Cvss3.new(@vector_string)
     when 3.1
-      Cvss31.new(@vector_string, version)
+      Cvss31.new(@vector_string)
     else
       InvalidCvss.new
     end
@@ -48,10 +47,7 @@ module CvssSuite
 
   def self.version
     CVSS_VECTOR_BEGINNINGS.each do |beginning|
-      if @vector_string.start_with? beginning[:string]
-        return beginning[:version]
-      end
+      return beginning[:version] if @vector_string.start_with? beginning[:string]
     end
   end
-
 end

data/lib/cvss_suite/cvss.rb

@@ -8,118 +8,116 @@
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.
 
-##
-# This class represents any CVSS vector. Do not instantiate this class!
-
-class Cvss
-
-  ##
-  # Metric of a CVSS vector.
-
-  attr_reader :base, :temporal, :environmental
-
-  ##
-  # Returns version of current CVSS vector.
-
-  attr_reader :version
-
-  ##
-  # Returns the vector itself.
-
-  attr_reader :vector
-
-  ##
-  # Creates a new CVSS vector by a +vector+ and a +version+.
-  #
-  # Raises an exception if it is called on Cvss class.
-
-  def initialize(vector, version)
-    raise CvssSuite::Errors::InvalidParentClass, 'Do not instantiate this class!' if self.class == Cvss
-    @version = version
-    @vector = vector
-    @properties = []
-    extract_metrics
-    init_metrics
-  end
-
+module CvssSuite
   ##
-  # Returns if CVSS vector is valid.
+  # This class represents any CVSS vector. Do not instantiate this class!
+  class Cvss
+    ##
+    # Metric of a CVSS vector.
+    attr_reader :base, :temporal, :environmental
+
+    ##
+    # Returns the vector itself.
+    attr_reader :vector
+
+    ##
+    # Creates a new CVSS vector by a +vector+.
+    #
+    # Raises an exception if it is called on Cvss class.
+    def initialize(vector)
+      raise CvssSuite::Errors::InvalidParentClass, 'Do not instantiate this class!' if instance_of? Cvss
+
+      @vector = vector
+      @properties = []
+      extract_metrics
+      init_metrics
+    end
 
-  def valid?
-    if @amount_of_properties == required_amount_of_properties
+    ##
+    # Returns if CVSS vector is valid.
+    def valid?
+      if @amount_of_properties == required_amount_of_properties
         base = @base.valid?
         temporal = @base.valid? && @temporal.valid?
         environmental = @base.valid? && @environmental.valid?
         full = @base.valid? && @temporal.valid? && @environmental.valid?
         base || temporal || environmental || full
-    else
-      false
+      else
+        false
+      end
     end
-  end
 
-  ##
-  # Returns the severity of the CVSS vector.
-
-  def severity
-    check_validity
-    
-    score = overall_score
-
-    if 0.0 == score
-      "None"
-    elsif (0.1..3.9).include? score
-     "Low"
-    elsif (4.0..6.9).include? score
-     "Medium"
-    elsif (7.0..8.9).include? score
-     "High"
-    elsif (9.0..10.0).include? score
-     "Critical"
-    else
-     "None"
+    ##
+    # Returns the severity of the CVSS vector.
+    def severity
+      check_validity
+
+      score = overall_score
+
+      if score <= 0.0
+        'None'
+      elsif (0.1..3.9).cover? score
+        'Low'
+      elsif (4.0..6.9).cover? score
+        'Medium'
+      elsif (7.0..8.9).cover? score
+        'High'
+      elsif (9.0..10.0).cover? score
+        'Critical'
+      else
+        'None'
+      end
     end
-  end
 
-  ##
-  # Returns the Overall Score of the CVSS vector.
+    ##
+    # Returns the Overall Score of the CVSS vector.
+    def overall_score
+      check_validity
+      return temporal_score if @temporal.valid? && !@environmental.valid?
+      return environmental_score if @environmental.valid?
 
-  def overall_score
-    check_validity
-    return temporal_score if @temporal.valid? && !@environmental.valid?
-    return environmental_score if @environmental.valid?
-    base_score
-  end
+      base_score
+    end
 
-  private
+    private
 
-  def extract_metrics
-    properties = prepared_vector.split('/')
-    @amount_of_properties = properties.size
-    properties.each_with_index do |property, index|
-      property = property.split(':')
-      @properties.push({ name: property[0], selected: property[1], position: index })
+    def extract_metrics
+      properties = prepared_vector.split('/')
+      @amount_of_properties = properties.size
+      properties.each_with_index do |property, index|
+        property = property.split(':')
+        @properties.push({ name: property[0], selected: property[1], position: index })
+      end
     end
-  end
-
-  def check_validity
-    raise CvssSuite::Errors::InvalidVector, 'Vector is not valid!' unless valid?
-  end
 
-  def prepared_vector
-    start_of_vector = @vector.index('AV')
+    def check_validity
+      raise CvssSuite::Errors::InvalidVector, 'Vector is not valid!' unless valid?
+    end
 
-    if start_of_vector.nil?
-      String.new
-    else
-      @vector[start_of_vector..-1]
+    def prepared_vector
+      start_of_vector = @vector.index('AV')
+
+      if start_of_vector.nil?
+        ''
+      elsif start_of_vector == 1
+        match_array = @vector.scan(/\((?>[^)(]+|\g<0>)*\)/)
+        if match_array.length == 1 && match_array[0] == @vector
+          @vector.slice!(0)
+          @vector.slice!(@vector.length - 1)
+          @vector
+        else
+          ''
+        end
+      else
+        @vector[start_of_vector..-1]
+      end
     end
-  end
 
-  def required_amount_of_properties
-    total = @base.count if @base.valid?
-    total += @temporal.count if @temporal.valid?
-    total += @environmental.count if @environmental.valid?
-    total ||= 0
+    def required_amount_of_properties
+      total = @base.count if @base.valid?
+      total += @temporal.count if @temporal.valid?
+      total += @environmental.count if @environmental.valid?
+      total || 0
+    end
   end
-
-end
+end