cvss-suite 1.2.0 → 2.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/rspec.yml +23 -0
- data/.github/workflows/rubocop.yml +21 -0
- data/.rubocop.yml +47 -1
- data/.rubocop_todo.yml +59 -0
- data/CHANGES.md +40 -1
- data/README.md +16 -11
- data/_config.yml +1 -0
- data/bin/console +3 -3
- data/cvss_suite.gemspec +14 -14
- data/lib/cvss_suite.rb +10 -14
- data/lib/cvss_suite/cvss.rb +93 -95
- data/lib/cvss_suite/cvss2/cvss2.rb +50 -28
- data/lib/cvss_suite/cvss2/cvss2_base.rb +69 -75
- data/lib/cvss_suite/cvss2/cvss2_environmental.rb +52 -54
- data/lib/cvss_suite/cvss2/cvss2_temporal.rb +40 -41
- data/lib/cvss_suite/cvss3/cvss3.rb +39 -36
- data/lib/cvss_suite/cvss3/cvss3_base.rb +72 -75
- data/lib/cvss_suite/cvss3/cvss3_environmental.rb +159 -109
- data/lib/cvss_suite/cvss3/cvss3_temporal.rb +41 -42
- data/lib/cvss_suite/cvss31/cvss31.rb +36 -28
- data/lib/cvss_suite/cvss31/cvss31_base.rb +66 -68
- data/lib/cvss_suite/cvss31/cvss31_environmental.rb +159 -109
- data/lib/cvss_suite/cvss31/cvss31_temporal.rb +41 -42
- data/lib/cvss_suite/cvss_metric.rb +31 -35
- data/lib/cvss_suite/cvss_property.rb +57 -56
- data/lib/cvss_suite/errors.rb +2 -0
- data/lib/cvss_suite/helpers/cvss31_helper.rb +27 -0
- data/lib/cvss_suite/helpers/cvss3_helper.rb +21 -15
- data/lib/cvss_suite/invalid_cvss.rb +39 -45
- data/lib/cvss_suite/version.rb +2 -2
- metadata +12 -23
- data/.travis.yml +0 -4
- data/lib/cvss_suite/helpers/extensions.rb +0 -56
@@ -11,47 +11,46 @@
|
|
11
11
|
require_relative '../cvss_property'
|
12
12
|
require_relative '../cvss_metric'
|
13
13
|
|
14
|
-
|
15
|
-
# This class represents a CVSS Temporal metric in version 3.1.
|
16
|
-
|
17
|
-
class Cvss31Temporal < CvssMetric
|
18
|
-
|
19
|
-
##
|
20
|
-
# Property of this metric
|
21
|
-
|
22
|
-
attr_reader :exploit_code_maturity, :remediation_level, :report_confidence
|
23
|
-
|
14
|
+
module CvssSuite
|
24
15
|
##
|
25
|
-
#
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
16
|
+
# This class represents a CVSS Temporal metric in version 3.1.
|
17
|
+
class Cvss31Temporal < CvssMetric
|
18
|
+
##
|
19
|
+
# Property of this metric
|
20
|
+
attr_reader :exploit_code_maturity, :remediation_level, :report_confidence
|
21
|
+
|
22
|
+
##
|
23
|
+
# Returns score of this metric
|
24
|
+
def score
|
25
|
+
return 1.0 unless valid?
|
26
|
+
|
27
|
+
@exploit_code_maturity.score * @remediation_level.score * @report_confidence.score
|
28
|
+
end
|
29
|
+
|
30
|
+
private
|
31
|
+
|
32
|
+
def init_properties
|
33
|
+
@properties.push(@exploit_code_maturity =
|
34
|
+
CvssProperty.new(name: 'Exploit Code Maturity', abbreviation: 'E', position: [8],
|
35
|
+
values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
|
36
|
+
{ name: 'Unproven', abbreviation: 'U', weight: 0.91 },
|
37
|
+
{ name: 'Proof-of-Concept', abbreviation: 'P', weight: 0.94 },
|
38
|
+
{ name: 'Functional', abbreviation: 'F', weight: 0.97 },
|
39
|
+
{ name: 'High', abbreviation: 'H', weight: 1.0 }]))
|
40
|
+
@properties.push(@remediation_level =
|
41
|
+
CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [9],
|
42
|
+
values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
|
43
|
+
{ name: 'Official Fix', abbreviation: 'O', weight: 0.95 },
|
44
|
+
{ name: 'Temporary Fix', abbreviation: 'T', weight: 0.96 },
|
45
|
+
{ name: 'Workaround', abbreviation: 'W', weight: 0.97 },
|
46
|
+
{ name: 'Unavailable', abbreviation: 'U', weight: 1.0 }]))
|
47
|
+
|
48
|
+
@properties.push(@report_confidence =
|
49
|
+
CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [10],
|
50
|
+
values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
|
51
|
+
{ name: 'Unknown', abbreviation: 'U', weight: 0.92 },
|
52
|
+
{ name: 'Reasonable', abbreviation: 'R', weight: 0.96 },
|
53
|
+
{ name: 'Confirmed', abbreviation: 'C', weight: 1.0 }]))
|
54
|
+
end
|
56
55
|
end
|
57
|
-
end
|
56
|
+
end
|
@@ -8,46 +8,42 @@
|
|
8
8
|
# This work is licensed under the terms of the MIT license.
|
9
9
|
# See the LICENSE.md file in the top-level directory.
|
10
10
|
|
11
|
-
|
12
|
-
# This class represents any CVSS metric.
|
13
|
-
|
14
|
-
class CvssMetric
|
15
|
-
|
11
|
+
module CvssSuite
|
16
12
|
##
|
17
|
-
#
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
##
|
26
|
-
# Returns if the metric is valid.
|
27
|
-
|
28
|
-
def valid?
|
29
|
-
@properties.each do |property|
|
30
|
-
return false unless property.valid?
|
13
|
+
# This class represents any CVSS metric.
|
14
|
+
class CvssMetric
|
15
|
+
##
|
16
|
+
# Creates a new CVSS metric by +properties+
|
17
|
+
def initialize(selected_properties)
|
18
|
+
@properties = []
|
19
|
+
init_properties
|
20
|
+
extract_selected_values_from selected_properties
|
31
21
|
end
|
32
|
-
true
|
33
|
-
end
|
34
22
|
|
35
|
-
|
36
|
-
|
23
|
+
##
|
24
|
+
# Returns if the metric is valid.
|
25
|
+
def valid?
|
26
|
+
@properties.each do |property|
|
27
|
+
return false unless property.valid?
|
28
|
+
end
|
29
|
+
true
|
30
|
+
end
|
37
31
|
|
38
|
-
|
39
|
-
|
40
|
-
|
32
|
+
##
|
33
|
+
# Returns number of properties for this metric.
|
34
|
+
def count
|
35
|
+
@properties.count
|
36
|
+
end
|
41
37
|
|
42
|
-
|
38
|
+
private
|
43
39
|
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
40
|
+
def extract_selected_values_from(selected_properties)
|
41
|
+
selected_properties.each do |selected_property|
|
42
|
+
property = @properties.detect do |p|
|
43
|
+
p.abbreviation == selected_property[:name] && p.position.include?(selected_property[:position])
|
44
|
+
end
|
45
|
+
property&.set_selected_value selected_property[:selected]
|
46
|
+
end
|
50
47
|
end
|
51
48
|
end
|
52
|
-
|
53
|
-
end
|
49
|
+
end
|
@@ -8,78 +8,79 @@
|
|
8
8
|
# This work is licensed under the terms of the MIT license.
|
9
9
|
# See the LICENSE.md file in the top-level directory.
|
10
10
|
|
11
|
-
|
12
|
-
# This class represents a CVSS property of a CVSS metric.
|
13
|
-
|
14
|
-
class CvssProperty
|
15
|
-
|
11
|
+
module CvssSuite
|
16
12
|
##
|
17
|
-
#
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
13
|
+
# This class represents a CVSS property of a CVSS metric.
|
14
|
+
class CvssProperty
|
15
|
+
##
|
16
|
+
# Creates a new CVSS property by a +property+.
|
17
|
+
#
|
18
|
+
# +Property+ needs to consist of a name, a abbreviation,
|
19
|
+
# the possible positions in the CVSS vector, a weight, and the
|
20
|
+
# available values for the property.
|
21
|
+
|
22
|
+
def initialize(property)
|
23
|
+
@property = property
|
24
|
+
@property[:default_value] ||= 'Not Available'
|
25
|
+
end
|
26
26
|
|
27
|
-
|
28
|
-
|
27
|
+
##
|
28
|
+
# Returns the full name of the property.
|
29
29
|
|
30
|
-
|
31
|
-
|
32
|
-
|
30
|
+
def name
|
31
|
+
@property[:name]
|
32
|
+
end
|
33
33
|
|
34
|
-
|
35
|
-
|
34
|
+
##
|
35
|
+
# Returns the abbreviation of the property.
|
36
36
|
|
37
|
-
|
38
|
-
|
39
|
-
|
37
|
+
def abbreviation
|
38
|
+
@property[:abbreviation]
|
39
|
+
end
|
40
40
|
|
41
|
-
|
42
|
-
|
41
|
+
##
|
42
|
+
# Returns all available values of the property.
|
43
43
|
|
44
|
-
|
45
|
-
|
46
|
-
|
44
|
+
def values
|
45
|
+
@property[:values]
|
46
|
+
end
|
47
47
|
|
48
|
-
|
49
|
-
|
48
|
+
##
|
49
|
+
# Returns the possible positions in the CVSS vector of the property.
|
50
50
|
|
51
|
-
|
52
|
-
|
53
|
-
|
51
|
+
def position
|
52
|
+
@property[:position]
|
53
|
+
end
|
54
54
|
|
55
|
-
|
56
|
-
|
55
|
+
##
|
56
|
+
# Returns the selected value of the property.
|
57
57
|
|
58
|
-
|
59
|
-
|
60
|
-
|
58
|
+
def selected_value
|
59
|
+
@selected_value || @property[:default_value]
|
60
|
+
end
|
61
61
|
|
62
|
-
|
63
|
-
|
62
|
+
##
|
63
|
+
# Returns true if the property is valid.
|
64
64
|
|
65
|
-
|
66
|
-
|
67
|
-
|
65
|
+
def valid?
|
66
|
+
!@selected_value.nil?
|
67
|
+
end
|
68
68
|
|
69
|
-
|
70
|
-
|
69
|
+
##
|
70
|
+
# Returns the score of the selected value.
|
71
71
|
|
72
|
-
|
73
|
-
|
74
|
-
|
72
|
+
def score
|
73
|
+
@selected_value[:weight]
|
74
|
+
end
|
75
75
|
|
76
|
-
|
77
|
-
|
76
|
+
##
|
77
|
+
# Sets the selected value by a +value+.
|
78
78
|
|
79
|
-
|
80
|
-
|
81
|
-
|
79
|
+
def set_selected_value(selected_value)
|
80
|
+
values.each do |value|
|
81
|
+
value[:selected] = selected_value.eql?(value[:abbreviation])
|
82
|
+
end
|
83
|
+
@selected_value = values.detect { |value| value[:selected] }
|
82
84
|
end
|
83
|
-
@selected_choice = choices.detect { |choice| choice[:selected] }
|
84
85
|
end
|
85
|
-
end
|
86
|
+
end
|
data/lib/cvss_suite/errors.rb
CHANGED
@@ -0,0 +1,27 @@
|
|
1
|
+
# CVSS-Suite, a Ruby gem to manage the CVSS vector
|
2
|
+
#
|
3
|
+
# Copyright (c) Siemens AG, 2016
|
4
|
+
#
|
5
|
+
# Authors:
|
6
|
+
# Oliver Hambörger <oliver.hamboerger@siemens.com>
|
7
|
+
#
|
8
|
+
# This work is licensed under the terms of the MIT license.
|
9
|
+
# See the LICENSE.md file in the top-level directory.
|
10
|
+
|
11
|
+
module CvssSuite
|
12
|
+
##
|
13
|
+
# This module includes methods which are used by the CVSS 3 classes.
|
14
|
+
module Cvss31Helper
|
15
|
+
##
|
16
|
+
# Since CVSS 3 all float values are rounded up, therefore this method is used
|
17
|
+
# instead of the mathematically correct method round().
|
18
|
+
def self.round_up(float)
|
19
|
+
output = (float * 100_000).round
|
20
|
+
if (output % 10_000).zero?
|
21
|
+
output / 100_000.0
|
22
|
+
else
|
23
|
+
((output / 10_000).floor + 1) / 10.0
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
@@ -8,22 +8,28 @@
|
|
8
8
|
# This work is licensed under the terms of the MIT license.
|
9
9
|
# See the LICENSE.md file in the top-level directory.
|
10
10
|
|
11
|
-
|
12
|
-
# This module includes methods which are used by the CVSS 3 classes.
|
13
|
-
|
14
|
-
module Cvss3Helper
|
15
|
-
|
11
|
+
module CvssSuite
|
16
12
|
##
|
17
|
-
#
|
18
|
-
|
13
|
+
# This module includes methods which are used by the CVSS 3 classes.
|
14
|
+
module Cvss3Helper
|
15
|
+
##
|
16
|
+
# Since CVSS 3 all float values are rounded up, therefore this method is used
|
17
|
+
# instead of the mathematically correct method round().
|
18
|
+
def self.round_up(float)
|
19
|
+
float.ceil(1).to_f
|
20
|
+
end
|
19
21
|
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
privilege_score =
|
22
|
+
##
|
23
|
+
# Since CVSS 3 the Privilege Required score depends on the selected value of the Scope metric.
|
24
|
+
# This method takes a +Privilege+ +Required+ and a +Scope+ metric and returns the newly calculated score.
|
25
|
+
def self.privileges_required_score(privileges_required, scope)
|
26
|
+
changed = scope.selected_value[:name] == 'Changed'
|
27
|
+
privilege_score = privileges_required.score
|
28
|
+
if changed
|
29
|
+
privilege_score = 0.68 if privileges_required.selected_value[:name] == 'Low'
|
30
|
+
privilege_score = 0.50 if privileges_required.selected_value[:name] == 'High'
|
31
|
+
end
|
32
|
+
privilege_score
|
26
33
|
end
|
27
|
-
privilege_score
|
28
34
|
end
|
29
|
-
end
|
35
|
+
end
|
@@ -8,50 +8,44 @@
|
|
8
8
|
# This work is licensed under the terms of the MIT license.
|
9
9
|
# See the LICENSE.md file in the top-level directory.
|
10
10
|
|
11
|
-
|
12
|
-
# # This class represents a invalid CVSS vector.
|
13
|
-
|
14
|
-
class InvalidCvss < Cvss
|
15
|
-
|
16
|
-
##
|
17
|
-
# Creates a new invalid CVSS vector.
|
18
|
-
|
19
|
-
def initialize
|
20
|
-
end
|
21
|
-
|
22
|
-
##
|
23
|
-
# Since this is an invalid CVSS vector, it always returns false.
|
24
|
-
|
25
|
-
def valid?
|
26
|
-
false
|
27
|
-
end
|
28
|
-
|
29
|
-
##
|
30
|
-
# Since this is an invalid CVSS vector, it always throws an exception.
|
31
|
-
|
32
|
-
def version
|
33
|
-
check_validity
|
34
|
-
end
|
35
|
-
|
36
|
-
##
|
37
|
-
# Since this is an invalid CVSS vector, it always throws an exception.
|
38
|
-
|
39
|
-
def base_score
|
40
|
-
check_validity
|
41
|
-
end
|
42
|
-
|
11
|
+
module CvssSuite
|
43
12
|
##
|
44
|
-
#
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
13
|
+
# This class represents a invalid CVSS vector.
|
14
|
+
class InvalidCvss < Cvss
|
15
|
+
# rubocop:disable Lint/MissingSuper
|
16
|
+
##
|
17
|
+
# Creates a new invalid CVSS vector.
|
18
|
+
def initialize; end
|
19
|
+
# rubocop:enable Lint/MissingSuper
|
20
|
+
|
21
|
+
##
|
22
|
+
# Since this is an invalid CVSS vector, it always returns false.
|
23
|
+
def valid?
|
24
|
+
false
|
25
|
+
end
|
26
|
+
|
27
|
+
##
|
28
|
+
# Since this is an invalid CVSS vector, it always throws an exception.
|
29
|
+
def version
|
30
|
+
check_validity
|
31
|
+
end
|
32
|
+
|
33
|
+
##
|
34
|
+
# Since this is an invalid CVSS vector, it always throws an exception.
|
35
|
+
def base_score
|
36
|
+
check_validity
|
37
|
+
end
|
38
|
+
|
39
|
+
##
|
40
|
+
# Since this is an invalid CVSS vector, it always throws an exception.
|
41
|
+
def temporal_score
|
42
|
+
check_validity
|
43
|
+
end
|
44
|
+
|
45
|
+
##
|
46
|
+
# Since this is an invalid CVSS vector, it always throws an exception.
|
47
|
+
def environmental_score
|
48
|
+
check_validity
|
49
|
+
end
|
55
50
|
end
|
56
|
-
|
57
|
-
end
|
51
|
+
end
|