cvss-suite 1.2.0 → 3.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/rspec.yml +23 -0
- data/.github/workflows/rubocop.yml +22 -0
- data/.rubocop.yml +47 -1
- data/.rubocop_todo.yml +59 -0
- data/CHANGES.md +61 -1
- data/CNAME +1 -0
- data/CODE_OF_CONDUCT.md +3 -2
- data/Gemfile +3 -2
- data/LICENSE.md +2 -1
- data/README.md +21 -18
- data/_config.yml +1 -0
- data/bin/console +3 -3
- data/cvss_suite.gemspec +23 -16
- data/lib/cvss_suite/cvss.rb +77 -98
- data/lib/cvss_suite/cvss2/cvss2.rb +53 -30
- data/lib/cvss_suite/cvss2/cvss2_base.rb +72 -77
- data/lib/cvss_suite/cvss2/cvss2_environmental.rb +55 -56
- data/lib/cvss_suite/cvss2/cvss2_temporal.rb +43 -43
- data/lib/cvss_suite/cvss3/cvss3.rb +42 -38
- data/lib/cvss_suite/cvss3/cvss3_base.rb +75 -77
- data/lib/cvss_suite/cvss3/cvss3_environmental.rb +162 -111
- data/lib/cvss_suite/cvss3/cvss3_temporal.rb +44 -44
- data/lib/cvss_suite/cvss31/cvss31.rb +39 -30
- data/lib/cvss_suite/cvss31/cvss31_base.rb +69 -70
- data/lib/cvss_suite/cvss31/cvss31_environmental.rb +162 -111
- data/lib/cvss_suite/cvss31/cvss31_temporal.rb +44 -44
- data/lib/cvss_suite/cvss_metric.rb +37 -38
- data/lib/cvss_suite/cvss_property.rb +69 -57
- data/lib/cvss_suite/errors.rb +4 -1
- data/lib/cvss_suite/helpers/cvss31_helper.rb +28 -0
- data/lib/cvss_suite/helpers/cvss3_helper.rb +24 -17
- data/lib/cvss_suite/invalid_cvss.rb +42 -47
- data/lib/cvss_suite/version.rb +4 -3
- data/lib/cvss_suite.rb +46 -15
- metadata +23 -29
- data/.travis.yml +0 -4
- data/lib/cvss_suite/helpers/extensions.rb +0 -56
|
@@ -1,52 +1,75 @@
|
|
|
1
1
|
# CVSS-Suite, a Ruby gem to manage the CVSS vector
|
|
2
2
|
#
|
|
3
|
-
# Copyright (c) Siemens AG
|
|
3
|
+
# Copyright (c) 2016-2022 Siemens AG
|
|
4
|
+
# Copyright (c) 2022 0llirocks
|
|
4
5
|
#
|
|
5
6
|
# Authors:
|
|
6
|
-
#
|
|
7
|
+
# 0llirocks <http://0lli.rocks>
|
|
7
8
|
#
|
|
8
9
|
# This work is licensed under the terms of the MIT license.
|
|
9
10
|
# See the LICENSE.md file in the top-level directory.
|
|
10
11
|
|
|
11
|
-
require_relative '
|
|
12
|
+
require_relative '../cvss'
|
|
12
13
|
require_relative 'cvss2_base'
|
|
13
14
|
require_relative 'cvss2_temporal'
|
|
14
15
|
require_relative 'cvss2_environmental'
|
|
15
16
|
|
|
16
|
-
|
|
17
|
-
|
|
17
|
+
module CvssSuite
|
|
18
|
+
##
|
|
19
|
+
# This class represents a CVSS vector in version 2.
|
|
20
|
+
class Cvss2 < Cvss
|
|
21
|
+
##
|
|
22
|
+
# Returns the Version of the CVSS vector.
|
|
23
|
+
def version
|
|
24
|
+
2
|
|
25
|
+
end
|
|
18
26
|
|
|
19
|
-
|
|
27
|
+
# Returns the severity of the CVSSv2 vector.
|
|
28
|
+
# https://nvd.nist.gov/vuln-metrics/cvss
|
|
29
|
+
def severity
|
|
30
|
+
check_validity
|
|
20
31
|
|
|
21
|
-
|
|
22
|
-
# Returns the Base Score of the CVSS vector.
|
|
32
|
+
score = overall_score
|
|
23
33
|
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
34
|
+
case score
|
|
35
|
+
when 0.0..3.9
|
|
36
|
+
'Low'
|
|
37
|
+
when 4.0..6.9
|
|
38
|
+
'Medium'
|
|
39
|
+
when 7.0..10.0
|
|
40
|
+
'High'
|
|
41
|
+
else
|
|
42
|
+
'None'
|
|
43
|
+
end
|
|
44
|
+
end
|
|
28
45
|
|
|
29
|
-
|
|
30
|
-
|
|
46
|
+
##
|
|
47
|
+
# Returns the Base Score of the CVSS vector.
|
|
48
|
+
def base_score
|
|
49
|
+
check_validity
|
|
50
|
+
@base.score.round(1)
|
|
51
|
+
end
|
|
31
52
|
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
53
|
+
##
|
|
54
|
+
# Returns the Temporal Score of the CVSS vector.
|
|
55
|
+
def temporal_score
|
|
56
|
+
(base_score * @temporal.score).round(1)
|
|
57
|
+
end
|
|
35
58
|
|
|
36
|
-
|
|
37
|
-
|
|
59
|
+
##
|
|
60
|
+
# Returns the Environmental Score of the CVSS vector.
|
|
61
|
+
def environmental_score
|
|
62
|
+
return temporal_score unless @environmental.valid?
|
|
38
63
|
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
(@environmental.score @base, @temporal.score).round(1)
|
|
42
|
-
end
|
|
64
|
+
(@environmental.score @base, @temporal.score).round(1)
|
|
65
|
+
end
|
|
43
66
|
|
|
44
|
-
|
|
67
|
+
private
|
|
45
68
|
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
69
|
+
def init_metrics
|
|
70
|
+
@base = Cvss2Base.new(@properties)
|
|
71
|
+
@temporal = Cvss2Temporal.new(@properties)
|
|
72
|
+
@environmental = Cvss2Environmental.new(@properties)
|
|
73
|
+
end
|
|
50
74
|
end
|
|
51
|
-
|
|
52
|
-
end
|
|
75
|
+
end
|
|
@@ -1,9 +1,10 @@
|
|
|
1
1
|
# CVSS-Suite, a Ruby gem to manage the CVSS vector
|
|
2
2
|
#
|
|
3
|
-
# Copyright (c) Siemens AG
|
|
3
|
+
# Copyright (c) 2016-2022 Siemens AG
|
|
4
|
+
# Copyright (c) 2022 0llirocks
|
|
4
5
|
#
|
|
5
6
|
# Authors:
|
|
6
|
-
#
|
|
7
|
+
# 0llirocks <http://0lli.rocks>
|
|
7
8
|
#
|
|
8
9
|
# This work is licensed under the terms of the MIT license.
|
|
9
10
|
# See the LICENSE.md file in the top-level directory.
|
|
@@ -11,81 +12,75 @@
|
|
|
11
12
|
require_relative '../cvss_property'
|
|
12
13
|
require_relative '../cvss_metric'
|
|
13
14
|
|
|
14
|
-
|
|
15
|
-
# This class represents a CVSS Base metric in version 2.
|
|
16
|
-
|
|
17
|
-
class Cvss2Base < CvssMetric
|
|
18
|
-
|
|
19
|
-
##
|
|
20
|
-
# Property of this metric
|
|
21
|
-
|
|
22
|
-
attr_reader :access_vector, :access_complexity, :authentication,
|
|
23
|
-
:confidentiality_impact, :integrity_impact, :availability_impact
|
|
24
|
-
|
|
15
|
+
module CvssSuite
|
|
25
16
|
##
|
|
26
|
-
#
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
17
|
+
# This class represents a CVSS Base metric in version 2.
|
|
18
|
+
class Cvss2Base < CvssMetric
|
|
19
|
+
##
|
|
20
|
+
# Property of this metric
|
|
21
|
+
attr_reader :access_vector, :access_complexity, :authentication,
|
|
22
|
+
:confidentiality_impact, :integrity_impact, :availability_impact
|
|
23
|
+
|
|
24
|
+
##
|
|
25
|
+
# Returns the base score of the CVSS vector. The calculation is based on formula version 2.10 .
|
|
26
|
+
# See CVSS documentation for further information https://www.first.org/cvss/v2/guide#i3.2.1 .
|
|
27
|
+
#
|
|
28
|
+
# Takes +Security+ +Requirement+ +Impacts+ for calculating environmental score.
|
|
29
|
+
def score(sr_cr_score = 1, sr_ir_score = 1, sr_ar_score = 1)
|
|
30
|
+
impact = calc_impact(sr_cr_score, sr_ir_score, sr_ar_score)
|
|
31
|
+
|
|
32
|
+
exploitability = calc_exploitability
|
|
33
|
+
|
|
34
|
+
additional_impact = (impact.zero? ? 0 : 1.176)
|
|
35
|
+
|
|
36
|
+
((0.6 * impact) + (0.4 * exploitability) - 1.5) * additional_impact
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
private
|
|
40
|
+
|
|
41
|
+
def init_properties
|
|
42
|
+
@properties.push(@access_vector =
|
|
43
|
+
CvssProperty.new(name: 'Access Vector', abbreviation: 'AV', position: [0],
|
|
44
|
+
values: [{ name: 'Network', abbreviation: 'N', weight: 1.0 },
|
|
45
|
+
{ name: 'Adjacent Network', abbreviation: 'A', weight: 0.646 },
|
|
46
|
+
{ name: 'Local', abbreviation: 'L', weight: 0.395 }]))
|
|
47
|
+
@properties.push(@access_complexity =
|
|
48
|
+
CvssProperty.new(name: 'Access Complexity', abbreviation: 'AC', position: [1],
|
|
49
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.71 },
|
|
50
|
+
{ name: 'Medium', abbreviation: 'M', weight: 0.61 },
|
|
51
|
+
{ name: 'High', abbreviation: 'H', weight: 0.35 }]))
|
|
52
|
+
@properties.push(@authentication =
|
|
53
|
+
CvssProperty.new(name: 'Authentication', abbreviation: 'Au', position: [2],
|
|
54
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.704 },
|
|
55
|
+
{ name: 'Single', abbreviation: 'S', weight: 0.56 },
|
|
56
|
+
{ name: 'Multiple', abbreviation: 'M', weight: 0.45 }]))
|
|
57
|
+
@properties.push(@confidentiality_impact =
|
|
58
|
+
CvssProperty.new(name: 'Confidentiality Impact', abbreviation: 'C', position: [3],
|
|
59
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
|
60
|
+
{ name: 'Partial', abbreviation: 'P', weight: 0.275 },
|
|
61
|
+
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
|
62
|
+
@properties.push(@integrity_impact =
|
|
63
|
+
CvssProperty.new(name: 'Integrity Impact', abbreviation: 'I', position: [4],
|
|
64
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
|
65
|
+
{ name: 'Partial', abbreviation: 'P', weight: 0.275 },
|
|
66
|
+
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
|
67
|
+
@properties.push(@availability_impact =
|
|
68
|
+
CvssProperty.new(name: 'Availability Impact', abbreviation: 'A', position: [5],
|
|
69
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
|
70
|
+
{ name: 'Partial', abbreviation: 'P', weight: 0.275 },
|
|
71
|
+
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
def calc_impact(sr_cr_score, sr_ir_score, sr_ar_score)
|
|
75
|
+
confidentiality_score = 1 - @confidentiality_impact.score * sr_cr_score
|
|
76
|
+
integrity_score = 1 - @integrity_impact.score * sr_ir_score
|
|
77
|
+
availability_score = 1 - @availability_impact.score * sr_ar_score
|
|
78
|
+
|
|
79
|
+
[10, 10.41 * (1 - confidentiality_score * integrity_score * availability_score)].min
|
|
80
|
+
end
|
|
81
|
+
|
|
82
|
+
def calc_exploitability
|
|
83
|
+
20 * @access_vector.score * @access_complexity.score * @authentication.score
|
|
84
|
+
end
|
|
41
85
|
end
|
|
42
|
-
|
|
43
|
-
private
|
|
44
|
-
|
|
45
|
-
def init_properties
|
|
46
|
-
@properties.push(@access_vector =
|
|
47
|
-
CvssProperty.new(name: 'Access Vector', abbreviation: 'AV', position: [0],
|
|
48
|
-
choices: [{ name: 'Network', abbreviation: 'N', weight: 1.0 },
|
|
49
|
-
{ name: 'Adjacent Network', abbreviation: 'A', weight: 0.646 },
|
|
50
|
-
{ name: 'Local', abbreviation: 'L', weight: 0.395 }]))
|
|
51
|
-
@properties.push(@access_complexity =
|
|
52
|
-
CvssProperty.new(name: 'Access Complexity', abbreviation: 'AC', position: [1],
|
|
53
|
-
choices: [{ name: 'Low', abbreviation: 'L', weight: 0.71 },
|
|
54
|
-
{ name: 'Medium', abbreviation: 'M', weight: 0.61 },
|
|
55
|
-
{ name: 'High', abbreviation: 'H', weight: 0.35 }]))
|
|
56
|
-
@properties.push(@authentication =
|
|
57
|
-
CvssProperty.new(name: 'Authentication', abbreviation: 'Au', position: [2],
|
|
58
|
-
choices: [{ name: 'None', abbreviation: 'N', weight: 0.704 },
|
|
59
|
-
{ name: 'Single', abbreviation: 'S', weight: 0.56 },
|
|
60
|
-
{ name: 'Multiple', abbreviation: 'M', weight: 0.45 }]))
|
|
61
|
-
@properties.push(@confidentiality_impact =
|
|
62
|
-
CvssProperty.new(name: 'Confidentiality Impact', abbreviation: 'C', position: [3],
|
|
63
|
-
choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
|
64
|
-
{ name: 'Partial', abbreviation: 'P', weight: 0.275 },
|
|
65
|
-
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
|
66
|
-
@properties.push(@integrity_impact =
|
|
67
|
-
CvssProperty.new(name: 'Integrity Impact', abbreviation: 'I', position: [4],
|
|
68
|
-
choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
|
69
|
-
{ name: 'Partial', abbreviation: 'P', weight: 0.275 },
|
|
70
|
-
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
|
71
|
-
@properties.push(@availability_impact =
|
|
72
|
-
CvssProperty.new(name: 'Availability Impact', abbreviation: 'A', position: [5],
|
|
73
|
-
choices: [{ name: 'None', abbreviation: 'N', weight: 0.0},
|
|
74
|
-
{ name: 'Partial', abbreviation: 'P', weight: 0.275},
|
|
75
|
-
{ name: 'Complete', abbreviation: 'C', weight: 0.66}]))
|
|
76
|
-
end
|
|
77
|
-
|
|
78
|
-
def calc_impact(sr_cr_score, sr_ir_score, sr_ar_score)
|
|
79
|
-
confidentiality_score = 1 - @confidentiality_impact.score * sr_cr_score
|
|
80
|
-
integrity_score = 1 - @integrity_impact.score * sr_ir_score
|
|
81
|
-
availability_score = 1 - @availability_impact.score * sr_ar_score
|
|
82
|
-
|
|
83
|
-
[10, 10.41 * (1-confidentiality_score*integrity_score*availability_score)].min
|
|
84
|
-
end
|
|
85
|
-
|
|
86
|
-
def calc_exploitability
|
|
87
|
-
20 * @access_vector.score * @access_complexity.score * @authentication.score
|
|
88
|
-
end
|
|
89
|
-
|
|
90
86
|
end
|
|
91
|
-
|
|
@@ -1,9 +1,10 @@
|
|
|
1
1
|
# CVSS-Suite, a Ruby gem to manage the CVSS vector
|
|
2
2
|
#
|
|
3
|
-
# Copyright (c) Siemens AG
|
|
3
|
+
# Copyright (c) 2016-2022 Siemens AG
|
|
4
|
+
# Copyright (c) 2022 0llirocks
|
|
4
5
|
#
|
|
5
6
|
# Authors:
|
|
6
|
-
#
|
|
7
|
+
# 0llirocks <http://0lli.rocks>
|
|
7
8
|
#
|
|
8
9
|
# This work is licensed under the terms of the MIT license.
|
|
9
10
|
# See the LICENSE.md file in the top-level directory.
|
|
@@ -11,64 +12,62 @@
|
|
|
11
12
|
require_relative '../cvss_property'
|
|
12
13
|
require_relative '../cvss_metric'
|
|
13
14
|
|
|
14
|
-
|
|
15
|
-
# This class represents a CVSS Environmental metric in version 2.
|
|
16
|
-
|
|
17
|
-
class Cvss2Environmental < CvssMetric
|
|
18
|
-
|
|
19
|
-
##
|
|
20
|
-
# Property of this metric
|
|
21
|
-
|
|
22
|
-
attr_reader :collateral_damage_potential, :target_distribution, :security_requirements_cr,
|
|
23
|
-
:security_requirements_ir, :security_requirements_ar
|
|
24
|
-
|
|
15
|
+
module CvssSuite
|
|
25
16
|
##
|
|
26
|
-
#
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
17
|
+
# This class represents a CVSS Environmental metric in version 2.
|
|
18
|
+
class Cvss2Environmental < CvssMetric
|
|
19
|
+
##
|
|
20
|
+
# Property of this metric
|
|
21
|
+
attr_reader :collateral_damage_potential, :target_distribution, :security_requirements_cr,
|
|
22
|
+
:security_requirements_ir, :security_requirements_ar
|
|
30
23
|
|
|
31
|
-
|
|
32
|
-
|
|
24
|
+
##
|
|
25
|
+
# Returns score of this metric
|
|
26
|
+
def score(base, temporal_score)
|
|
27
|
+
base_score = base.score(@security_requirements_cr.score,
|
|
28
|
+
@security_requirements_ir.score,
|
|
29
|
+
@security_requirements_ar.score).round(1)
|
|
33
30
|
|
|
34
|
-
|
|
31
|
+
adjusted_temporal = (base_score * temporal_score).round(1)
|
|
32
|
+
(adjusted_temporal + (10 - adjusted_temporal) * @collateral_damage_potential.score) * @target_distribution.score
|
|
33
|
+
end
|
|
35
34
|
|
|
36
|
-
|
|
35
|
+
private
|
|
37
36
|
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
37
|
+
def init_properties
|
|
38
|
+
@properties.push(@collateral_damage_potential =
|
|
39
|
+
CvssProperty.new(name: 'Collateral Damage Potential', abbreviation: 'CDP', position: [6, 9],
|
|
40
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
|
41
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.1 },
|
|
42
|
+
{ name: 'Low-Medium', abbreviation: 'LM', weight: 0.3 },
|
|
43
|
+
{ name: 'Medium-High', abbreviation: 'MH', weight: 0.4 },
|
|
44
|
+
{ name: 'High', abbreviation: 'H', weight: 0.5 },
|
|
45
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 0.0 }]))
|
|
46
|
+
@properties.push(@target_distribution =
|
|
47
|
+
CvssProperty.new(name: 'Target Distribution', abbreviation: 'TD', position: [7, 10],
|
|
48
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
|
49
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.25 },
|
|
50
|
+
{ name: 'Medium', abbreviation: 'M', weight: 0.75 },
|
|
51
|
+
{ name: 'High', abbreviation: 'H', weight: 1.0 },
|
|
52
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
|
53
|
+
@properties.push(@security_requirements_cr =
|
|
54
|
+
CvssProperty.new(name: 'Confidentiality Requirement', abbreviation: 'CR', position: [8, 11],
|
|
55
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
|
56
|
+
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
|
57
|
+
{ name: 'High', abbreviation: 'H', weight: 1.51 },
|
|
58
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
|
59
|
+
@properties.push(@security_requirements_ir =
|
|
60
|
+
CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
|
|
61
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
|
62
|
+
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
|
63
|
+
{ name: 'High', abbreviation: 'H', weight: 1.51 },
|
|
64
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
|
65
|
+
@properties.push(@security_requirements_ar =
|
|
66
|
+
CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
|
|
67
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
|
68
|
+
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
|
69
|
+
{ name: 'High', abbreviation: 'H', weight: 1.51 },
|
|
70
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
|
71
|
+
end
|
|
72
72
|
end
|
|
73
73
|
end
|
|
74
|
-
|
|
@@ -1,9 +1,10 @@
|
|
|
1
1
|
# CVSS-Suite, a Ruby gem to manage the CVSS vector
|
|
2
2
|
#
|
|
3
|
-
# Copyright (c) Siemens AG
|
|
3
|
+
# Copyright (c) 2016-2022 Siemens AG
|
|
4
|
+
# Copyright (c) 2022 0llirocks
|
|
4
5
|
#
|
|
5
6
|
# Authors:
|
|
6
|
-
#
|
|
7
|
+
# 0llirocks <http://0lli.rocks>
|
|
7
8
|
#
|
|
8
9
|
# This work is licensed under the terms of the MIT license.
|
|
9
10
|
# See the LICENSE.md file in the top-level directory.
|
|
@@ -11,47 +12,46 @@
|
|
|
11
12
|
require_relative '../cvss_property'
|
|
12
13
|
require_relative '../cvss_metric'
|
|
13
14
|
|
|
14
|
-
|
|
15
|
-
# This class represents a CVSS Temporal metric in version 2.
|
|
16
|
-
|
|
17
|
-
class Cvss2Temporal < CvssMetric
|
|
18
|
-
|
|
19
|
-
##
|
|
20
|
-
# Property of this metric
|
|
21
|
-
|
|
22
|
-
attr_reader :exploitability, :remediation_level, :report_confidence
|
|
23
|
-
|
|
15
|
+
module CvssSuite
|
|
24
16
|
##
|
|
25
|
-
#
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
17
|
+
# This class represents a CVSS Temporal metric in version 2.
|
|
18
|
+
class Cvss2Temporal < CvssMetric
|
|
19
|
+
##
|
|
20
|
+
# Property of this metric
|
|
21
|
+
attr_reader :exploitability, :remediation_level, :report_confidence
|
|
22
|
+
|
|
23
|
+
##
|
|
24
|
+
# Returns score of this metric
|
|
25
|
+
def score
|
|
26
|
+
return 1 unless valid?
|
|
27
|
+
|
|
28
|
+
@exploitability.score * @remediation_level.score * @report_confidence.score
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
private
|
|
32
|
+
|
|
33
|
+
def init_properties
|
|
34
|
+
@properties.push(@exploitability =
|
|
35
|
+
CvssProperty.new(name: 'Exploitability', abbreviation: 'E', position: [6],
|
|
36
|
+
values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
|
|
37
|
+
{ name: 'Unproven', abbreviation: 'U', weight: 0.85 },
|
|
38
|
+
{ name: 'Proof-of-Concept', abbreviation: 'POC', weight: 0.9 },
|
|
39
|
+
{ name: 'Functional', abbreviation: 'F', weight: 0.95 },
|
|
40
|
+
{ name: 'High', abbreviation: 'H', weight: 1 }]))
|
|
41
|
+
@properties.push(@remediation_level =
|
|
42
|
+
CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [7],
|
|
43
|
+
values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
|
|
44
|
+
{ name: 'Official Fix', abbreviation: 'OF', weight: 0.87 },
|
|
45
|
+
{ name: 'Temporary Fix', abbreviation: 'TF', weight: 0.9 },
|
|
46
|
+
{ name: 'Workaround', abbreviation: 'W', weight: 0.95 },
|
|
47
|
+
{ name: 'Unavailable', abbreviation: 'U', weight: 1 }]))
|
|
48
|
+
|
|
49
|
+
@properties.push(@report_confidence =
|
|
50
|
+
CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [8],
|
|
51
|
+
values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
|
|
52
|
+
{ name: 'Unconfirmed', abbreviation: 'UC', weight: 0.9 },
|
|
53
|
+
{ name: 'Uncorroborated', abbreviation: 'UR', weight: 0.95 },
|
|
54
|
+
{ name: 'Confirmed', abbreviation: 'C', weight: 1 }]))
|
|
55
|
+
end
|
|
56
56
|
end
|
|
57
57
|
end
|
|
@@ -1,52 +1,56 @@
|
|
|
1
1
|
# CVSS-Suite, a Ruby gem to manage the CVSS vector
|
|
2
2
|
#
|
|
3
|
-
# Copyright (c) Siemens AG
|
|
3
|
+
# Copyright (c) 2016-2022 Siemens AG
|
|
4
|
+
# Copyright (c) 2022 0llirocks
|
|
4
5
|
#
|
|
5
6
|
# Authors:
|
|
6
|
-
#
|
|
7
|
+
# 0llirocks <http://0lli.rocks>
|
|
7
8
|
#
|
|
8
9
|
# This work is licensed under the terms of the MIT license.
|
|
9
10
|
# See the LICENSE.md file in the top-level directory.
|
|
10
11
|
|
|
11
|
-
require_relative '
|
|
12
|
+
require_relative '../cvss'
|
|
12
13
|
require_relative 'cvss3_base'
|
|
13
14
|
require_relative 'cvss3_temporal'
|
|
14
15
|
require_relative 'cvss3_environmental'
|
|
15
16
|
|
|
16
|
-
|
|
17
|
-
# This class represents a CVSS vector in version 3.0.
|
|
18
|
-
|
|
19
|
-
class Cvss3 < Cvss
|
|
20
|
-
|
|
21
|
-
##
|
|
22
|
-
# Returns the Base Score of the CVSS vector.
|
|
23
|
-
|
|
24
|
-
def base_score
|
|
25
|
-
check_validity
|
|
26
|
-
@base.score.round_up(1)
|
|
27
|
-
end
|
|
28
|
-
|
|
17
|
+
module CvssSuite
|
|
29
18
|
##
|
|
30
|
-
#
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
19
|
+
# This class represents a CVSS vector in version 3.0.
|
|
20
|
+
class Cvss3 < Cvss
|
|
21
|
+
##
|
|
22
|
+
# Returns the Version of the CVSS vector.
|
|
23
|
+
def version
|
|
24
|
+
3.0
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
##
|
|
28
|
+
# Returns the Base Score of the CVSS vector.
|
|
29
|
+
def base_score
|
|
30
|
+
check_validity
|
|
31
|
+
Cvss3Helper.round_up(@base.score)
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
##
|
|
35
|
+
# Returns the Temporal Score of the CVSS vector.
|
|
36
|
+
def temporal_score
|
|
37
|
+
Cvss3Helper.round_up(Cvss3Helper.round_up(@base.score) * @temporal.score)
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
##
|
|
41
|
+
# Returns the Environmental Score of the CVSS vector.
|
|
42
|
+
def environmental_score
|
|
43
|
+
return temporal_score unless @environmental.valid?
|
|
44
|
+
|
|
45
|
+
Cvss3Helper.round_up(@environmental.score(@base, @temporal))
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
private
|
|
49
|
+
|
|
50
|
+
def init_metrics
|
|
51
|
+
@base = Cvss3Base.new(@properties)
|
|
52
|
+
@temporal = Cvss3Temporal.new(@properties)
|
|
53
|
+
@environmental = Cvss3Environmental.new(@properties)
|
|
54
|
+
end
|
|
34
55
|
end
|
|
35
|
-
|
|
36
|
-
##
|
|
37
|
-
# Returns the Environmental Score of the CVSS vector.
|
|
38
|
-
|
|
39
|
-
def environmental_score
|
|
40
|
-
return temporal_score unless @environmental.valid?
|
|
41
|
-
(@environmental.score @temporal.score).round_up(1)
|
|
42
|
-
end
|
|
43
|
-
|
|
44
|
-
private
|
|
45
|
-
|
|
46
|
-
def init_metrics
|
|
47
|
-
@base = Cvss3Base.new(@properties)
|
|
48
|
-
@temporal = Cvss3Temporal.new(@properties)
|
|
49
|
-
@environmental = Cvss3Environmental.new(@properties)
|
|
50
|
-
end
|
|
51
|
-
|
|
52
|
-
end
|
|
56
|
+
end
|