cvss-suite 1.2.0 → 3.1.0
- checksums.yaml +4 -4
- data/.github/workflows/rspec.yml +23 -0
- data/.github/workflows/rubocop.yml +22 -0
- data/.rubocop.yml +47 -1
- data/.rubocop_todo.yml +59 -0
- data/CHANGES.md +61 -1
- data/CNAME +1 -0
- data/CODE_OF_CONDUCT.md +3 -2
- data/Gemfile +3 -2
- data/LICENSE.md +2 -1
- data/README.md +21 -18
- data/_config.yml +1 -0
- data/bin/console +3 -3
- data/cvss_suite.gemspec +23 -16
- data/lib/cvss_suite/cvss.rb +77 -98
- data/lib/cvss_suite/cvss2/cvss2.rb +53 -30
- data/lib/cvss_suite/cvss2/cvss2_base.rb +72 -77
- data/lib/cvss_suite/cvss2/cvss2_environmental.rb +55 -56
- data/lib/cvss_suite/cvss2/cvss2_temporal.rb +43 -43
- data/lib/cvss_suite/cvss3/cvss3.rb +42 -38
- data/lib/cvss_suite/cvss3/cvss3_base.rb +75 -77
- data/lib/cvss_suite/cvss3/cvss3_environmental.rb +162 -111
- data/lib/cvss_suite/cvss3/cvss3_temporal.rb +44 -44
- data/lib/cvss_suite/cvss31/cvss31.rb +39 -30
- data/lib/cvss_suite/cvss31/cvss31_base.rb +69 -70
- data/lib/cvss_suite/cvss31/cvss31_environmental.rb +162 -111
- data/lib/cvss_suite/cvss31/cvss31_temporal.rb +44 -44
- data/lib/cvss_suite/cvss_metric.rb +37 -38
- data/lib/cvss_suite/cvss_property.rb +69 -57
- data/lib/cvss_suite/errors.rb +4 -1
- data/lib/cvss_suite/helpers/cvss31_helper.rb +28 -0
- data/lib/cvss_suite/helpers/cvss3_helper.rb +24 -17
- data/lib/cvss_suite/invalid_cvss.rb +42 -47
- data/lib/cvss_suite/version.rb +4 -3
- data/lib/cvss_suite.rb +46 -15
- metadata +23 -29
- data/.travis.yml +0 -4
- data/lib/cvss_suite/helpers/extensions.rb +0 -56
@@ -1,52 +1,75 @@
|
|
1
1
|
# CVSS-Suite, a Ruby gem to manage the CVSS vector
|
2
2
|
#
|
3
|
-
# Copyright (c) Siemens AG
|
3
|
+
# Copyright (c) 2016-2022 Siemens AG
|
4
|
+
# Copyright (c) 2022 0llirocks
|
4
5
|
#
|
5
6
|
# Authors:
|
6
|
-
#
|
7
|
+
# 0llirocks <http://0lli.rocks>
|
7
8
|
#
|
8
9
|
# This work is licensed under the terms of the MIT license.
|
9
10
|
# See the LICENSE.md file in the top-level directory.
|
10
11
|
|
11
|
-
require_relative '
|
12
|
+
require_relative '../cvss'
|
12
13
|
require_relative 'cvss2_base'
|
13
14
|
require_relative 'cvss2_temporal'
|
14
15
|
require_relative 'cvss2_environmental'
|
15
16
|
|
16
|
-
|
17
|
-
|
17
|
+
module CvssSuite
|
18
|
+
##
|
19
|
+
# This class represents a CVSS vector in version 2.
|
20
|
+
class Cvss2 < Cvss
|
21
|
+
##
|
22
|
+
# Returns the Version of the CVSS vector.
|
23
|
+
def version
|
24
|
+
2
|
25
|
+
end
|
18
26
|
|
19
|
-
|
27
|
+
# Returns the severity of the CVSSv2 vector.
|
28
|
+
# https://nvd.nist.gov/vuln-metrics/cvss
|
29
|
+
def severity
|
30
|
+
check_validity
|
20
31
|
|
21
|
-
|
22
|
-
# Returns the Base Score of the CVSS vector.
|
32
|
+
score = overall_score
|
23
33
|
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
34
|
+
case score
|
35
|
+
when 0.0..3.9
|
36
|
+
'Low'
|
37
|
+
when 4.0..6.9
|
38
|
+
'Medium'
|
39
|
+
when 7.0..10.0
|
40
|
+
'High'
|
41
|
+
else
|
42
|
+
'None'
|
43
|
+
end
|
44
|
+
end
|
28
45
|
|
29
|
-
|
30
|
-
|
46
|
+
##
|
47
|
+
# Returns the Base Score of the CVSS vector.
|
48
|
+
def base_score
|
49
|
+
check_validity
|
50
|
+
@base.score.round(1)
|
51
|
+
end
|
31
52
|
|
32
|
-
|
33
|
-
|
34
|
-
|
53
|
+
##
|
54
|
+
# Returns the Temporal Score of the CVSS vector.
|
55
|
+
def temporal_score
|
56
|
+
(base_score * @temporal.score).round(1)
|
57
|
+
end
|
35
58
|
|
36
|
-
|
37
|
-
|
59
|
+
##
|
60
|
+
# Returns the Environmental Score of the CVSS vector.
|
61
|
+
def environmental_score
|
62
|
+
return temporal_score unless @environmental.valid?
|
38
63
|
|
39
|
-
|
40
|
-
|
41
|
-
(@environmental.score @base, @temporal.score).round(1)
|
42
|
-
end
|
64
|
+
(@environmental.score @base, @temporal.score).round(1)
|
65
|
+
end
|
43
66
|
|
44
|
-
|
67
|
+
private
|
45
68
|
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
69
|
+
def init_metrics
|
70
|
+
@base = Cvss2Base.new(@properties)
|
71
|
+
@temporal = Cvss2Temporal.new(@properties)
|
72
|
+
@environmental = Cvss2Environmental.new(@properties)
|
73
|
+
end
|
50
74
|
end
|
51
|
-
|
52
|
-
end
|
75
|
+
end
|
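Review bot: The ranges in `severity` leave gaps between 3.9 and 4.0 and between 6.9 and 7.0, so any score that is not rounded to one decimal falls through to `else` and is reported as 'None', understating a Medium or High finding. `overall_score` is defined outside this file section, so whether it always returns a rounded value cannot be confirmed here. Half-open ranges remove that dependency: `when 0.0...4.0`, `when 4.0...7.0`, `when 7.0..10.0`. A value outside 0–10 would arguably be better reported as an error than labelled 'None'.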
@@ -1,9 +1,10 @@
|
|
1
1
|
# CVSS-Suite, a Ruby gem to manage the CVSS vector
|
2
2
|
#
|
3
|
-
# Copyright (c) Siemens AG
|
3
|
+
# Copyright (c) 2016-2022 Siemens AG
|
4
|
+
# Copyright (c) 2022 0llirocks
|
4
5
|
#
|
5
6
|
# Authors:
|
6
|
-
#
|
7
|
+
# 0llirocks <http://0lli.rocks>
|
7
8
|
#
|
8
9
|
# This work is licensed under the terms of the MIT license.
|
9
10
|
# See the LICENSE.md file in the top-level directory.
|
@@ -11,81 +12,75 @@
|
|
11
12
|
require_relative '../cvss_property'
|
12
13
|
require_relative '../cvss_metric'
|
13
14
|
|
14
|
-
|
15
|
-
# This class represents a CVSS Base metric in version 2.
|
16
|
-
|
17
|
-
class Cvss2Base < CvssMetric
|
18
|
-
|
19
|
-
##
|
20
|
-
# Property of this metric
|
21
|
-
|
22
|
-
attr_reader :access_vector, :access_complexity, :authentication,
|
23
|
-
:confidentiality_impact, :integrity_impact, :availability_impact
|
24
|
-
|
15
|
+
module CvssSuite
|
25
16
|
##
|
26
|
-
#
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
17
|
+
# This class represents a CVSS Base metric in version 2.
|
18
|
+
class Cvss2Base < CvssMetric
|
19
|
+
##
|
20
|
+
# Property of this metric
|
21
|
+
attr_reader :access_vector, :access_complexity, :authentication,
|
22
|
+
:confidentiality_impact, :integrity_impact, :availability_impact
|
23
|
+
|
24
|
+
##
|
25
|
+
# Returns the base score of the CVSS vector. The calculation is based on formula version 2.10 .
|
26
|
+
# See CVSS documentation for further information https://www.first.org/cvss/v2/guide#i3.2.1 .
|
27
|
+
#
|
28
|
+
# Takes +Security+ +Requirement+ +Impacts+ for calculating environmental score.
|
29
|
+
def score(sr_cr_score = 1, sr_ir_score = 1, sr_ar_score = 1)
|
30
|
+
impact = calc_impact(sr_cr_score, sr_ir_score, sr_ar_score)
|
31
|
+
|
32
|
+
exploitability = calc_exploitability
|
33
|
+
|
34
|
+
additional_impact = (impact.zero? ? 0 : 1.176)
|
35
|
+
|
36
|
+
((0.6 * impact) + (0.4 * exploitability) - 1.5) * additional_impact
|
37
|
+
end
|
38
|
+
|
39
|
+
private
|
40
|
+
|
41
|
+
def init_properties
|
42
|
+
@properties.push(@access_vector =
|
43
|
+
CvssProperty.new(name: 'Access Vector', abbreviation: 'AV', position: [0],
|
44
|
+
values: [{ name: 'Network', abbreviation: 'N', weight: 1.0 },
|
45
|
+
{ name: 'Adjacent Network', abbreviation: 'A', weight: 0.646 },
|
46
|
+
{ name: 'Local', abbreviation: 'L', weight: 0.395 }]))
|
47
|
+
@properties.push(@access_complexity =
|
48
|
+
CvssProperty.new(name: 'Access Complexity', abbreviation: 'AC', position: [1],
|
49
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.71 },
|
50
|
+
{ name: 'Medium', abbreviation: 'M', weight: 0.61 },
|
51
|
+
{ name: 'High', abbreviation: 'H', weight: 0.35 }]))
|
52
|
+
@properties.push(@authentication =
|
53
|
+
CvssProperty.new(name: 'Authentication', abbreviation: 'Au', position: [2],
|
54
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.704 },
|
55
|
+
{ name: 'Single', abbreviation: 'S', weight: 0.56 },
|
56
|
+
{ name: 'Multiple', abbreviation: 'M', weight: 0.45 }]))
|
57
|
+
@properties.push(@confidentiality_impact =
|
58
|
+
CvssProperty.new(name: 'Confidentiality Impact', abbreviation: 'C', position: [3],
|
59
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
60
|
+
{ name: 'Partial', abbreviation: 'P', weight: 0.275 },
|
61
|
+
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
62
|
+
@properties.push(@integrity_impact =
|
63
|
+
CvssProperty.new(name: 'Integrity Impact', abbreviation: 'I', position: [4],
|
64
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
65
|
+
{ name: 'Partial', abbreviation: 'P', weight: 0.275 },
|
66
|
+
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
67
|
+
@properties.push(@availability_impact =
|
68
|
+
CvssProperty.new(name: 'Availability Impact', abbreviation: 'A', position: [5],
|
69
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
70
|
+
{ name: 'Partial', abbreviation: 'P', weight: 0.275 },
|
71
|
+
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
72
|
+
end
|
73
|
+
|
74
|
+
def calc_impact(sr_cr_score, sr_ir_score, sr_ar_score)
|
75
|
+
confidentiality_score = 1 - @confidentiality_impact.score * sr_cr_score
|
76
|
+
integrity_score = 1 - @integrity_impact.score * sr_ir_score
|
77
|
+
availability_score = 1 - @availability_impact.score * sr_ar_score
|
78
|
+
|
79
|
+
[10, 10.41 * (1 - confidentiality_score * integrity_score * availability_score)].min
|
80
|
+
end
|
81
|
+
|
82
|
+
def calc_exploitability
|
83
|
+
20 * @access_vector.score * @access_complexity.score * @authentication.score
|
84
|
+
end
|
41
85
|
end
|
42
|
-
|
43
|
-
private
|
44
|
-
|
45
|
-
def init_properties
|
46
|
-
@properties.push(@access_vector =
|
47
|
-
CvssProperty.new(name: 'Access Vector', abbreviation: 'AV', position: [0],
|
48
|
-
choices: [{ name: 'Network', abbreviation: 'N', weight: 1.0 },
|
49
|
-
{ name: 'Adjacent Network', abbreviation: 'A', weight: 0.646 },
|
50
|
-
{ name: 'Local', abbreviation: 'L', weight: 0.395 }]))
|
51
|
-
@properties.push(@access_complexity =
|
52
|
-
CvssProperty.new(name: 'Access Complexity', abbreviation: 'AC', position: [1],
|
53
|
-
choices: [{ name: 'Low', abbreviation: 'L', weight: 0.71 },
|
54
|
-
{ name: 'Medium', abbreviation: 'M', weight: 0.61 },
|
55
|
-
{ name: 'High', abbreviation: 'H', weight: 0.35 }]))
|
56
|
-
@properties.push(@authentication =
|
57
|
-
CvssProperty.new(name: 'Authentication', abbreviation: 'Au', position: [2],
|
58
|
-
choices: [{ name: 'None', abbreviation: 'N', weight: 0.704 },
|
59
|
-
{ name: 'Single', abbreviation: 'S', weight: 0.56 },
|
60
|
-
{ name: 'Multiple', abbreviation: 'M', weight: 0.45 }]))
|
61
|
-
@properties.push(@confidentiality_impact =
|
62
|
-
CvssProperty.new(name: 'Confidentiality Impact', abbreviation: 'C', position: [3],
|
63
|
-
choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
64
|
-
{ name: 'Partial', abbreviation: 'P', weight: 0.275 },
|
65
|
-
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
66
|
-
@properties.push(@integrity_impact =
|
67
|
-
CvssProperty.new(name: 'Integrity Impact', abbreviation: 'I', position: [4],
|
68
|
-
choices: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
69
|
-
{ name: 'Partial', abbreviation: 'P', weight: 0.275 },
|
70
|
-
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
71
|
-
@properties.push(@availability_impact =
|
72
|
-
CvssProperty.new(name: 'Availability Impact', abbreviation: 'A', position: [5],
|
73
|
-
choices: [{ name: 'None', abbreviation: 'N', weight: 0.0},
|
74
|
-
{ name: 'Partial', abbreviation: 'P', weight: 0.275},
|
75
|
-
{ name: 'Complete', abbreviation: 'C', weight: 0.66}]))
|
76
|
-
end
|
77
|
-
|
78
|
-
def calc_impact(sr_cr_score, sr_ir_score, sr_ar_score)
|
79
|
-
confidentiality_score = 1 - @confidentiality_impact.score * sr_cr_score
|
80
|
-
integrity_score = 1 - @integrity_impact.score * sr_ir_score
|
81
|
-
availability_score = 1 - @availability_impact.score * sr_ar_score
|
82
|
-
|
83
|
-
[10, 10.41 * (1-confidentiality_score*integrity_score*availability_score)].min
|
84
|
-
end
|
85
|
-
|
86
|
-
def calc_exploitability
|
87
|
-
20 * @access_vector.score * @access_complexity.score * @authentication.score
|
88
|
-
end
|
89
|
-
|
90
86
|
end
|
91
|
-
|
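Review bot: The comment above `score` should state that the result is unrounded, since the method returns `((0.6 * impact) + (0.4 * exploitability) - 1.5) * additional_impact` as is and the callers on this page (`Cvss2#base_score`, `Cvss2Environmental#score`) each apply `.round(1)` themselves. A new caller that forgets the rounding would report a score with more precision than the other v2 paths do. I would add `# Returns the unrounded base score; callers round to one decimal place.` and a line noting that the three `sr_*_score` arguments default to 1, which leaves the impact weights unchanged.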
@@ -1,9 +1,10 @@
|
|
1
1
|
# CVSS-Suite, a Ruby gem to manage the CVSS vector
|
2
2
|
#
|
3
|
-
# Copyright (c) Siemens AG
|
3
|
+
# Copyright (c) 2016-2022 Siemens AG
|
4
|
+
# Copyright (c) 2022 0llirocks
|
4
5
|
#
|
5
6
|
# Authors:
|
6
|
-
#
|
7
|
+
# 0llirocks <http://0lli.rocks>
|
7
8
|
#
|
8
9
|
# This work is licensed under the terms of the MIT license.
|
9
10
|
# See the LICENSE.md file in the top-level directory.
|
@@ -11,64 +12,62 @@
|
|
11
12
|
require_relative '../cvss_property'
|
12
13
|
require_relative '../cvss_metric'
|
13
14
|
|
14
|
-
|
15
|
-
# This class represents a CVSS Environmental metric in version 2.
|
16
|
-
|
17
|
-
class Cvss2Environmental < CvssMetric
|
18
|
-
|
19
|
-
##
|
20
|
-
# Property of this metric
|
21
|
-
|
22
|
-
attr_reader :collateral_damage_potential, :target_distribution, :security_requirements_cr,
|
23
|
-
:security_requirements_ir, :security_requirements_ar
|
24
|
-
|
15
|
+
module CvssSuite
|
25
16
|
##
|
26
|
-
#
|
27
|
-
|
28
|
-
|
29
|
-
|
17
|
+
# This class represents a CVSS Environmental metric in version 2.
|
18
|
+
class Cvss2Environmental < CvssMetric
|
19
|
+
##
|
20
|
+
# Property of this metric
|
21
|
+
attr_reader :collateral_damage_potential, :target_distribution, :security_requirements_cr,
|
22
|
+
:security_requirements_ir, :security_requirements_ar
|
30
23
|
|
31
|
-
|
32
|
-
|
24
|
+
##
|
25
|
+
# Returns score of this metric
|
26
|
+
def score(base, temporal_score)
|
27
|
+
base_score = base.score(@security_requirements_cr.score,
|
28
|
+
@security_requirements_ir.score,
|
29
|
+
@security_requirements_ar.score).round(1)
|
33
30
|
|
34
|
-
|
31
|
+
adjusted_temporal = (base_score * temporal_score).round(1)
|
32
|
+
(adjusted_temporal + (10 - adjusted_temporal) * @collateral_damage_potential.score) * @target_distribution.score
|
33
|
+
end
|
35
34
|
|
36
|
-
|
35
|
+
private
|
37
36
|
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
37
|
+
def init_properties
|
38
|
+
@properties.push(@collateral_damage_potential =
|
39
|
+
CvssProperty.new(name: 'Collateral Damage Potential', abbreviation: 'CDP', position: [6, 9],
|
40
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
41
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.1 },
|
42
|
+
{ name: 'Low-Medium', abbreviation: 'LM', weight: 0.3 },
|
43
|
+
{ name: 'Medium-High', abbreviation: 'MH', weight: 0.4 },
|
44
|
+
{ name: 'High', abbreviation: 'H', weight: 0.5 },
|
45
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 0.0 }]))
|
46
|
+
@properties.push(@target_distribution =
|
47
|
+
CvssProperty.new(name: 'Target Distribution', abbreviation: 'TD', position: [7, 10],
|
48
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
49
|
+
{ name: 'Low', abbreviation: 'L', weight: 0.25 },
|
50
|
+
{ name: 'Medium', abbreviation: 'M', weight: 0.75 },
|
51
|
+
{ name: 'High', abbreviation: 'H', weight: 1.0 },
|
52
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
53
|
+
@properties.push(@security_requirements_cr =
|
54
|
+
CvssProperty.new(name: 'Confidentiality Requirement', abbreviation: 'CR', position: [8, 11],
|
55
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
56
|
+
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
57
|
+
{ name: 'High', abbreviation: 'H', weight: 1.51 },
|
58
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
59
|
+
@properties.push(@security_requirements_ir =
|
60
|
+
CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
|
61
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
62
|
+
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
63
|
+
{ name: 'High', abbreviation: 'H', weight: 1.51 },
|
64
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
65
|
+
@properties.push(@security_requirements_ar =
|
66
|
+
CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
|
67
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
68
|
+
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
69
|
+
{ name: 'High', abbreviation: 'H', weight: 1.51 },
|
70
|
+
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
71
|
+
end
|
72
72
|
end
|
73
73
|
end
|
74
|
-
|
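Review bot: The `temporal_score` parameter of `score` is a multiplier, not a score: `Cvss2#environmental_score` passes `@temporal.score`, and `Cvss2Temporal#score` returns the product of the three temporal weights. The comment `# Returns score of this metric` documents neither that nor the fact that `base` must respond to `score` with the three requirement weights as arguments. I would extend it to `# +base+ is the Cvss2Base metric; +temporal_score+ is the temporal multiplier (product of the E, RL and RC weights). The result is not rounded.`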
@@ -1,9 +1,10 @@
|
|
1
1
|
# CVSS-Suite, a Ruby gem to manage the CVSS vector
|
2
2
|
#
|
3
|
-
# Copyright (c) Siemens AG
|
3
|
+
# Copyright (c) 2016-2022 Siemens AG
|
4
|
+
# Copyright (c) 2022 0llirocks
|
4
5
|
#
|
5
6
|
# Authors:
|
6
|
-
#
|
7
|
+
# 0llirocks <http://0lli.rocks>
|
7
8
|
#
|
8
9
|
# This work is licensed under the terms of the MIT license.
|
9
10
|
# See the LICENSE.md file in the top-level directory.
|
@@ -11,47 +12,46 @@
|
|
11
12
|
require_relative '../cvss_property'
|
12
13
|
require_relative '../cvss_metric'
|
13
14
|
|
14
|
-
|
15
|
-
# This class represents a CVSS Temporal metric in version 2.
|
16
|
-
|
17
|
-
class Cvss2Temporal < CvssMetric
|
18
|
-
|
19
|
-
##
|
20
|
-
# Property of this metric
|
21
|
-
|
22
|
-
attr_reader :exploitability, :remediation_level, :report_confidence
|
23
|
-
|
15
|
+
module CvssSuite
|
24
16
|
##
|
25
|
-
#
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
17
|
+
# This class represents a CVSS Temporal metric in version 2.
|
18
|
+
class Cvss2Temporal < CvssMetric
|
19
|
+
##
|
20
|
+
# Property of this metric
|
21
|
+
attr_reader :exploitability, :remediation_level, :report_confidence
|
22
|
+
|
23
|
+
##
|
24
|
+
# Returns score of this metric
|
25
|
+
def score
|
26
|
+
return 1 unless valid?
|
27
|
+
|
28
|
+
@exploitability.score * @remediation_level.score * @report_confidence.score
|
29
|
+
end
|
30
|
+
|
31
|
+
private
|
32
|
+
|
33
|
+
def init_properties
|
34
|
+
@properties.push(@exploitability =
|
35
|
+
CvssProperty.new(name: 'Exploitability', abbreviation: 'E', position: [6],
|
36
|
+
values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
|
37
|
+
{ name: 'Unproven', abbreviation: 'U', weight: 0.85 },
|
38
|
+
{ name: 'Proof-of-Concept', abbreviation: 'POC', weight: 0.9 },
|
39
|
+
{ name: 'Functional', abbreviation: 'F', weight: 0.95 },
|
40
|
+
{ name: 'High', abbreviation: 'H', weight: 1 }]))
|
41
|
+
@properties.push(@remediation_level =
|
42
|
+
CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [7],
|
43
|
+
values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
|
44
|
+
{ name: 'Official Fix', abbreviation: 'OF', weight: 0.87 },
|
45
|
+
{ name: 'Temporary Fix', abbreviation: 'TF', weight: 0.9 },
|
46
|
+
{ name: 'Workaround', abbreviation: 'W', weight: 0.95 },
|
47
|
+
{ name: 'Unavailable', abbreviation: 'U', weight: 1 }]))
|
48
|
+
|
49
|
+
@properties.push(@report_confidence =
|
50
|
+
CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [8],
|
51
|
+
values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
|
52
|
+
{ name: 'Unconfirmed', abbreviation: 'UC', weight: 0.9 },
|
53
|
+
{ name: 'Uncorroborated', abbreviation: 'UR', weight: 0.95 },
|
54
|
+
{ name: 'Confirmed', abbreviation: 'C', weight: 1 }]))
|
55
|
+
end
|
56
56
|
end
|
57
57
|
end
|
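Review bot: `return 1 unless valid?` in `score` turns the temporal group into a no-op whenever it is not valid, so a vector with a mistyped temporal metric may be scored as if no temporal metrics were given instead of being rejected. `valid?` comes from `CvssMetric`, outside this file section, so whether it distinguishes an absent group from a malformed one cannot be seen here. At minimum the comment should say so: `# Returns 1 (no adjustment) when the temporal metrics are missing or invalid.`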
@@ -1,52 +1,56 @@
|
|
1
1
|
# CVSS-Suite, a Ruby gem to manage the CVSS vector
|
2
2
|
#
|
3
|
-
# Copyright (c) Siemens AG
|
3
|
+
# Copyright (c) 2016-2022 Siemens AG
|
4
|
+
# Copyright (c) 2022 0llirocks
|
4
5
|
#
|
5
6
|
# Authors:
|
6
|
-
#
|
7
|
+
# 0llirocks <http://0lli.rocks>
|
7
8
|
#
|
8
9
|
# This work is licensed under the terms of the MIT license.
|
9
10
|
# See the LICENSE.md file in the top-level directory.
|
10
11
|
|
11
|
-
require_relative '
|
12
|
+
require_relative '../cvss'
|
12
13
|
require_relative 'cvss3_base'
|
13
14
|
require_relative 'cvss3_temporal'
|
14
15
|
require_relative 'cvss3_environmental'
|
15
16
|
|
16
|
-
|
17
|
-
# This class represents a CVSS vector in version 3.0.
|
18
|
-
|
19
|
-
class Cvss3 < Cvss
|
20
|
-
|
21
|
-
##
|
22
|
-
# Returns the Base Score of the CVSS vector.
|
23
|
-
|
24
|
-
def base_score
|
25
|
-
check_validity
|
26
|
-
@base.score.round_up(1)
|
27
|
-
end
|
28
|
-
|
17
|
+
module CvssSuite
|
29
18
|
##
|
30
|
-
#
|
31
|
-
|
32
|
-
|
33
|
-
|
19
|
+
# This class represents a CVSS vector in version 3.0.
|
20
|
+
class Cvss3 < Cvss
|
21
|
+
##
|
22
|
+
# Returns the Version of the CVSS vector.
|
23
|
+
def version
|
24
|
+
3.0
|
25
|
+
end
|
26
|
+
|
27
|
+
##
|
28
|
+
# Returns the Base Score of the CVSS vector.
|
29
|
+
def base_score
|
30
|
+
check_validity
|
31
|
+
Cvss3Helper.round_up(@base.score)
|
32
|
+
end
|
33
|
+
|
34
|
+
##
|
35
|
+
# Returns the Temporal Score of the CVSS vector.
|
36
|
+
def temporal_score
|
37
|
+
Cvss3Helper.round_up(Cvss3Helper.round_up(@base.score) * @temporal.score)
|
38
|
+
end
|
39
|
+
|
40
|
+
##
|
41
|
+
# Returns the Environmental Score of the CVSS vector.
|
42
|
+
def environmental_score
|
43
|
+
return temporal_score unless @environmental.valid?
|
44
|
+
|
45
|
+
Cvss3Helper.round_up(@environmental.score(@base, @temporal))
|
46
|
+
end
|
47
|
+
|
48
|
+
private
|
49
|
+
|
50
|
+
def init_metrics
|
51
|
+
@base = Cvss3Base.new(@properties)
|
52
|
+
@temporal = Cvss3Temporal.new(@properties)
|
53
|
+
@environmental = Cvss3Environmental.new(@properties)
|
54
|
+
end
|
34
55
|
end
|
35
|
-
|
36
|
-
##
|
37
|
-
# Returns the Environmental Score of the CVSS vector.
|
38
|
-
|
39
|
-
def environmental_score
|
40
|
-
return temporal_score unless @environmental.valid?
|
41
|
-
(@environmental.score @temporal.score).round_up(1)
|
42
|
-
end
|
43
|
-
|
44
|
-
private
|
45
|
-
|
46
|
-
def init_metrics
|
47
|
-
@base = Cvss3Base.new(@properties)
|
48
|
-
@temporal = Cvss3Temporal.new(@properties)
|
49
|
-
@environmental = Cvss3Environmental.new(@properties)
|
50
|
-
end
|
51
|
-
|
52
|
-
end
|
56
|
+
end
|
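Review bot: `temporal_score` reads `@base.score` directly and therefore skips the `check_validity` call that `base_score` makes, whereas `Cvss2#temporal_score` on this page goes through `base_score`. What `check_validity` does is defined in `Cvss`, outside this file section, but presumably an invalid vector is meant to be rejected before any score is computed. Reusing the public method keeps the guard and removes the duplicated rounding: `Cvss3Helper.round_up(base_score * @temporal.score)`. `environmental_score` has the same gap on the path where `@environmental.valid?` is true; a leading `check_validity` there would close it.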