cvss-suite 1.2.0 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (34) hide show
  1. checksums.yaml +4 -4
  2. data/.github/workflows/rspec.yml +23 -0
  3. data/.github/workflows/rubocop.yml +21 -0
  4. data/.rubocop.yml +47 -1
  5. data/.rubocop_todo.yml +59 -0
  6. data/CHANGES.md +40 -1
  7. data/README.md +16 -11
  8. data/_config.yml +1 -0
  9. data/bin/console +3 -3
  10. data/cvss_suite.gemspec +14 -14
  11. data/lib/cvss_suite.rb +10 -14
  12. data/lib/cvss_suite/cvss.rb +93 -95
  13. data/lib/cvss_suite/cvss2/cvss2.rb +50 -28
  14. data/lib/cvss_suite/cvss2/cvss2_base.rb +69 -75
  15. data/lib/cvss_suite/cvss2/cvss2_environmental.rb +52 -54
  16. data/lib/cvss_suite/cvss2/cvss2_temporal.rb +40 -41
  17. data/lib/cvss_suite/cvss3/cvss3.rb +39 -36
  18. data/lib/cvss_suite/cvss3/cvss3_base.rb +72 -75
  19. data/lib/cvss_suite/cvss3/cvss3_environmental.rb +159 -109
  20. data/lib/cvss_suite/cvss3/cvss3_temporal.rb +41 -42
  21. data/lib/cvss_suite/cvss31/cvss31.rb +36 -28
  22. data/lib/cvss_suite/cvss31/cvss31_base.rb +66 -68
  23. data/lib/cvss_suite/cvss31/cvss31_environmental.rb +159 -109
  24. data/lib/cvss_suite/cvss31/cvss31_temporal.rb +41 -42
  25. data/lib/cvss_suite/cvss_metric.rb +31 -35
  26. data/lib/cvss_suite/cvss_property.rb +57 -56
  27. data/lib/cvss_suite/errors.rb +2 -0
  28. data/lib/cvss_suite/helpers/cvss31_helper.rb +27 -0
  29. data/lib/cvss_suite/helpers/cvss3_helper.rb +21 -15
  30. data/lib/cvss_suite/invalid_cvss.rb +39 -45
  31. data/lib/cvss_suite/version.rb +2 -2
  32. metadata +12 -23
  33. data/.travis.yml +0 -4
  34. data/lib/cvss_suite/helpers/extensions.rb +0 -56
data/lib/cvss_suite/cvss3/cvss3_temporal.rb CHANGED
@@ -11,47 +11,46 @@
11
11
  require_relative '../cvss_property'
12
12
  require_relative '../cvss_metric'
13
13
 
14
- ##
15
- # This class represents a CVSS Temporal metric in version 3.
16
-
17
- class Cvss3Temporal < CvssMetric
18
-
19
- ##
20
- # Property of this metric
21
-
22
- attr_reader :exploit_code_maturity, :remediation_level, :report_confidence
23
-
14
+ module CvssSuite
24
15
  ##
25
- # Returns score of this metric
26
-
27
- def score
28
- return 1.0 unless valid?
29
- @exploit_code_maturity.score * @remediation_level.score * @report_confidence.score
30
- end
31
-
32
- private
33
-
34
- def init_properties
35
- @properties.push(@exploit_code_maturity =
36
- CvssProperty.new(name: 'Exploit Code Maturity', abbreviation: 'E', position: [8],
37
- choices: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
38
- { name: 'Unproven', abbreviation: 'U', weight: 0.91 },
39
- { name: 'Proof-of-Concept', abbreviation: 'P', weight: 0.94 },
40
- { name: 'Functional', abbreviation: 'F', weight: 0.97 },
41
- { name: 'High', abbreviation: 'H', weight: 1.0 }]))
42
- @properties.push(@remediation_level =
43
- CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [9],
44
- choices: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
45
- { name: 'Official Fix', abbreviation: 'O', weight: 0.95 },
46
- { name: 'Temporary Fix', abbreviation: 'T', weight: 0.96 },
47
- { name: 'Workaround', abbreviation: 'W', weight: 0.97 },
48
- { name: 'Unavailable', abbreviation: 'U', weight: 1.0 }]))
49
-
50
- @properties.push(@report_confidence =
51
- CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [10],
52
- choices: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
53
- { name: 'Unknown', abbreviation: 'U', weight: 0.92 },
54
- { name: 'Reasonable', abbreviation: 'R', weight: 0.96 },
55
- { name: 'Confirmed', abbreviation: 'C', weight: 1.0 }]))
16
+ # This class represents a CVSS Temporal metric in version 3.
17
+ class Cvss3Temporal < CvssMetric
18
+ ##
19
+ # Property of this metric
20
+ attr_reader :exploit_code_maturity, :remediation_level, :report_confidence
21
+
22
+ ##
23
+ # Returns score of this metric
24
+ def score
25
+ return 1.0 unless valid?
26
+
27
+ @exploit_code_maturity.score * @remediation_level.score * @report_confidence.score
28
+ end
29
+
30
+ private
31
+
32
+ def init_properties
33
+ @properties.push(@exploit_code_maturity =
34
+ CvssProperty.new(name: 'Exploit Code Maturity', abbreviation: 'E', position: [8],
35
+ values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
36
+ { name: 'Unproven', abbreviation: 'U', weight: 0.91 },
37
+ { name: 'Proof-of-Concept', abbreviation: 'P', weight: 0.94 },
38
+ { name: 'Functional', abbreviation: 'F', weight: 0.97 },
39
+ { name: 'High', abbreviation: 'H', weight: 1.0 }]))
40
+ @properties.push(@remediation_level =
41
+ CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [9],
42
+ values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
43
+ { name: 'Official Fix', abbreviation: 'O', weight: 0.95 },
44
+ { name: 'Temporary Fix', abbreviation: 'T', weight: 0.96 },
45
+ { name: 'Workaround', abbreviation: 'W', weight: 0.97 },
46
+ { name: 'Unavailable', abbreviation: 'U', weight: 1.0 }]))
47
+
48
+ @properties.push(@report_confidence =
49
+ CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [10],
50
+ values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
51
+ { name: 'Unknown', abbreviation: 'U', weight: 0.92 },
52
+ { name: 'Reasonable', abbreviation: 'R', weight: 0.96 },
53
+ { name: 'Confirmed', abbreviation: 'C', weight: 1.0 }]))
54
+ end
56
55
  end
57
- end
56
+ end
data/lib/cvss_suite/cvss31/cvss31.rb CHANGED
@@ -8,45 +8,53 @@
8
8
  # This work is licensed under the terms of the MIT license.
9
9
  # See the LICENSE.md file in the top-level directory.
10
10
 
11
- require_relative '../../../lib/cvss_suite/cvss'
11
+ require_relative '../cvss'
12
12
  require_relative 'cvss31_base'
13
13
  require_relative 'cvss31_temporal'
14
14
  require_relative 'cvss31_environmental'
15
+ require_relative '../helpers/cvss31_helper'
15
16
 
16
- ##
17
- # This class represents a CVSS vector in version 3.1.
17
+ module CvssSuite
18
+ ##
19
+ # This class represents a CVSS vector in version 3.1.
20
+ class Cvss31 < Cvss
21
+ ##
22
+ # Returns the Version of the CVSS vector.
18
23
 
19
- class Cvss31 < Cvss
24
+ def version
25
+ 3.1
26
+ end
20
27
 
21
- ##
22
- # Returns the Base Score of the CVSS vector.
28
+ ##
29
+ # Returns the Base Score of the CVSS vector.
23
30
 
24
- def base_score
25
- check_validity
26
- @base.score.roundup
27
- end
31
+ def base_score
32
+ check_validity
33
+ Cvss31Helper.round_up(@base.score)
34
+ end
28
35
 
29
- ##
30
- # Returns the Temporal Score of the CVSS vector.
36
+ ##
37
+ # Returns the Temporal Score of the CVSS vector.
31
38
 
32
- def temporal_score
33
- (@base.score.roundup * @temporal.score).roundup
34
- end
39
+ def temporal_score
40
+ Cvss31Helper.round_up(Cvss31Helper.round_up(@base.score) * @temporal.score)
41
+ end
35
42
 
36
- ##
37
- # Returns the Environmental Score of the CVSS vector.
43
+ ##
44
+ # Returns the Environmental Score of the CVSS vector.
38
45
 
39
- def environmental_score
40
- return temporal_score unless @environmental.valid?
41
- (@environmental.score @temporal.score).roundup
42
- end
46
+ def environmental_score
47
+ return temporal_score unless @environmental.valid?
43
48
 
44
- private
49
+ Cvss31Helper.round_up(@environmental.score(@base, @temporal))
50
+ end
45
51
 
46
- def init_metrics
47
- @base = Cvss31Base.new(@properties)
48
- @temporal = Cvss31Temporal.new(@properties)
49
- @environmental = Cvss31Environmental.new(@properties)
50
- end
52
+ private
51
53
 
52
- end
54
+ def init_metrics
55
+ @base = Cvss31Base.new(@properties)
56
+ @temporal = Cvss31Temporal.new(@properties)
57
+ @environmental = Cvss31Environmental.new(@properties)
58
+ end
59
+ end
60
+ end
data/lib/cvss_suite/cvss31/cvss31_base.rb CHANGED
@@ -12,84 +12,82 @@ require_relative '../cvss_property'
12
12
  require_relative '../cvss_metric'
13
13
  require_relative '../helpers/cvss3_helper'
14
14
 
15
- ##
16
- # This class represents a CVSS Base metric in version 3.1.
17
-
18
- class Cvss31Base < CvssMetric
19
-
15
+ module CvssSuite
20
16
  ##
21
- # Property of this metric
17
+ # This class represents a CVSS Base metric in version 3.1.
18
+ class Cvss31Base < CvssMetric
19
+ ##
20
+ # Property of this metric
22
21
 
23
- attr_reader :attack_vector, :attack_complexity, :privileges_required, :user_interaction,
24
- :scope, :confidentiality, :integrity, :availability
22
+ attr_reader :attack_vector, :attack_complexity, :privileges_required, :user_interaction,
23
+ :scope, :confidentiality, :integrity, :availability
25
24
 
26
- ##
27
- # Returns score of this metric
25
+ ##
26
+ # Returns score of this metric
27
+ def score
28
+ privilege_score = Cvss3Helper.privileges_required_score(@privileges_required, @scope)
28
29
 
29
- def score
30
+ exploitability = 8.22 * @attack_vector.score * @attack_complexity.score *
31
+ privilege_score * @user_interaction.score
30
32
 
31
- privilege_score = Cvss3Helper.privileges_required_score @privileges_required, @scope
33
+ isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
32
34
 
33
- exploitability = 8.22 * @attack_vector.score * @attack_complexity.score * privilege_score * @user_interaction.score
35
+ impact_sub_score = if @scope.selected_value[:name] == 'Changed'
36
+ 7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
37
+ else
38
+ 6.42 * isc_base
39
+ end
34
40
 
35
- isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
41
+ return 0 if impact_sub_score <= 0
36
42
 
37
- if @scope.selected_choice[:name] == 'Changed'
38
- impact_sub_score = 7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
39
- else
40
- impact_sub_score = 6.42 * isc_base
43
+ if @scope.selected_value[:name] == 'Changed'
44
+ [10, 1.08 * (impact_sub_score + exploitability)].min
45
+ else
46
+ [10, impact_sub_score + exploitability].min
47
+ end
41
48
  end
42
49
 
43
- return 0 if impact_sub_score <= 0
44
-
45
- if @scope.selected_choice[:name] == 'Changed'
46
- [10, 1.08 * (impact_sub_score + exploitability)].min
47
- else
48
- [10, impact_sub_score + exploitability].min
50
+ private
51
+
52
+ def init_properties
53
+ @properties.push(@attack_vector =
54
+ CvssProperty.new(name: 'Attack Vector', abbreviation: 'AV', position: [0],
55
+ values: [{ name: 'Network', abbreviation: 'N', weight: 0.85 },
56
+ { name: 'Adjacent', abbreviation: 'A', weight: 0.62 },
57
+ { name: 'Local', abbreviation: 'L', weight: 0.55 },
58
+ { name: 'Physical', abbreviation: 'P', weight: 0.2 }]))
59
+ @properties.push(@attack_complexity =
60
+ CvssProperty.new(name: 'Attack Complexity', abbreviation: 'AC', position: [1],
61
+ values: [{ name: 'Low', abbreviation: 'L', weight: 0.77 },
62
+ { name: 'High', abbreviation: 'H', weight: 0.44 }]))
63
+ @properties.push(@privileges_required =
64
+ CvssProperty.new(name: 'Privileges Required', abbreviation: 'PR', position: [2],
65
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
66
+ { name: 'Low', abbreviation: 'L', weight: 0.62 },
67
+ { name: 'High', abbreviation: 'H', weight: 0.27 }]))
68
+ @properties.push(@user_interaction =
69
+ CvssProperty.new(name: 'User Interaction', abbreviation: 'UI', position: [3],
70
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
71
+ { name: 'Required', abbreviation: 'R', weight: 0.62 }]))
72
+ @properties.push(@scope =
73
+ CvssProperty.new(name: 'Scope', abbreviation: 'S', position: [4],
74
+ values: [{ name: 'Unchanged', abbreviation: 'U' },
75
+ { name: 'Changed', abbreviation: 'C' }]))
76
+ @properties.push(@confidentiality =
77
+ CvssProperty.new(name: 'Confidentiality', abbreviation: 'C', position: [5],
78
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
79
+ { name: 'Low', abbreviation: 'L', weight: 0.22 },
80
+ { name: 'High', abbreviation: 'H', weight: 0.56 }]))
81
+ @properties.push(@integrity =
82
+ CvssProperty.new(name: 'Integrity', abbreviation: 'I', position: [6],
83
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
84
+ { name: 'Low', abbreviation: 'L', weight: 0.22 },
85
+ { name: 'High', abbreviation: 'H', weight: 0.56 }]))
86
+ @properties.push(@availability =
87
+ CvssProperty.new(name: 'Availability', abbreviation: 'A', position: [7],
88
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
89
+ { name: 'Low', abbreviation: 'L', weight: 0.22 },
90
+ { name: 'High', abbreviation: 'H', weight: 0.56 }]))
49
91
  end
50
92
  end
51
-
52
- private
53
-
54
- def init_properties
55
- @properties.push(@attack_vector =
56
- CvssProperty.new(name: 'Attack Vector', abbreviation: 'AV', position: [0],
57
- choices: [{ name: 'Network', abbreviation: 'N', weight: 0.85 },
58
- { name: 'Adjacent', abbreviation: 'A', weight: 0.62 },
59
- { name: 'Local', abbreviation: 'L', weight: 0.55 },
60
- { name: 'Physical', abbreviation: 'P', weight: 0.2 }]))
61
- @properties.push(@attack_complexity =
62
- CvssProperty.new(name: 'Attack Complexity', abbreviation: 'AC', position: [1],
63
- choices: [{ name: 'Low', abbreviation: 'L', weight: 0.77 },
64
- { name: 'High', abbreviation: 'H', weight: 0.44 }]))
65
- @properties.push(@privileges_required =
66
- CvssProperty.new(name: 'Privileges Required', abbreviation: 'PR', position: [2],
67
- choices: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
68
- { name: 'Low', abbreviation: 'L', weight: 0.62 },
69
- { name: 'High', abbreviation: 'H', weight: 0.27 }]))
70
- @properties.push(@user_interaction =
71
- CvssProperty.new(name: 'User Interaction', abbreviation: 'UI', position: [3],
72
- choices: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
73
- { name: 'Required', abbreviation: 'R', weight: 0.62 }]))
74
- @properties.push(@scope =
75
- CvssProperty.new(name: 'Scope', abbreviation: 'S', position: [4],
76
- choices: [{ name: 'Unchanged', abbreviation: 'U' },
77
- { name: 'Changed', abbreviation: 'C' }]))
78
- @properties.push(@confidentiality =
79
- CvssProperty.new(name: 'Confidentiality', abbreviation: 'C', position: [5],
80
- choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
81
- { name: 'Low', abbreviation: 'L', weight: 0.22 },
82
- { name: 'High', abbreviation: 'H', weight: 0.56 }]))
83
- @properties.push(@integrity =
84
- CvssProperty.new(name: 'Integrity', abbreviation: 'I', position: [6],
85
- choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
86
- { name: 'Low', abbreviation: 'L', weight: 0.22 },
87
- { name: 'High', abbreviation: 'H', weight: 0.56 }]))
88
- @properties.push(@availability =
89
- CvssProperty.new(name: 'Availability', abbreviation: 'A', position: [7],
90
- choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
91
- { name: 'Low', abbreviation: 'L', weight: 0.22 },
92
- { name: 'High', abbreviation: 'H', weight: 0.56 }]))
93
- end
94
93
  end
95
-
data/lib/cvss_suite/cvss31/cvss31_environmental.rb CHANGED
@@ -11,134 +11,184 @@
11
11
  require_relative '../cvss_property'
12
12
  require_relative '../cvss_metric'
13
13
  require_relative '../helpers/cvss3_helper'
14
+ require_relative '../helpers/cvss31_helper'
14
15
 
15
- ##
16
- # This class represents a CVSS Environmental metric in version 3.1.
16
+ module CvssSuite
17
+ ##
18
+ # This class represents a CVSS Environmental metric in version 3.1.
19
+ class Cvss31Environmental < CvssMetric
20
+ ##
21
+ # Property of this metric
22
+ attr_reader :confidentiality_requirement, :integrity_requirement, :availability_requirement,
23
+ :modified_attack_vector, :modified_attack_complexity, :modified_privileges_required,
24
+ :modified_user_interaction, :modified_scope, :modified_confidentiality,
25
+ :modified_integrity, :modified_availability
17
26
 
18
- class Cvss31Environmental < CvssMetric
27
+ ##
28
+ # Returns score of this metric
29
+ def score(base, temporal)
30
+ @base = base
19
31
 
20
- ##
21
- # Property of this metric
32
+ merged_modified_privileges_required = @modified_privileges_required
33
+ if @modified_privileges_required.selected_value[:name] == 'Not Defined'
34
+ merged_modified_privileges_required = @base.privileges_required
35
+ end
22
36
 
23
- attr_reader :confidentiality_requirement, :integrity_requirement, :availability_requirement,
24
- :modified_attack_vector, :modified_attack_complexity, :modified_privileges_required,
25
- :modified_user_interaction, :modified_scope, :modified_confidentiality,
26
- :modified_integrity, :modified_availability
37
+ merged_modified_scope = @modified_scope
38
+ if @modified_scope.selected_value[:name] == 'Not Defined'
39
+ merged_modified_scope = @base.scope
40
+ end
27
41
 
28
- ##
29
- # Returns score of this metric
42
+ privilege_score = Cvss3Helper.privileges_required_score(merged_modified_privileges_required, merged_modified_scope)
30
43
 
31
- def score(temporal_score)
44
+ modified_exploitability_sub_score = modified_exploitability_sub(privilege_score)
32
45
 
33
- privilege_score = Cvss3Helper.privileges_required_score @modified_privileges_required, @modified_scope
46
+ modified_impact_sub_score = modified_impact_sub(isc_modified)
34
47
 
35
- modified_exploitability_sub_score = modified_exploitability_sub privilege_score
48
+ return 0 if modified_impact_sub_score <= 0
36
49
 
37
- isc_modified_score = isc_modified
50
+ calculate_score modified_impact_sub_score, modified_exploitability_sub_score, temporal.score
51
+ end
38
52
 
39
- modified_impact_sub_score = modified_impact_sub isc_modified_score
53
+ private
54
+
55
+ def init_properties
56
+ @properties.push(@confidentiality_requirement =
57
+ CvssProperty.new(name: 'Confidentiality Requirement', abbreviation: 'CR', position: [8, 11],
58
+ values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
59
+ { name: 'Medium', abbreviation: 'M', weight: 1.0 },
60
+ { name: 'High', abbreviation: 'H', weight: 1.5 },
61
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
62
+ @properties.push(@integrity_requirement =
63
+ CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
64
+ values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
65
+ { name: 'Medium', abbreviation: 'M', weight: 1.0 },
66
+ { name: 'High', abbreviation: 'H', weight: 1.5 },
67
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
68
+
69
+ @properties.push(@availability_requirement =
70
+ CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
71
+ values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
72
+ { name: 'Medium', abbreviation: 'M', weight: 1.0 },
73
+ { name: 'High', abbreviation: 'H', weight: 1.5 },
74
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
75
+ @properties.push(@modified_attack_vector =
76
+ CvssProperty.new(name: 'Modified Attack Vector', abbreviation: 'MAV', position: [11, 14],
77
+ values: [{ name: 'Network', abbreviation: 'N', weight: 0.85 },
78
+ { name: 'Adjacent Network', abbreviation: 'A', weight: 0.62 },
79
+ { name: 'Local', abbreviation: 'L', weight: 0.55 },
80
+ { name: 'Physical', abbreviation: 'P', weight: 0.2 },
81
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
82
+ @properties.push(@modified_attack_complexity =
83
+ CvssProperty.new(name: 'Modified Attack Complexity', abbreviation: 'MAC', position: [12, 15],
84
+ values: [{ name: 'Low', abbreviation: 'L', weight: 0.77 },
85
+ { name: 'High', abbreviation: 'H', weight: 0.44 },
86
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
87
+ @properties.push(@modified_privileges_required =
88
+ CvssProperty.new(name: 'Modified Privileges Required', abbreviation: 'MPR', position: [13, 16],
89
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
90
+ { name: 'Low', abbreviation: 'L', weight: 0.62 },
91
+ { name: 'High', abbreviation: 'H', weight: 0.27 },
92
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
93
+ @properties.push(@modified_user_interaction =
94
+ CvssProperty.new(name: 'Modified User Interaction', abbreviation: 'MUI', position: [14, 17],
95
+ values: [{ name: 'None', abbreviation: 'N', weight: 0.85 },
96
+ { name: 'Required', abbreviation: 'R', weight: 0.62 },
97
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
98
+ @properties.push(@modified_scope =
99
+ CvssProperty.new(name: 'Modified Scope', abbreviation: 'MS', position: [15, 18],
100
+ values: [{ name: 'Changed', abbreviation: 'C' },
101
+ { name: 'Unchanged', abbreviation: 'U' },
102
+ { name: 'Not Defined', abbreviation: 'X' }]))
103
+ @properties.push(@modified_confidentiality =
104
+ CvssProperty.new(name: 'Modified Confidentiality', abbreviation: 'MC', position: [16, 19],
105
+ values: [{ name: 'None', abbreviation: 'N', weight: 0 },
106
+ { name: 'Low', abbreviation: 'L', weight: 0.22 },
107
+ { name: 'High', abbreviation: 'H', weight: 0.56 },
108
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
109
+ @properties.push(@modified_integrity =
110
+ CvssProperty.new(name: 'Modified Integrity', abbreviation: 'MI', position: [17, 20],
111
+ values: [{ name: 'None', abbreviation: 'N', weight: 0 },
112
+ { name: 'Low', abbreviation: 'L', weight: 0.22 },
113
+ { name: 'High', abbreviation: 'H', weight: 0.56 },
114
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
115
+ @properties.push(@modified_availability =
116
+ CvssProperty.new(name: 'Modified Availability', abbreviation: 'MA', position: [18, 21],
117
+ values: [{ name: 'None', abbreviation: 'N', weight: 0 },
118
+ { name: 'Low', abbreviation: 'L', weight: 0.22 },
119
+ { name: 'High', abbreviation: 'H', weight: 0.56 },
120
+ { name: 'Not Defined', abbreviation: 'X', weight: 1 }]))
121
+ end
40
122
 
41
- return 0 if modified_impact_sub_score <= 0
123
+ def modified_impact_sub(isc_modified)
124
+ if @modified_scope.selected_value[:name] == 'Not Defined'
125
+ if @base.scope.selected_value[:name] == 'Changed'
126
+ return 7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified * 0.9731 - 0.02)**13
127
+ else
128
+ return 6.42 * isc_modified
129
+ end
130
+ end
131
+
132
+ if @modified_scope.selected_value[:name] == 'Changed'
133
+ 7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified * 0.9731 - 0.02)**13
134
+ else
135
+ 6.42 * isc_modified
136
+ end
137
+ end
42
138
 
43
- calculate_score modified_impact_sub_score, modified_exploitability_sub_score, temporal_score
44
- end
139
+ def isc_modified
140
+ merged_modified_confidentiality = @modified_confidentiality
141
+ if @modified_confidentiality.selected_value[:name] == 'Not Defined'
142
+ merged_modified_confidentiality = @base.confidentiality
143
+ end
45
144
 
46
- private
47
-
48
- def init_properties
49
- @properties.push(@confidentiality_requirement =
50
- CvssProperty.new(name: 'Confidentiality Requirement', abbreviation: 'CR', position: [8, 11],
51
- choices: [{name: 'Low', abbreviation: 'L', weight: 0.5},
52
- {name: 'Medium', abbreviation: 'M', weight: 1.0},
53
- {name: 'High', abbreviation: 'H', weight: 1.5},
54
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
55
- @properties.push(@integrity_requirement =
56
- CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
57
- choices: [{name: 'Low', abbreviation: 'L', weight: 0.5},
58
- {name: 'Medium', abbreviation: 'M', weight: 1.0},
59
- {name: 'High', abbreviation: 'H', weight: 1.5},
60
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
61
-
62
- @properties.push(@availability_requirement =
63
- CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
64
- choices: [{name: 'Low', abbreviation: 'L', weight: 0.5},
65
- {name: 'Medium', abbreviation: 'M', weight: 1.0},
66
- {name: 'High', abbreviation: 'H', weight: 1.5},
67
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
68
- @properties.push(@modified_attack_vector =
69
- CvssProperty.new(name: 'Modified Attack Vector', abbreviation: 'MAV', position: [11, 14],
70
- choices: [{name: 'Network', abbreviation: 'N', weight: 0.85},
71
- {name: 'Adjacent Network', abbreviation: 'A', weight: 0.62},
72
- {name: 'Local', abbreviation: 'L', weight: 0.55},
73
- {name: 'Physical', abbreviation: 'P', weight: 0.2},
74
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
75
- @properties.push(@modified_attack_complexity =
76
- CvssProperty.new(name: 'Modified Attack Complexity', abbreviation: 'MAC', position: [12, 15],
77
- choices: [{name: 'Low', abbreviation: 'L', weight: 0.77},
78
- {name: 'High', abbreviation: 'H', weight: 0.44},
79
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
80
- @properties.push(@modified_privileges_required =
81
- CvssProperty.new(name: 'Modified Privileges Required', abbreviation: 'MPR', position: [13, 16],
82
- choices: [{name: 'None', abbreviation: 'N', weight: 0.85},
83
- {name: 'Low', abbreviation: 'L', weight: 0.62},
84
- {name: 'High', abbreviation: 'H', weight: 0.27},
85
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
86
- @properties.push(@modified_user_interaction =
87
- CvssProperty.new(name: 'Modified User Interaction', abbreviation: 'MUI', position: [14, 17],
88
- choices: [{name: 'None', abbreviation: 'N', weight: 0.85},
89
- {name: 'Required', abbreviation: 'R', weight: 0.62},
90
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
91
- @properties.push(@modified_scope =
92
- CvssProperty.new(name: 'Modified Scope', abbreviation: 'MS', position: [15, 18],
93
- choices: [{name: 'Changed', abbreviation: 'C'},
94
- {name: 'Unchanged', abbreviation: 'U'}]))
95
- @properties.push(@modified_confidentiality =
96
- CvssProperty.new(name: 'Modified Confidentiality', abbreviation: 'MC', position: [16, 19],
97
- choices: [{name: 'None', abbreviation: 'N', weight: 0},
98
- {name: 'Low', abbreviation: 'L', weight: 0.22},
99
- {name: 'High', abbreviation: 'H', weight: 0.56},
100
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
101
- @properties.push(@modified_integrity =
102
- CvssProperty.new(name: 'Modified Integrity', abbreviation: 'MI', position: [17, 20],
103
- choices: [{name: 'None', abbreviation: 'N', weight: 0},
104
- {name: 'Low', abbreviation: 'L', weight: 0.22},
105
- {name: 'High', abbreviation: 'H', weight: 0.56},
106
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
107
- @properties.push(@modified_availability =
108
- CvssProperty.new(name: 'Modified Availability', abbreviation: 'MA', position: [18, 21],
109
- choices: [{name: 'None', abbreviation: 'N', weight: 0},
110
- {name: 'Low', abbreviation: 'L', weight: 0.22},
111
- {name: 'High', abbreviation: 'H', weight: 0.56},
112
- {name: 'Not Defined', abbreviation: 'X', weight: 1}]))
113
- end
145
+ merged_modified_integrity = @modified_integrity
146
+ if @modified_integrity.selected_value[:name] == 'Not Defined'
147
+ merged_modified_integrity = @base.integrity
148
+ end
114
149
 
115
- def modified_impact_sub(isc_modified)
116
- if @modified_scope.selected_choice[:name] == 'Changed'
117
- 7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified * 0.9731 - 0.02)**13
118
- else
119
- 6.42 * isc_modified
150
+ merged_modified_availability = @modified_availability
151
+ if @modified_availability.selected_value[:name] == 'Not Defined'
152
+ merged_modified_availability = @base.availability
153
+ end
154
+
155
+ confidentiality_score = 1 - merged_modified_confidentiality.score * @confidentiality_requirement.score
156
+ integrity_score = 1 - merged_modified_integrity.score * @integrity_requirement.score
157
+ availability_score = 1 - merged_modified_availability.score * @availability_requirement.score
158
+
159
+ [0.915, (1 - confidentiality_score * integrity_score * availability_score)].min
120
160
  end
121
- end
122
161
 
123
- def isc_modified
124
- confidentiality_score = 1 - @modified_confidentiality.score * @confidentiality_requirement.score
125
- integrity_score = 1 - @modified_integrity.score * @integrity_requirement.score
126
- availability_score = 1 - @modified_availability.score * @availability_requirement.score
162
+ def modified_exploitability_sub(privilege_score)
163
+ merged_modified_attack_vector = @modified_attack_vector
164
+ if @modified_attack_vector.selected_value[:name] == 'Not Defined'
165
+ merged_modified_attack_vector = @base.attack_vector
166
+ end
127
167
 
128
- [0.915, (1 - confidentiality_score * integrity_score * availability_score)].min
129
- end
168
+ merged_modified_attack_complexity = @modified_attack_complexity
169
+ if @modified_attack_complexity.selected_value[:name] == 'Not Defined'
170
+ merged_modified_attack_complexity = @base.attack_complexity
171
+ end
130
172
 
131
- def modified_exploitability_sub(privilege_score)
132
- modified_exploitability_sub_score = 8.22 * @modified_attack_vector.score
133
- modified_exploitability_sub_score *= @modified_attack_complexity.score
134
- modified_exploitability_sub_score *= privilege_score
135
- modified_exploitability_sub_score *= @modified_user_interaction.score
136
- end
173
+ merged_modified_user_interaction = @modified_user_interaction
174
+ if @modified_user_interaction.selected_value[:name] == 'Not Defined'
175
+ merged_modified_user_interaction = @base.user_interaction
176
+ end
137
177
 
138
- def calculate_score(modified_impact_sub_score, modified_exploitability_sub_score, temporal_score)
139
- factor = @modified_scope.selected_choice[:name] == 'Changed' ? 1.08 : 1.0
178
+ 8.22 * merged_modified_attack_vector.score * merged_modified_attack_complexity.score *
179
+ privilege_score * merged_modified_user_interaction.score
180
+ end
140
181
 
141
- ([factor * (modified_impact_sub_score + modified_exploitability_sub_score), 10].min.round_up(1) * temporal_score)
182
+ def calculate_score(modified_impact_sub_score, modified_exploitability_sub_score, temporal_score)
183
+ if @modified_scope.selected_value[:name] == 'Not Defined'
184
+ factor = @base.scope.selected_value[:name] == 'Changed' ? 1.08 : 1.0
185
+ else
186
+ factor = @modified_scope.selected_value[:name] == 'Changed' ? 1.08 : 1.0
187
+ end
142
188
 
189
+ Cvss31Helper.round_up(
190
+ [factor * (modified_impact_sub_score + modified_exploitability_sub_score), 10].min
191
+ ) * temporal_score
192
+ end
143
193
  end
144
- end
194
+ end