cvss-suite 1.2.0 → 3.1.0

data/lib/cvss_suite/cvss31/cvss31_temporal.rb

@@ -1,9 +1,10 @@
 # CVSS-Suite, a Ruby gem to manage the CVSS vector
 #
-# Copyright (c) Siemens AG, 2019
+# Copyright (c) 2019-2022 Siemens AG
+# Copyright (c) 2022 0llirocks
 #
 # Authors:
-#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#   0llirocks <http://0lli.rocks>
 #
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.
@@ -11,47 +12,46 @@
 require_relative '../cvss_property'
 require_relative '../cvss_metric'
 
-##
-# This class represents a CVSS Temporal metric in version 3.1.
-
-class Cvss31Temporal < CvssMetric
-
-  ##
-  # Property of this metric
-
-  attr_reader :exploit_code_maturity, :remediation_level, :report_confidence
-
+module CvssSuite
   ##
-  # Returns score of this metric
-
-  def score
-    return 1.0 unless valid?
-    @exploit_code_maturity.score * @remediation_level.score * @report_confidence.score
-  end
-
-  private
-
-  def init_properties
-    @properties.push(@exploit_code_maturity =
-                      CvssProperty.new(name: 'Exploit Code Maturity', abbreviation: 'E', position: [8],
-                                       choices: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
-                                                 { name: 'Unproven', abbreviation: 'U', weight: 0.91 },
-                                                 { name: 'Proof-of-Concept', abbreviation: 'P', weight: 0.94 },
-                                                 { name: 'Functional', abbreviation: 'F', weight: 0.97 },
-                                                 { name: 'High', abbreviation: 'H', weight: 1.0 }]))
-    @properties.push(@remediation_level =
-                      CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [9],
-                                       choices: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
-                                                 { name: 'Official Fix', abbreviation: 'O', weight: 0.95 },
-                                                 { name: 'Temporary Fix', abbreviation: 'T', weight: 0.96 },
-                                                 { name: 'Workaround', abbreviation: 'W', weight: 0.97 },
-                                                 { name: 'Unavailable', abbreviation: 'U', weight: 1.0 }]))
-
-    @properties.push(@report_confidence =
-                      CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [10],
-                                       choices: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
-                                                 { name: 'Unknown', abbreviation: 'U', weight: 0.92 },
-                                                 { name: 'Reasonable', abbreviation: 'R', weight: 0.96 },
-                                                 { name: 'Confirmed', abbreviation: 'C', weight: 1.0 }]))
+  # This class represents a CVSS Temporal metric in version 3.1.
+  class Cvss31Temporal < CvssMetric
+    ##
+    # Property of this metric
+    attr_reader :exploit_code_maturity, :remediation_level, :report_confidence
+
+    ##
+    # Returns score of this metric
+    def score
+      return 1.0 unless valid?
+
+      @exploit_code_maturity.score * @remediation_level.score * @report_confidence.score
+    end
+
+    private
+
+    def init_properties
+      @properties.push(@exploit_code_maturity =
+                         CvssProperty.new(name: 'Exploit Code Maturity', abbreviation: 'E',
+                                          values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+                                                   { name: 'Unproven', abbreviation: 'U', weight: 0.91 },
+                                                   { name: 'Proof-of-Concept', abbreviation: 'P', weight: 0.94 },
+                                                   { name: 'Functional', abbreviation: 'F', weight: 0.97 },
+                                                   { name: 'High', abbreviation: 'H', weight: 1.0 }]))
+      @properties.push(@remediation_level =
+                         CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL',
+                                          values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+                                                   { name: 'Official Fix', abbreviation: 'O', weight: 0.95 },
+                                                   { name: 'Temporary Fix', abbreviation: 'T', weight: 0.96 },
+                                                   { name: 'Workaround', abbreviation: 'W', weight: 0.97 },
+                                                   { name: 'Unavailable', abbreviation: 'U', weight: 1.0 }]))
+
+      @properties.push(@report_confidence =
+                         CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC',
+                                          values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+                                                   { name: 'Unknown', abbreviation: 'U', weight: 0.92 },
+                                                   { name: 'Reasonable', abbreviation: 'R', weight: 0.96 },
+                                                   { name: 'Confirmed', abbreviation: 'C', weight: 1.0 }]))
+    end
   end
-end
+end

data/lib/cvss_suite/cvss_metric.rb

@@ -1,53 +1,52 @@
 # CVSS-Suite, a Ruby gem to manage the CVSS vector
 #
-# Copyright (c) Siemens AG, 2016
+# Copyright (c) 2016-2022 Siemens AG
+# Copyright (c) 2022 0llirocks
 #
 # Authors:
-#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#   0llirocks <http://0lli.rocks>
 #
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.
 
-##
-# This class represents any CVSS metric.
-
-class CvssMetric
-
+module CvssSuite
   ##
-  # Creates a new CVSS metric by +properties+
-
-  def initialize(selected_properties)
-    @properties = []
-    init_properties
-    extract_selected_choices_from selected_properties
-  end
-
-  ##
-  # Returns if the metric is valid.
-
-  def valid?
-    @properties.each do |property|
-      return false unless property.valid?
+  # This class represents any CVSS metric.
+  class CvssMetric
+    ##
+    # Creates a new CVSS metric by +properties+
+    def initialize(selected_properties)
+      @properties = []
+      init_properties
+      extract_selected_values_from selected_properties
     end
-    true
-  end
-
-  ##
-  # Returns number of properties for this metric.
 
-  def count
-    @properties.count
-  end
+    ##
+    # Returns if the metric is valid.
+    def valid?
+      @properties.each do |property|
+        return false unless property.valid?
+      end
+      true
+    end
 
-  private
+    ##
+    # Returns number of properties for this metric.
+    def count
+      @properties.count
+    end
 
-  def extract_selected_choices_from(selected_properties)
-    selected_properties.each do |selected_property|
-      property = @properties.detect {
-          |p| p.abbreviation == selected_property[:name] && p.position.include?(selected_property[:position])
-      }
-      property.set_selected_choice selected_property[:selected] unless property.nil?
+    private
+
+    def extract_selected_values_from(selected_properties)
+      selected_properties.each do |selected_property|
+        property = @properties.detect do |p|
+          p.abbreviation == selected_property[:name] &&
+            (p.position&.include?(selected_property[:position]) || p.position.nil?)
+        end
+        property&.set_selected_value selected_property[:selected]
+      end
+      @properties.reject(&:valid?).each(&:set_default_value)
     end
   end
-
-end
+end

data/lib/cvss_suite/cvss_property.rb

@@ -1,85 +1,97 @@
 # CVSS-Suite, a Ruby gem to manage the CVSS vector
 #
-# Copyright (c) Siemens AG, 2016
+# Copyright (c) 2016-2022 Siemens AG
+# Copyright (c) 2022 0llirocks
 #
 # Authors:
-#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#   0llirocks <http://0lli.rocks>
 #
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.
 
-##
-# This class represents a CVSS property of a CVSS metric.
+module CvssSuite
+  ##
+  # This class represents a CVSS property of a CVSS metric.
+  class CvssProperty
+    ##
+    # Creates a new CVSS property by a +property+.
+    #
+    # +Property+ needs to consist of a name, a abbreviation,
+    # the possible positions in the CVSS vector, a weight, and the
+    # available values for the property.
+
+    def initialize(property)
+      @property = property
+      @property[:default_value] ||= 'Not Defined'
+    end
 
-class CvssProperty
+    ##
+    # Returns the full name of the property.
 
-  ##
-  # Creates a new CVSS property by a +property+.
-  #
-  # +Property+ needs to consist of a name, a abbreviation, the possible positions in the CVSS vector, a weight, and the
-  # available choices for the property.
-
-  def initialize(property)
-    @property = property
-    @property[:default_choice] ||= 'Not Available'
-  end
+    def name
+      @property[:name]
+    end
 
-  ##
-  # Returns the full name of the property.
+    ##
+    # Returns the abbreviation of the property.
 
-  def name
-    @property[:name]
-  end
+    def abbreviation
+      @property[:abbreviation]
+    end
 
-  ##
-  # Returns the abbreviation of the property.
+    ##
+    # Returns all available values of the property.
 
-  def abbreviation
-    @property[:abbreviation]
-  end
+    def values
+      @property[:values]
+    end
 
-  ##
-  # Returns all available choices of the property.
+    ##
+    # Returns the possible positions in the CVSS vector of the property.
 
-  def choices
-    @property[:choices]
-  end
+    def position
+      @property[:position]
+    end
 
-  ##
-  # Returns the possible positions in the CVSS vector of the property.
+    ##
+    # Returns the selected value of the property.
 
-  def position
-    @property[:position]
-  end
+    def selected_value
+      @selected_value || @property[:default_value]
+    end
 
-  ##
-  # Returns the selected choice of the property.
+    ##
+    # Returns true if the property is valid.
 
-  def selected_choice
-    @selected_choice || @property[:default_choice]
-  end
+    def valid?
+      !@selected_value.nil?
+    end
 
-  ##
-  # Returns true if the property is valid.
+    ##
+    # Returns the score of the selected value.
 
-  def valid?
-    !@selected_choice.nil?
-  end
+    def score
+      @selected_value[:weight]
+    end
 
-  ##
-  # Returns the score of the selected choice.
+    ##
+    # Sets the selected value by a +value+.
 
-  def score
-    @selected_choice[:weight]
-  end
+    def set_selected_value(selected_value)
+      values.each do |value|
+        value[:selected] = selected_value.eql?(value[:abbreviation])
+      end
+      @selected_value = values.detect { |value| value[:selected] }
+    end
 
-  ##
-  # Sets the selected choice by a +choice+.
+    ##
+    # Sets the default value.
 
-  def set_selected_choice(selected_choice)
-    choices.each do |choice|
-      choice[:selected] = selected_choice.eql?(choice[:abbreviation])
+    def set_default_value
+      values.each do |value|
+        value[:selected] = value[:abbreviation].eql?('X')
+      end
+      @selected_value = values.detect { |value| value[:selected] }
     end
-    @selected_choice = choices.detect { |choice| choice[:selected] }
   end
-end
+end

data/lib/cvss_suite/errors.rb

@@ -1,6 +1,7 @@
 # CVSS-Suite, a Ruby gem to manage the CVSS vector
 #
-# Copyright (c) Siemens AG, 2016
+# Copyright (c) 2016-2022 Siemens AG
+# Copyright (c) 2022 0llirocks
 #
 # Authors:
 #   Adam David <adamrdavid@gmail.com>
@@ -19,10 +20,12 @@ module CvssSuite
 
       def initialize(message)
         @message = message
+        super
       end
     end
 
     class InvalidVector < RuntimeError; end
+
     class InvalidParentClass < ArgumentError; end
   end
 end

data/lib/cvss_suite/helpers/cvss31_helper.rb

@@ -0,0 +1,28 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# Copyright (c) 2016-2022 Siemens AG
+# Copyright (c) 2022 0llirocks
+#
+# Authors:
+#   0llirocks <http://0lli.rocks>
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+module CvssSuite
+  ##
+  # This module includes methods which are used by the CVSS 3 classes.
+  module Cvss31Helper
+    ##
+    # Since CVSS 3 all float values are rounded up, therefore this method is used
+    # instead of the mathematically correct method round().
+    def self.round_up(float)
+      output = (float * 100_000).round
+      if (output % 10_000).zero?
+        output / 100_000.0
+      else
+        ((output / 10_000).floor + 1) / 10.0
+      end
+    end
+  end
+end

data/lib/cvss_suite/helpers/cvss3_helper.rb

@@ -1,29 +1,36 @@
 # CVSS-Suite, a Ruby gem to manage the CVSS vector
 #
-# Copyright (c) Siemens AG, 2016
+# Copyright (c) 2016-2022 Siemens AG
+# Copyright (c) 2022 0llirocks
 #
 # Authors:
-#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#   0llirocks <http://0lli.rocks>
 #
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.
 
-##
-# This module includes methods which are used by the CVSS 3 classes.
-
-module Cvss3Helper
-
+module CvssSuite
   ##
-  # Since CVSS 3 the Privilege Required score depends on the selected choice of the Scope metric.
-  # This method takes a +Privilege+ +Required+ and a +Scope+ metric and returns the newly calculated score.
+  # This module includes methods which are used by the CVSS 3 classes.
+  module Cvss3Helper
+    ##
+    # Since CVSS 3 all float values are rounded up, therefore this method is used
+    # instead of the mathematically correct method round().
+    def self.round_up(float)
+      float.ceil(1).to_f
+    end
 
-  def self.privileges_required_score(privileges_required, scope)
-    changed =  scope.selected_choice[:name] == 'Changed'
-    privilege_score = privileges_required.score
-    if changed
-      privilege_score = 0.68 if privileges_required.selected_choice[:name] == 'Low'
-      privilege_score = 0.50 if privileges_required.selected_choice[:name] == 'High'
+    ##
+    # Since CVSS 3 the Privilege Required score depends on the selected value of the Scope metric.
+    # This method takes a +Privilege+ +Required+ and a +Scope+ metric and returns the newly calculated score.
+    def self.privileges_required_score(privileges_required, scope)
+      changed = scope.selected_value[:name] == 'Changed'
+      privilege_score = privileges_required.score
+      if changed
+        privilege_score = 0.68 if privileges_required.selected_value[:name] == 'Low'
+        privilege_score = 0.50 if privileges_required.selected_value[:name] == 'High'
+      end
+      privilege_score
     end
-    privilege_score
   end
-end
+end

data/lib/cvss_suite/invalid_cvss.rb

@@ -1,57 +1,52 @@
 # CVSS-Suite, a Ruby gem to manage the CVSS vector
 #
-# Copyright (c) Siemens AG, 2018
+# Copyright (c) 2018-2022 Siemens AG
+# Copyright (c) 2022 0llirocks
 #
 # Authors:
-#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#   0llirocks <http://0lli.rocks>
 #
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.
 
-# ##
-# # This class represents a invalid CVSS vector.
-
-class InvalidCvss < Cvss
-
-  ##
-  # Creates a new invalid CVSS vector.
-
-  def initialize
-  end
-
-  ##
-  # Since this is an invalid CVSS vector, it always returns false.
-
-  def valid?
-    false
-  end
-
-  ##
-  # Since this is an invalid CVSS vector, it always throws an exception.
-
-  def version
-    check_validity
-  end
-
-  ##
-  # Since this is an invalid CVSS vector, it always throws an exception.
-
-  def base_score
-    check_validity
-  end
-
+module CvssSuite
   ##
-  # Since this is an invalid CVSS vector, it always throws an exception.
-
-  def temporal_score
-    check_validity
-  end
-
-  ##
-  # Since this is an invalid CVSS vector, it always throws an exception.
-
-  def environmental_score
-    check_validity
+  # This class represents a invalid CVSS vector.
+  class InvalidCvss < Cvss
+    # rubocop:disable Lint/MissingSuper
+    ##
+    # Creates a new invalid CVSS vector.
+    def initialize; end
+    # rubocop:enable Lint/MissingSuper
+
+    ##
+    # Since this is an invalid CVSS vector, it always returns false.
+    def valid?
+      false
+    end
+
+    ##
+    # Since this is an invalid CVSS vector, it always throws an exception.
+    def version
+      check_validity
+    end
+
+    ##
+    # Since this is an invalid CVSS vector, it always throws an exception.
+    def base_score
+      check_validity
+    end
+
+    ##
+    # Since this is an invalid CVSS vector, it always throws an exception.
+    def temporal_score
+      check_validity
+    end
+
+    ##
+    # Since this is an invalid CVSS vector, it always throws an exception.
+    def environmental_score
+      check_validity
+    end
   end
-
-end
+end

data/lib/cvss_suite/version.rb

@@ -1,13 +1,14 @@
 # CVSS-Suite, a Ruby gem to manage the CVSS vector
 #
-# Copyright (c) Siemens AG, 2019
+# Copyright (c) 2016-2022 Siemens AG
+# Copyright (c) 2022 0llirocks
 #
 # Authors:
-#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#   0llirocks <http://0lli.rocks>
 #
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.
 
 module CvssSuite
-  VERSION = "1.2.0"
+  VERSION = '3.1.0'.freeze
 end

data/lib/cvss_suite.rb

@@ -1,9 +1,10 @@
 # CVSS-Suite, a Ruby gem to manage the CVSS vector
 #
-# Copyright (c) Siemens AG, 2016
+# Copyright (c) 2016-2022 Siemens AG
+# Copyright (c) 2022 0llirocks
 #
 # Authors:
-#   Oliver Hambörger <oliver.hamboerger@siemens.com>
+#   0llirocks <http://0lli.rocks>
 #
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.
@@ -12,33 +13,32 @@ require 'cvss_suite/cvss2/cvss2'
 require 'cvss_suite/cvss3/cvss3'
 require 'cvss_suite/cvss31/cvss31'
 require 'cvss_suite/version'
-require 'cvss_suite/helpers/extensions'
 require 'cvss_suite/errors'
 require 'cvss_suite/invalid_cvss'
 
 ##
 # Module of this gem.
-
 module CvssSuite
   CVSS_VECTOR_BEGINNINGS = [
-    {:string => 'AV:', :version => 2}, 
-    {:string => 'CVSS:3.0/', :version => 3.0},
-    {:string => 'CVSS:3.1/', :version => 3.1}
-  ]
+    { string: 'AV:', version: 2 },
+    { string: '(AV:', version: 2 },
+    { string: 'CVSS:3.0/', version: 3.0 },
+    { string: 'CVSS:3.1/', version: 3.1 }
+  ].freeze
 
   ##
   # Returns a CVSS class by a +vector+.
-
   def self.new(vector)
     return InvalidCvss.new unless vector.is_a? String
+
     @vector_string = vector
     case version
     when 2
-      Cvss2.new(@vector_string, version)
+      Cvss2.new(prepare_vector(@vector_string))
     when 3.0
-      Cvss3.new(@vector_string, version)
+      Cvss3.new(prepare_vector(@vector_string))
     when 3.1
-      Cvss31.new(@vector_string, version)
+      Cvss31.new(prepare_vector(@vector_string))
     else
       InvalidCvss.new
     end
@@ -48,10 +48,41 @@ module CvssSuite
 
   def self.version
     CVSS_VECTOR_BEGINNINGS.each do |beginning|
-      if @vector_string.start_with? beginning[:string]
-        return beginning[:version]
-      end
+      return beginning[:version] if @vector_string.start_with? beginning[:string]
+    end
+  end
+
+  def self.prepare_vector(vector)
+    vector = vector.clone
+
+    return prepare_cvss2_vector(vector) if version == 2
+
+    version_string = CVSS_VECTOR_BEGINNINGS.detect { |v| v[:version] == version } [:string]
+    start_of_vector = vector.index(version_string)
+
+    if start_of_vector.nil?
+      ''
+    else
+      vector[version_string.length..]
     end
   end
 
+  def self.prepare_cvss2_vector(vector)
+    start_of_vector = vector.index('AV')
+
+    if start_of_vector.nil?
+      ''
+    elsif start_of_vector == 1
+      match_array = vector.scan(/\((?>[^)(]+|\g<0>)*\)/)
+      if match_array.length == 1 && match_array[0] == vector
+        vector.slice!(0)
+        vector.slice!(vector.length - 1)
+        vector
+      else
+        ''
+      end
+    else
+      vector[start_of_vector..]
+    end
+  end
 end