cvss-suite 1.2.0 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6aacfd5bb6fb48310c6c6c5cb2821a247971ef6115cb7c4c86dddb4335d8dafd
-  data.tar.gz: 5c881abb0186de84cb10596ff12333a9e8934ed290b8fe762471aaf82f008177
+  metadata.gz: 8d6c9f7e41ba7184e8140cf17c6fc0a1b2dced70a3a0e80a603700c2517f413c
+  data.tar.gz: 8277aaf7c847feb0d83adcf96f33e85dbbaa4916bb84fb3b1fad5fc1eb99ef57
 SHA512:
-  metadata.gz: 293c41865c1905f2ca44a34d7298813484312af93deb77f443411222df307df80f4a40781af2137b05f561e66fd8317196b5a8512ea82c21d565d4eb221492ff
-  data.tar.gz: 3c33b092a180ca728add5bcb4380881789f98652cf5476eb841ee23ee8b38a72e56cd7be916cfb297aa644d470830280826086561850c4625228a06e43bb82f2
+  metadata.gz: 3640b87d41a2b7533b756b416e115e8cde0bb4459a8aefe325d0db82816b48dc0b3f32bd2d6c9dde4ab48ec0bec94efc8572e0c94412618070a45ab04012dd04
+  data.tar.gz: fe15648aa4362009d44ef9159e38f40494b09911582845b29732cb6c6512694c6bdf4d3b57ec412a6e9e76c783c197746dd76a2cce79ce298facad8f4a8ac334

data/.github/workflows/rspec.yml

@@ -0,0 +1,23 @@
+name: RSpec
+
+on: [push,pull_request]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby: [ '2.6', '2.7', '3.0', '3.1' ]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up ${{ matrix.ruby }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Install gems
+      run: |
+        gem install bundler -v ">= 1.10"
+        bundle install --jobs 4 --retry 3
+    - name: Run tests
+      run: bundle exec rspec spec

data/.github/workflows/rubocop.yml

@@ -0,0 +1,22 @@
+name: Rubocop
+
+on: [push,pull_request]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby 2.6
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+    - name: Install gems
+      run: |
+        gem update --system
+        gem install bundler -v ">= 1.10"
+        gem install rubocop
+    - name: Run checks
+      run: rubocop -F --fail-level C -f s

data/.rubocop.yml

@@ -1,2 +1,48 @@
+inherit_from: .rubocop_todo.yml
+
+AllCops:
+  TargetRubyVersion: 2.6
+  SuggestExtensions: false
+
 Metrics/LineLength:
-  Max: 120
+  Max: 120
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Metrics/ClassLength:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Metrics/MethodLength:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/cvss2/cvss2_spec.rb'
+    - 'spec/cvss3/cvss3_spec.rb'
+    - 'spec/cvss31/cvss31_spec.rb'
+
+Style/IfUnlessModifier:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Style/GuardClause:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Style/ConditionalAssignment:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/AsciiComments:
+  Enabled: false

data/.rubocop_todo.yml

@@ -0,0 +1,59 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2020-05-05 17:47:10 +0200 using RuboCop version 0.82.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+Lint/IneffectiveAccessModifier:
+  Exclude:
+    - 'lib/cvss_suite.rb'
+
+# Offense count: 1
+# Configuration parameters: ContextCreatingMethods, MethodCreatingMethods.
+Lint/UselessAccessModifier:
+  Exclude:
+    - 'lib/cvss_suite.rb'
+
+# Offense count: 8
+# Configuration parameters: IgnoredMethods.
+Metrics/AbcSize:
+  Max: 35
+
+# Offense count: 5
+# Configuration parameters: CountComments, ExcludedMethods.
+# ExcludedMethods: refine
+Metrics/BlockLength:
+  Max: 58
+
+# Offense count: 2
+# Configuration parameters: CountComments.
+Metrics/ClassLength:
+  Max: 101
+
+# Offense count: 1
+# Configuration parameters: IgnoredMethods.
+Metrics/CyclomaticComplexity:
+  Max: 9
+
+# Offense count: 13
+# Configuration parameters: CountComments, ExcludedMethods.
+Metrics/MethodLength:
+  Max: 63
+
+# Offense count: 1
+# Configuration parameters: CountKeywordArgs.
+Metrics/ParameterLists:
+  Max: 6
+
+# Offense count: 1
+# Configuration parameters: IgnoredMethods.
+Metrics/PerceivedComplexity:
+  Max: 10
+
+# Offense count: 1
+Naming/AccessorMethodName:
+  Exclude:
+    - 'lib/cvss_suite/cvss_property.rb'

data/CHANGES.md

@@ -2,6 +2,66 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [3.1.0] - 2022-09-27
+
+### Fixes
+* Metrics are no longer order-dependent. Fixes [#30](https://github.com/0llirocks/cvss-suite/issues/30)
+
+### Improvements
+* Temporal and Environmental metrics can now be partly omitted instead of setting them to X.
+
+## [3.0.1] - 2022-03-13
+
+### Notes
+* Updated specification reference due to [Removing the edit linkset form](https://blog.rubygems.org/2019/03/08/and-then-there-was-one-metadata-links.html) and [Unable to edit gem online](https://github.com/rubygems/rubygems.org/issues/1899)
+
+## [3.0.0] - 2022-03-13
+
+### Breaking Changes
+* Ruby >= 2.6 is now required
+
+### Notes
+* Moved repository to its new home
+
+## [2.0.2] - 2020-12-05
+
+### Fixes
+* CVSS v2 now returns the correct severity values based on NVD recommendation
+* CVSS v2 now supports vectors which are enclosed in parenthesis e.g. (AV:N/AC:L/Au:N/C:P/I:P/A:P)
+
+## [2.0.1] - 2020-07-19
+
+### Fixes
+Fixed an error that resulted in incorrect environmental score if modified attributes were not defined.
+
+## [2.0.0] - 2020-05-10
+
+### Breaking Changes
+* Ruby >= 2.4 is now required
+* Renamed choice/choices to value/values
+
+### Improvements
+* Added CvssSuite module to every class (thanks to @fwininger)
+* Removed override for integer and float (thanks to @fwininger)
+* Added rubocop to development environment (thanks to @fwininger)
+
+### Notes
+Adding CvssSuite module everywhere means it’s no longer possible to access a class without it. Since this only affects the undocumented and ‚internal‘ classes this should not affect you. If you’re using them, stop it.
+
+Still works:
+
+```ruby
+cvss = CvssSuite.new('string')
+```
+
+Won’t work anymore (without any code change):
+
+```ruby
+cvss = Cvss31.new('string')
+```
+
+This would need to be CvssSuite::Cvss31.new('string') to work. Or you could include the whole namespace.
+
 ## [1.2.0] - 2019-07-02
 
 ### Notes
@@ -71,4 +131,4 @@ Tried to fix an error. It turned out to be a local problem. Due to this I increa
 
 ## [1.0.0] - 2016-04-15
 ### Initial release
-First release of this gem.
+First release of this gem.

data/CNAME

@@ -0,0 +1 @@
+cvss-suite.0lli.rocks

data/CODE_OF_CONDUCT.md

@@ -1,8 +1,9 @@
 CVSS-Suite, a Ruby gem to manage the CVSS vector
 
-Copyright (c) Siemens AG, 2016
+Copyright (c) 2016-2022 Siemens AG
+Copyright (c) 2022 0llirocks
 
-Authors: Oliver Hambörger <oliver.hamboerger@siemens.com>
+Authors: 0llirocks <http://0lli.rocks>
 
 This work is licensed under the terms of the MIT license.
 See the LICENSE.md file in the top-level directory.

data/Gemfile

@@ -1,9 +1,10 @@
 # CVSS-Suite, a Ruby gem to manage the CVSS vector
 #
-# Copyright (c) Siemens AG, 2016
+# Copyright (c) 2016-2022 Siemens AG
+# Copyright (c) 2022 0llirocks
 #
 # Authors:
-#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#   0llirocks <http://0lli.rocks>
 #
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.

data/LICENSE.md

@@ -1,6 +1,7 @@
 The MIT License (MIT)
 
-Copyright (c) 2016 Siemens AG
+Copyright (c) 2016-2022 Siemens AG
+Copyright (c) 2022 0llirocks
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

data/README.md

@@ -1,10 +1,11 @@
-# CvssSuite
+# CvssSuite for Ruby
 
 [![Gem Version](http://img.shields.io/gem/v/cvss-suite.svg)](https://rubygems.org/gems/cvss-suite)
-[![Ruby Version](https://img.shields.io/badge/Ruby-2.x-brightgreen.svg)](https://rubygems.org/gems/cvss-suite)
+[![Ruby Version](https://img.shields.io/badge/Ruby-2.6-brightgreen.svg)](https://rubygems.org/gems/cvss-suite)
 [![Cvss Support](https://img.shields.io/badge/CVSS-v2-brightgreen.svg)](https://www.first.org/cvss/v2/guide)
 [![Cvss Support](https://img.shields.io/badge/CVSS-v3.0-brightgreen.svg)](https://www.first.org/cvss/v3.0/user-guide)
 [![Cvss Support](https://img.shields.io/badge/CVSS-v3.1-brightgreen.svg)](https://www.first.org/cvss/v3.1/user-guide)
+[![RSpec](https://github.com/0llirocks/cvss-suite/workflows/RSpec/badge.svg)](https://github.com/0llirocks/cvss-suite/actions)
 
 This Ruby gem helps you to process the vector of the [**Common Vulnerability Scoring System**](https://www.first.org/cvss/specification-document).
 Besides calculating the Base, Temporal and Environmental Score, you are able to extract the selected option.
@@ -25,6 +26,14 @@ Or install it yourself as:
 
     $ gem install cvss-suite
 
+## Version 2.x
+
+If you are still using CvssSuite 2.x please refer to the [specific branch](https://github.com/0llirocks/cvss-suite/tree/2.x) for documentation and changelog.
+    
+## Version 1.x
+
+If you are still using CvssSuite 1.x please refer to the [specific branch](https://github.com/0llirocks/cvss-suite/tree/1.x) for documentation and changelog.
+
 ## Usage
 
 ```ruby
@@ -61,15 +70,15 @@ overall_score = cvss.overall_score                  # 3.2
 access_vector = cvss.base.access_vector.name                # 'Access Vector'
 remediation_level = cvss.temporal.remediation_level.name    # 'Remediation Level'
 
-access_vector.choices.each do |choice|
-    choice[:name]           # 'Local', 'Adjacent Network', 'Network'
-    choice[:abbreviation]   # 'L', 'A', 'N'
-    choice[:selected]       # false, true, false
+access_vector.values.each do |value|
+    value[:name]           # 'Local', 'Adjacent Network', 'Network'
+    value[:abbreviation]   # 'L', 'A', 'N'
+    value[:selected]       # false, true, false
 end
 
 # Selected options
-cvss.base.access_vector.selected_choice[:name]          # Adjacent Network
-cvss.temporal.remediation_level.selected_choice[:name]  # Temporary Fix
+cvss.base.access_vector.selected_value[:name]          # Adjacent Network
+cvss.temporal.remediation_level.selected_value[:name]  # Temporary Fix
 
 # Exceptions
 
@@ -91,23 +100,17 @@ valid = cvss.valid?     # false
 cvss.base_score         # will throw CvssSuite::Errors::InvalidVector: Vector is not valid!
 ```
 
-## Notable Features
-
-Properties (Access Vector, Remediation Level, etc) do have a position attribute, with this they can be ordered the same way they appear in the vector.
-
 ## Known Issues
 
-Currently it is not possible to leave an attribute blank instead of ND/X. If you don't have a value for an attribute, please use ND/X instead.
-
-Because the documentation isn't clear on how to calculate the score if Modified Scope (CVSS 3.0 Environmental) is not defined, Modified Scope has to have a valid value (S/U).
-
 There is a possibility of implementations generating different scores (+/- 0,1) due to small floating-point inaccuracies. This can happen due to differences in floating point arithmetic between different languages and hardware platforms.
 
 ## Changelog
 
-[Click here to see all changes.](https://raw.githubusercontent.com/siemens/cvss-suite/master/CHANGES.md)
+[Click here to see all changes.](https://github.com/0llirocks/cvss-suite/blob/master/CHANGES.md)
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/siemens/cvss-suite. This project is intended to be a safe, welcoming space for collaboration.
+Bug reports and pull requests are welcome on GitHub at https://github.com/0llirocks/cvss-suite. This project is intended to be a safe, welcoming space for collaboration.
 
+## References
+[CvssSuite for .NET](https://cvsssuite.0lli.rocks)

data/_config.yml

@@ -0,0 +1 @@
+theme: jekyll-theme-cayman

data/bin/console

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
-require "bundler/setup"
-require "cvss_suite"
+require 'bundler/setup'
+require 'cvss_suite'
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.
@@ -10,5 +10,5 @@ require "cvss_suite"
 # require "pry"
 # Pry.start
 
-require "irb"
+require 'irb'
 IRB.start

data/cvss_suite.gemspec

@@ -1,15 +1,17 @@
 # CVSS-Suite, a Ruby gem to manage the CVSS vector
 #
-# Copyright (c) Siemens AG, 2016
+# Copyright (c) 2016-2022 Siemens AG
+# Copyright (c) 2022 0llirocks
 #
 # Authors:
-#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#   0llirocks <http://0lli.rocks>
 #
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.
 
 # coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
+
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'cvss_suite/version'
 
@@ -17,24 +19,29 @@ Gem::Specification.new do |spec|
   spec.name          = 'cvss-suite'
   spec.version       = CvssSuite::VERSION
   spec.license       = 'MIT'
-  spec.authors       = ["Oliver Hamboerger"]
-  spec.email         = ["oliver.hamboerger@siemens.com"]
+  spec.authors       = ['0llirocks']
+
+  spec.summary       = 'Ruby gem for processing cvss vectors.'
+  spec.description   = 'This Ruby gem helps you to process the vector of the Common Vulnerability Scoring System (https://www.first.org/cvss/specification-document).
+Besides calculating the Base, Temporal and Environmental Score, you are able to extract the selected option.'
 
-  spec.summary       = %q{Ruby gem for processing cvss vectors.}
-  spec.description   = %q{This Ruby gem helps you to process the vector of the Common Vulnerability Scoring System (https://www.first.org/cvss/specification-document).
-Besides calculating the Base, Temporal and Environmental Score, you are able to extract the selected option.}
-  spec.homepage      = "https://siemens.github.io/cvss-suite/"
+  spec.metadata = {
+    'bug_tracker_uri' => 'https://github.com/0llirocks/cvss-suite/issues',
+    'changelog_uri' => 'https://github.com/0llirocks/cvss-suite/blob/master/CHANGES.md',
+    'documentation_uri' => "https://www.rubydoc.info/gems/cvss-suite/#{CvssSuite::VERSION}",
+    'homepage_uri' => 'https://cvss-suite.0lli.rocks',
+    'source_code_uri' => 'https://github.com/0llirocks/cvss-suite'
+  }
 
-  spec.required_ruby_version = '>= 2.0.0'
+  spec.required_ruby_version = '>= 2.6.0'
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
 
-  spec.add_development_dependency "bundler", "~> 1.10"
-  spec.add_development_dependency "rspec", "~> 3.4"
-  spec.add_development_dependency "rspec-its", "~> 1.2"
-  spec.add_development_dependency "rdoc", "~> 4.2"
-  spec.add_development_dependency "simplecov", "~> 0.11.2"
+  spec.add_development_dependency 'bundler', '>= 1.10'
+  spec.add_development_dependency 'rspec', '~> 3.4'
+  spec.add_development_dependency 'rspec-its', '~> 1.2'
+  spec.add_development_dependency 'simplecov', '~> 0.18'
 end

data/lib/cvss_suite/cvss.rb

@@ -1,125 +1,104 @@
 # CVSS-Suite, a Ruby gem to manage the CVSS vector
 #
-# Copyright (c) Siemens AG, 2016
+# Copyright (c) 2016-2022 Siemens AG
+# Copyright (c) 2022 0llirocks
 #
 # Authors:
-#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#   0llirocks <http://0lli.rocks>
 #
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.
 
-##
-# This class represents any CVSS vector. Do not instantiate this class!
-
-class Cvss
-
-  ##
-  # Metric of a CVSS vector.
-
-  attr_reader :base, :temporal, :environmental
-
-  ##
-  # Returns version of current CVSS vector.
-
-  attr_reader :version
-
+module CvssSuite
   ##
-  # Returns the vector itself.
-
-  attr_reader :vector
-
-  ##
-  # Creates a new CVSS vector by a +vector+ and a +version+.
-  #
-  # Raises an exception if it is called on Cvss class.
-
-  def initialize(vector, version)
-    raise CvssSuite::Errors::InvalidParentClass, 'Do not instantiate this class!' if self.class == Cvss
-    @version = version
-    @vector = vector
-    @properties = []
-    extract_metrics
-    init_metrics
-  end
-
-  ##
-  # Returns if CVSS vector is valid.
+  # This class represents any CVSS vector. Do not instantiate this class!
+  class Cvss
+    ##
+    # Metric of a CVSS vector.
+    attr_reader :base, :temporal, :environmental
+
+    ##
+    # Returns the vector itself.
+    attr_reader :vector
+
+    ##
+    # Creates a new CVSS vector by a +vector+.
+    #
+    # Raises an exception if it is called on Cvss class.
+    def initialize(vector)
+      raise CvssSuite::Errors::InvalidParentClass, 'Do not instantiate this class!' if instance_of? Cvss
+
+      @vector = vector
+      @properties = []
+      extract_metrics
+      init_metrics
+    end
 
-  def valid?
-    if @amount_of_properties == required_amount_of_properties
+    ##
+    # Returns if CVSS vector is valid.
+    def valid?
+      if @amount_of_properties >= required_amount_of_properties
         base = @base.valid?
         temporal = @base.valid? && @temporal.valid?
         environmental = @base.valid? && @environmental.valid?
         full = @base.valid? && @temporal.valid? && @environmental.valid?
         base || temporal || environmental || full
-    else
-      false
+      else
+        false
+      end
     end
-  end
-
-  ##
-  # Returns the severity of the CVSS vector.
-
-  def severity
-    check_validity
-    
-    score = overall_score
 
-    if 0.0 == score
-      "None"
-    elsif (0.1..3.9).include? score
-     "Low"
-    elsif (4.0..6.9).include? score
-     "Medium"
-    elsif (7.0..8.9).include? score
-     "High"
-    elsif (9.0..10.0).include? score
-     "Critical"
-    else
-     "None"
+    ##
+    # Returns the severity of the CVSS vector.
+    def severity
+      check_validity
+
+      score = overall_score
+
+      if score <= 0.0
+        'None'
+      elsif (0.1..3.9).cover? score
+        'Low'
+      elsif (4.0..6.9).cover? score
+        'Medium'
+      elsif (7.0..8.9).cover? score
+        'High'
+      elsif (9.0..10.0).cover? score
+        'Critical'
+      else
+        'None'
+      end
     end
-  end
-
-  ##
-  # Returns the Overall Score of the CVSS vector.
 
-  def overall_score
-    check_validity
-    return temporal_score if @temporal.valid? && !@environmental.valid?
-    return environmental_score if @environmental.valid?
-    base_score
-  end
+    ##
+    # Returns the Overall Score of the CVSS vector.
+    def overall_score
+      check_validity
+      return temporal_score if @temporal.valid? && !@environmental.valid?
+      return environmental_score if @environmental.valid?
 
-  private
-
-  def extract_metrics
-    properties = prepared_vector.split('/')
-    @amount_of_properties = properties.size
-    properties.each_with_index do |property, index|
-      property = property.split(':')
-      @properties.push({ name: property[0], selected: property[1], position: index })
+      base_score
     end
-  end
 
-  def check_validity
-    raise CvssSuite::Errors::InvalidVector, 'Vector is not valid!' unless valid?
-  end
+    private
 
-  def prepared_vector
-    start_of_vector = @vector.index('AV')
+    def extract_metrics
+      properties = @vector.split('/')
+      @amount_of_properties = properties.size
+      properties.each_with_index do |property, index|
+        property = property.split(':')
+        @properties.push({ name: property[0], selected: property[1], position: index })
+      end
+      @properties = [] if @properties.group_by { |p| p[:name] }.select { |_k, v| v.size > 1 }.length.positive?
+    end
 
-    if start_of_vector.nil?
-      String.new
-    else
-      @vector[start_of_vector..-1]
+    def check_validity
+      raise CvssSuite::Errors::InvalidVector, 'Vector is not valid!' unless valid?
     end
-  end
 
-  def required_amount_of_properties
-    total = @base.count if @base.valid?
-    total += @temporal.count if @temporal.valid?
-    total += @environmental.count if @environmental.valid?
-    total ||= 0
+    def required_amount_of_properties
+      total = @base.count
+      total || 0
+    end
   end
-
-end
+end