cvss-suite 1.2.3 → 2.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/rubocop.yml +21 -0
- data/.rubocop.yml +6 -33
- data/.rubocop_todo.yml +2 -67
- data/CHANGES.md +5 -12
- data/README.md +15 -14
- data/cvss_suite.gemspec +1 -3
- data/lib/cvss_suite/cvss.rb +8 -26
- data/lib/cvss_suite/cvss2/cvss2.rb +2 -25
- data/lib/cvss_suite/cvss2/cvss2_base.rb +9 -12
- data/lib/cvss_suite/cvss2/cvss2_environmental.rb +10 -11
- data/lib/cvss_suite/cvss2/cvss2_temporal.rb +5 -8
- data/lib/cvss_suite/cvss3/cvss3.rb +3 -8
- data/lib/cvss_suite/cvss3/cvss3_base.rb +14 -16
- data/lib/cvss_suite/cvss3/cvss3_environmental.rb +24 -81
- data/lib/cvss_suite/cvss3/cvss3_temporal.rb +5 -8
- data/lib/cvss_suite/cvss31/cvss31.rb +3 -4
- data/lib/cvss_suite/cvss31/cvss31_base.rb +14 -15
- data/lib/cvss_suite/cvss31/cvss31_environmental.rb +24 -81
- data/lib/cvss_suite/cvss31/cvss31_temporal.rb +5 -8
- data/lib/cvss_suite/cvss_metric.rb +5 -9
- data/lib/cvss_suite/cvss_property.rb +18 -19
- data/lib/cvss_suite/helpers/cvss3_helper.rb +6 -7
- data/lib/cvss_suite/invalid_cvss.rb +2 -9
- data/lib/cvss_suite/version.rb +1 -1
- data/lib/cvss_suite.rb +2 -7
- metadata +5 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 5917987479ecee6f2a020076b59751dda816e259d984a540bd1b6c0fb40b6422
|
4
|
+
data.tar.gz: 5225e8afd1e553709590bc2bb1a60955c76462d62bbfe825bf2a2081d4647163
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6824cf5f7f04f2f8eb5ef5613e61fd86b275b36fd316c7f4d4d60af8f9422176b1485eefe24de482e9dc98c328291ed2a7bccafdec3f03d353fae505c43d988c
|
7
|
+
data.tar.gz: 2014e6368dea9deecd623d88a7f7b4d4c5367d1cb3a832ebdac3f6b47d5308b03e1129d157a11dad7e6ac93645ca971ad8dc4b8d85efdd83145f0f58883af6a4
|
@@ -0,0 +1,21 @@
|
|
1
|
+
name: Rubocop
|
2
|
+
|
3
|
+
on: [push,pull_request]
|
4
|
+
|
5
|
+
jobs:
|
6
|
+
build:
|
7
|
+
|
8
|
+
runs-on: ubuntu-latest
|
9
|
+
|
10
|
+
steps:
|
11
|
+
- uses: actions/checkout@v2
|
12
|
+
- name: Set up Ruby 2.7
|
13
|
+
uses: actions/setup-ruby@v1
|
14
|
+
with:
|
15
|
+
ruby-version: 2.7
|
16
|
+
- name: Build
|
17
|
+
run: |
|
18
|
+
gem install bundler -v "=> 1.10"
|
19
|
+
gem install rubocop
|
20
|
+
- name: Run tests
|
21
|
+
run: rubocop -F --fail-level C -f s
|
data/.rubocop.yml
CHANGED
@@ -1,40 +1,13 @@
|
|
1
1
|
inherit_from: .rubocop_todo.yml
|
2
2
|
|
3
|
+
AllCops:
|
4
|
+
TargetRubyVersion: 2.4
|
5
|
+
|
3
6
|
Metrics/LineLength:
|
4
7
|
Max: 120
|
5
|
-
Exclude:
|
6
|
-
- 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
|
7
|
-
- 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
|
8
|
-
|
9
|
-
Metrics/ClassLength:
|
10
|
-
Exclude:
|
11
|
-
- 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
|
12
|
-
- 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
|
13
|
-
|
14
|
-
Metrics/MethodLength:
|
15
|
-
Exclude:
|
16
|
-
- 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
|
17
|
-
- 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
|
18
|
-
|
19
|
-
Metrics/BlockLength:
|
20
|
-
Exclude:
|
21
|
-
- 'spec/cvss3/cvss3_spec.rb'
|
22
|
-
- 'spec/cvss31/cvss31_spec.rb'
|
23
|
-
|
24
|
-
Style/IfUnlessModifier:
|
25
|
-
Exclude:
|
26
|
-
- 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
|
27
|
-
- 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
|
28
|
-
|
29
|
-
Style/GuardClause:
|
30
|
-
Exclude:
|
31
|
-
- 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
|
32
|
-
- 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
|
33
|
-
|
34
|
-
Style/ConditionalAssignment:
|
35
|
-
Exclude:
|
36
|
-
- 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
|
37
|
-
- 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
|
38
8
|
|
39
9
|
Style/FrozenStringLiteralComment:
|
40
10
|
Enabled: false
|
11
|
+
|
12
|
+
Style/AsciiComments:
|
13
|
+
Enabled: false
|
data/.rubocop_todo.yml
CHANGED
@@ -1,3 +1,4 @@
|
|
1
|
+
# This configuration was generated by
|
1
2
|
# `rubocop --auto-gen-config`
|
2
3
|
# on 2020-05-05 17:47:10 +0200 using RuboCop version 0.82.0.
|
3
4
|
# The point is for the user to remove these configuration records
|
@@ -16,13 +17,6 @@ Lint/UselessAccessModifier:
|
|
16
17
|
Exclude:
|
17
18
|
- 'lib/cvss_suite.rb'
|
18
19
|
|
19
|
-
# Offense count: 3
|
20
|
-
Lint/UselessAssignment:
|
21
|
-
Exclude:
|
22
|
-
- 'lib/cvss_suite/cvss.rb'
|
23
|
-
- 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
|
24
|
-
- 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
|
25
|
-
|
26
20
|
# Offense count: 8
|
27
21
|
# Configuration parameters: IgnoredMethods.
|
28
22
|
Metrics/AbcSize:
|
@@ -32,12 +26,7 @@ Metrics/AbcSize:
|
|
32
26
|
# Configuration parameters: CountComments, ExcludedMethods.
|
33
27
|
# ExcludedMethods: refine
|
34
28
|
Metrics/BlockLength:
|
35
|
-
Max:
|
36
|
-
|
37
|
-
# Offense count: 2
|
38
|
-
# Configuration parameters: CountComments.
|
39
|
-
Metrics/ClassLength:
|
40
|
-
Max: 102
|
29
|
+
Max: 58
|
41
30
|
|
42
31
|
# Offense count: 2
|
43
32
|
# Configuration parameters: CountComments.
|
@@ -68,57 +57,3 @@ Metrics/PerceivedComplexity:
|
|
68
57
|
Naming/AccessorMethodName:
|
69
58
|
Exclude:
|
70
59
|
- 'lib/cvss_suite/cvss_property.rb'
|
71
|
-
|
72
|
-
# Offense count: 31
|
73
|
-
# Configuration parameters: AllowedChars.
|
74
|
-
Style/AsciiComments:
|
75
|
-
Enabled: false
|
76
|
-
|
77
|
-
# Offense count: 20
|
78
|
-
Style/Documentation:
|
79
|
-
Enabled: false
|
80
|
-
|
81
|
-
# Offense count: 2
|
82
|
-
# Configuration parameters: MinBodyLength.
|
83
|
-
Style/GuardClause:
|
84
|
-
Exclude:
|
85
|
-
- 'lib/cvss_suite/helpers/extensions.rb'
|
86
|
-
|
87
|
-
# Offense count: 1
|
88
|
-
# Cop supports --auto-correct.
|
89
|
-
Style/IfUnlessModifier:
|
90
|
-
Exclude:
|
91
|
-
- 'lib/cvss_suite.rb'
|
92
|
-
|
93
|
-
# Offense count: 2
|
94
|
-
# Cop supports --auto-correct.
|
95
|
-
# Configuration parameters: EnforcedStyle.
|
96
|
-
# SupportedStyles: literals, strict
|
97
|
-
Style/MutableConstant:
|
98
|
-
Exclude:
|
99
|
-
- 'lib/cvss_suite.rb'
|
100
|
-
- 'lib/cvss_suite/version.rb'
|
101
|
-
|
102
|
-
# Offense count: 8
|
103
|
-
# Cop supports --auto-correct.
|
104
|
-
# Configuration parameters: Strict.
|
105
|
-
Style/NumericLiterals:
|
106
|
-
MinDigits: 7
|
107
|
-
|
108
|
-
# Offense count: 3
|
109
|
-
# Cop supports --auto-correct.
|
110
|
-
# Configuration parameters: AutoCorrect, EnforcedStyle, IgnoredMethods.
|
111
|
-
# SupportedStyles: predicate, comparison
|
112
|
-
Style/NumericPredicate:
|
113
|
-
Exclude:
|
114
|
-
- 'spec/**/*'
|
115
|
-
- 'lib/cvss_suite/cvss2/cvss2_base.rb'
|
116
|
-
- 'lib/cvss_suite/helpers/extensions.rb'
|
117
|
-
|
118
|
-
# Offense count: 1
|
119
|
-
# Cop supports --auto-correct.
|
120
|
-
# Configuration parameters: ConvertCodeThatCanStartToReturnNil, AllowedMethods.
|
121
|
-
# AllowedMethods: present?, blank?, presence, try, try!
|
122
|
-
Style/SafeNavigation:
|
123
|
-
Exclude:
|
124
|
-
- 'lib/cvss_suite/cvss_metric.rb'
|
data/CHANGES.md
CHANGED
@@ -2,18 +2,11 @@
|
|
2
2
|
All notable changes to this project will be documented in this file.
|
3
3
|
This project adheres to [Semantic Versioning](http://semver.org/).
|
4
4
|
|
5
|
-
## [
|
5
|
+
## [2.0.0] - 2020-05-10
|
6
6
|
|
7
|
-
###
|
8
|
-
*
|
9
|
-
*
|
10
|
-
|
11
|
-
## [1.2.2] - 2020-07-19
|
12
|
-
|
13
|
-
### Fixes
|
14
|
-
Fixed an error that resulted in incorrect environmental score if modified attributes were not defined.
|
15
|
-
|
16
|
-
## [1.2.1] - 2020-05-10
|
7
|
+
### Breaking Changes
|
8
|
+
* Ruby >= 2.4 is now required
|
9
|
+
* Renamed choice/choices to value/values
|
17
10
|
|
18
11
|
### Improvements
|
19
12
|
* Added CvssSuite module to every class (thanks to @fwininger)
|
@@ -106,4 +99,4 @@ Tried to fix an error. It turned out to be a local problem. Due to this I increa
|
|
106
99
|
|
107
100
|
## [1.0.0] - 2016-04-15
|
108
101
|
### Initial release
|
109
|
-
First release of this gem.
|
102
|
+
First release of this gem.
|
data/README.md
CHANGED
@@ -1,20 +1,15 @@
|
|
1
1
|
# CvssSuite for Ruby
|
2
2
|
|
3
3
|
[![Gem Version](http://img.shields.io/gem/v/cvss-suite.svg)](https://rubygems.org/gems/cvss-suite)
|
4
|
-
[![Ruby Version](https://img.shields.io/badge/Ruby-2.
|
4
|
+
[![Ruby Version](https://img.shields.io/badge/Ruby-2.4-brightgreen.svg)](https://rubygems.org/gems/cvss-suite)
|
5
5
|
[![Cvss Support](https://img.shields.io/badge/CVSS-v2-brightgreen.svg)](https://www.first.org/cvss/v2/guide)
|
6
6
|
[![Cvss Support](https://img.shields.io/badge/CVSS-v3.0-brightgreen.svg)](https://www.first.org/cvss/v3.0/user-guide)
|
7
7
|
[![Cvss Support](https://img.shields.io/badge/CVSS-v3.1-brightgreen.svg)](https://www.first.org/cvss/v3.1/user-guide)
|
8
|
-
![RSpec](https://github.com/siemens/cvss-suite/workflows/RSpec/badge.svg)
|
8
|
+
[![RSpec](https://github.com/siemens/cvss-suite/workflows/RSpec/badge.svg)](https://github.com/siemens/cvss-suite/actions)
|
9
9
|
|
10
10
|
This Ruby gem helps you to process the vector of the [**Common Vulnerability Scoring System**](https://www.first.org/cvss/specification-document).
|
11
11
|
Besides calculating the Base, Temporal and Environmental Score, you are able to extract the selected option.
|
12
12
|
|
13
|
-
## :warning: End of life :warning:
|
14
|
-
|
15
|
-
This version of the gem is no longer supported, please update to a higher version.
|
16
|
-
Please read the [changelog of 2.0.0](https://github.com/siemens/cvss-suite/blob/master/CHANGES.md#200---2020-05-10) for breaking changes.
|
17
|
-
|
18
13
|
## Installation
|
19
14
|
|
20
15
|
Add this line to your application's Gemfile:
|
@@ -30,6 +25,10 @@ And then execute:
|
|
30
25
|
Or install it yourself as:
|
31
26
|
|
32
27
|
$ gem install cvss-suite
|
28
|
+
|
29
|
+
## Version 1.x
|
30
|
+
|
31
|
+
If your still using CvssSuite 1.x please refer to the [specific branch](https://github.com/siemens/cvss-suite/tree/1.x) for documentation and changelog.
|
33
32
|
|
34
33
|
## Usage
|
35
34
|
|
@@ -67,15 +66,15 @@ overall_score = cvss.overall_score # 3.2
|
|
67
66
|
access_vector = cvss.base.access_vector.name # 'Access Vector'
|
68
67
|
remediation_level = cvss.temporal.remediation_level.name # 'Remediation Level'
|
69
68
|
|
70
|
-
access_vector.
|
71
|
-
|
72
|
-
|
73
|
-
|
69
|
+
access_vector.values.each do |value|
|
70
|
+
value[:name] # 'Local', 'Adjacent Network', 'Network'
|
71
|
+
value[:abbreviation] # 'L', 'A', 'N'
|
72
|
+
value[:selected] # false, true, false
|
74
73
|
end
|
75
74
|
|
76
75
|
# Selected options
|
77
|
-
cvss.base.access_vector.
|
78
|
-
cvss.temporal.remediation_level.
|
76
|
+
cvss.base.access_vector.selected_value[:name] # Adjacent Network
|
77
|
+
cvss.temporal.remediation_level.selected_value[:name] # Temporary Fix
|
79
78
|
|
80
79
|
# Exceptions
|
81
80
|
|
@@ -105,11 +104,13 @@ Properties (Access Vector, Remediation Level, etc) do have a position attribute,
|
|
105
104
|
|
106
105
|
Currently it is not possible to leave an attribute blank instead of ND/X. If you don't have a value for an attribute, please use ND/X instead.
|
107
106
|
|
107
|
+
Because the documentation isn't clear on how to calculate the score if Modified Scope (CVSS 3.0 Environmental) is not defined, Modified Scope has to have a valid value (S/U).
|
108
|
+
|
108
109
|
There is a possibility of implementations generating different scores (+/- 0,1) due to small floating-point inaccuracies. This can happen due to differences in floating point arithmetic between different languages and hardware platforms.
|
109
110
|
|
110
111
|
## Changelog
|
111
112
|
|
112
|
-
[Click here to see all changes.](https://github.com/siemens/cvss-suite/blob/
|
113
|
+
[Click here to see all changes.](https://github.com/siemens/cvss-suite/blob/master/CHANGES.md)
|
113
114
|
|
114
115
|
## Contributing
|
115
116
|
|
data/cvss_suite.gemspec
CHANGED
@@ -26,9 +26,7 @@ Gem::Specification.new do |spec|
|
|
26
26
|
Besides calculating the Base, Temporal and Environmental Score, you are able to extract the selected option.'
|
27
27
|
spec.homepage = 'https://siemens.github.io/cvss-suite/'
|
28
28
|
|
29
|
-
spec.
|
30
|
-
|
31
|
-
spec.required_ruby_version = '>= 2.0.0'
|
29
|
+
spec.required_ruby_version = '>= 2.4.0'
|
32
30
|
spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
|
33
31
|
spec.bindir = 'exe'
|
34
32
|
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
data/lib/cvss_suite/cvss.rb
CHANGED
@@ -8,26 +8,22 @@
|
|
8
8
|
# This work is licensed under the terms of the MIT license.
|
9
9
|
# See the LICENSE.md file in the top-level directory.
|
10
10
|
|
11
|
-
##
|
12
|
-
# This class represents any CVSS vector. Do not instantiate this class!
|
13
|
-
|
14
11
|
module CvssSuite
|
12
|
+
##
|
13
|
+
# This class represents any CVSS vector. Do not instantiate this class!
|
15
14
|
class Cvss
|
16
15
|
##
|
17
16
|
# Metric of a CVSS vector.
|
18
|
-
|
19
17
|
attr_reader :base, :temporal, :environmental
|
20
18
|
|
21
19
|
##
|
22
20
|
# Returns the vector itself.
|
23
|
-
|
24
21
|
attr_reader :vector
|
25
22
|
|
26
23
|
##
|
27
24
|
# Creates a new CVSS vector by a +vector+.
|
28
25
|
#
|
29
26
|
# Raises an exception if it is called on Cvss class.
|
30
|
-
|
31
27
|
def initialize(vector)
|
32
28
|
raise CvssSuite::Errors::InvalidParentClass, 'Do not instantiate this class!' if self.class == Cvss
|
33
29
|
|
@@ -39,7 +35,6 @@ module CvssSuite
|
|
39
35
|
|
40
36
|
##
|
41
37
|
# Returns if CVSS vector is valid.
|
42
|
-
|
43
38
|
def valid?
|
44
39
|
if @amount_of_properties == required_amount_of_properties
|
45
40
|
base = @base.valid?
|
@@ -54,7 +49,6 @@ module CvssSuite
|
|
54
49
|
|
55
50
|
##
|
56
51
|
# Returns the severity of the CVSS vector.
|
57
|
-
|
58
52
|
def severity
|
59
53
|
check_validity
|
60
54
|
|
@@ -62,13 +56,13 @@ module CvssSuite
|
|
62
56
|
|
63
57
|
if score == 0.0
|
64
58
|
'None'
|
65
|
-
elsif (0.1..3.9).
|
59
|
+
elsif (0.1..3.9).cover? score
|
66
60
|
'Low'
|
67
|
-
elsif (4.0..6.9).
|
61
|
+
elsif (4.0..6.9).cover? score
|
68
62
|
'Medium'
|
69
|
-
elsif (7.0..8.9).
|
63
|
+
elsif (7.0..8.9).cover? score
|
70
64
|
'High'
|
71
|
-
elsif (9.0..10.0).
|
65
|
+
elsif (9.0..10.0).cover? score
|
72
66
|
'Critical'
|
73
67
|
else
|
74
68
|
'None'
|
@@ -77,7 +71,6 @@ module CvssSuite
|
|
77
71
|
|
78
72
|
##
|
79
73
|
# Returns the Overall Score of the CVSS vector.
|
80
|
-
|
81
74
|
def overall_score
|
82
75
|
check_validity
|
83
76
|
return temporal_score if @temporal.valid? && !@environmental.valid?
|
@@ -107,18 +100,7 @@ module CvssSuite
|
|
107
100
|
if start_of_vector.nil?
|
108
101
|
''
|
109
102
|
else
|
110
|
-
|
111
|
-
matchArray = @vector.scan(/\((?>[^)(]+|\g<0>)*\)/)
|
112
|
-
if matchArray.length == 1 && matchArray[0] == @vector
|
113
|
-
@vector.slice!(0)
|
114
|
-
@vector.slice!(@vector.length - 1)
|
115
|
-
@vector
|
116
|
-
else
|
117
|
-
''
|
118
|
-
end
|
119
|
-
else
|
120
|
-
@vector[start_of_vector..-1]
|
121
|
-
end
|
103
|
+
@vector[start_of_vector..-1]
|
122
104
|
end
|
123
105
|
end
|
124
106
|
|
@@ -126,7 +108,7 @@ module CvssSuite
|
|
126
108
|
total = @base.count if @base.valid?
|
127
109
|
total += @temporal.count if @temporal.valid?
|
128
110
|
total += @environmental.count if @environmental.valid?
|
129
|
-
total
|
111
|
+
total || 0
|
130
112
|
end
|
131
113
|
end
|
132
114
|
end
|
@@ -13,39 +13,18 @@ require_relative 'cvss2_base'
|
|
13
13
|
require_relative 'cvss2_temporal'
|
14
14
|
require_relative 'cvss2_environmental'
|
15
15
|
|
16
|
-
##
|
17
|
-
# This class represents a CVSS vector in version 2.
|
18
|
-
|
19
16
|
module CvssSuite
|
17
|
+
##
|
18
|
+
# This class represents a CVSS vector in version 2.
|
20
19
|
class Cvss2 < Cvss
|
21
20
|
##
|
22
21
|
# Returns the Version of the CVSS vector.
|
23
|
-
|
24
22
|
def version
|
25
23
|
2
|
26
24
|
end
|
27
25
|
|
28
|
-
# Returns the severity of the CVSSv2 vector.
|
29
|
-
# https://nvd.nist.gov/vuln-metrics/cvss
|
30
|
-
def severity
|
31
|
-
check_validity
|
32
|
-
|
33
|
-
score = overall_score
|
34
|
-
|
35
|
-
if (0.0..3.9).include? score
|
36
|
-
'Low'
|
37
|
-
elsif (4.0..6.9).include? score
|
38
|
-
'Medium'
|
39
|
-
elsif (7.0..10.0).include? score
|
40
|
-
'High'
|
41
|
-
else
|
42
|
-
'None'
|
43
|
-
end
|
44
|
-
end
|
45
|
-
|
46
26
|
##
|
47
27
|
# Returns the Base Score of the CVSS vector.
|
48
|
-
|
49
28
|
def base_score
|
50
29
|
check_validity
|
51
30
|
@base.score.round(1)
|
@@ -53,14 +32,12 @@ module CvssSuite
|
|
53
32
|
|
54
33
|
##
|
55
34
|
# Returns the Temporal Score of the CVSS vector.
|
56
|
-
|
57
35
|
def temporal_score
|
58
36
|
(base_score * @temporal.score).round(1)
|
59
37
|
end
|
60
38
|
|
61
39
|
##
|
62
40
|
# Returns the Environmental Score of the CVSS vector.
|
63
|
-
|
64
41
|
def environmental_score
|
65
42
|
return temporal_score unless @environmental.valid?
|
66
43
|
|
@@ -11,14 +11,12 @@
|
|
11
11
|
require_relative '../cvss_property'
|
12
12
|
require_relative '../cvss_metric'
|
13
13
|
|
14
|
-
##
|
15
|
-
# This class represents a CVSS Base metric in version 2.
|
16
|
-
|
17
14
|
module CvssSuite
|
15
|
+
##
|
16
|
+
# This class represents a CVSS Base metric in version 2.
|
18
17
|
class Cvss2Base < CvssMetric
|
19
18
|
##
|
20
19
|
# Property of this metric
|
21
|
-
|
22
20
|
attr_reader :access_vector, :access_complexity, :authentication,
|
23
21
|
:confidentiality_impact, :integrity_impact, :availability_impact
|
24
22
|
|
@@ -27,13 +25,12 @@ module CvssSuite
|
|
27
25
|
# See CVSS documentation for further information https://www.first.org/cvss/v2/guide#i3.2.1 .
|
28
26
|
#
|
29
27
|
# Takes +Security+ +Requirement+ +Impacts+ for calculating environmental score.
|
30
|
-
|
31
28
|
def score(sr_cr_score = 1, sr_ir_score = 1, sr_ar_score = 1)
|
32
29
|
impact = calc_impact(sr_cr_score, sr_ir_score, sr_ar_score)
|
33
30
|
|
34
31
|
exploitability = calc_exploitability
|
35
32
|
|
36
|
-
additional_impact = (impact
|
33
|
+
additional_impact = (impact.zero? ? 0 : 1.176)
|
37
34
|
|
38
35
|
((0.6 * impact) + (0.4 * exploitability) - 1.5) * additional_impact
|
39
36
|
end
|
@@ -43,32 +40,32 @@ module CvssSuite
|
|
43
40
|
def init_properties
|
44
41
|
@properties.push(@access_vector =
|
45
42
|
CvssProperty.new(name: 'Access Vector', abbreviation: 'AV', position: [0],
|
46
|
-
|
43
|
+
values: [{ name: 'Network', abbreviation: 'N', weight: 1.0 },
|
47
44
|
{ name: 'Adjacent Network', abbreviation: 'A', weight: 0.646 },
|
48
45
|
{ name: 'Local', abbreviation: 'L', weight: 0.395 }]))
|
49
46
|
@properties.push(@access_complexity =
|
50
47
|
CvssProperty.new(name: 'Access Complexity', abbreviation: 'AC', position: [1],
|
51
|
-
|
48
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.71 },
|
52
49
|
{ name: 'Medium', abbreviation: 'M', weight: 0.61 },
|
53
50
|
{ name: 'High', abbreviation: 'H', weight: 0.35 }]))
|
54
51
|
@properties.push(@authentication =
|
55
52
|
CvssProperty.new(name: 'Authentication', abbreviation: 'Au', position: [2],
|
56
|
-
|
53
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.704 },
|
57
54
|
{ name: 'Single', abbreviation: 'S', weight: 0.56 },
|
58
55
|
{ name: 'Multiple', abbreviation: 'M', weight: 0.45 }]))
|
59
56
|
@properties.push(@confidentiality_impact =
|
60
57
|
CvssProperty.new(name: 'Confidentiality Impact', abbreviation: 'C', position: [3],
|
61
|
-
|
58
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
62
59
|
{ name: 'Partial', abbreviation: 'P', weight: 0.275 },
|
63
60
|
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
64
61
|
@properties.push(@integrity_impact =
|
65
62
|
CvssProperty.new(name: 'Integrity Impact', abbreviation: 'I', position: [4],
|
66
|
-
|
63
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
67
64
|
{ name: 'Partial', abbreviation: 'P', weight: 0.275 },
|
68
65
|
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
69
66
|
@properties.push(@availability_impact =
|
70
67
|
CvssProperty.new(name: 'Availability Impact', abbreviation: 'A', position: [5],
|
71
|
-
|
68
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
72
69
|
{ name: 'Partial', abbreviation: 'P', weight: 0.275 },
|
73
70
|
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
74
71
|
end
|
@@ -11,22 +11,21 @@
|
|
11
11
|
require_relative '../cvss_property'
|
12
12
|
require_relative '../cvss_metric'
|
13
13
|
|
14
|
-
##
|
15
|
-
# This class represents a CVSS Environmental metric in version 2.
|
16
|
-
|
17
14
|
module CvssSuite
|
15
|
+
##
|
16
|
+
# This class represents a CVSS Environmental metric in version 2.
|
18
17
|
class Cvss2Environmental < CvssMetric
|
19
18
|
##
|
20
19
|
# Property of this metric
|
21
|
-
|
22
20
|
attr_reader :collateral_damage_potential, :target_distribution, :security_requirements_cr,
|
23
21
|
:security_requirements_ir, :security_requirements_ar
|
24
22
|
|
25
23
|
##
|
26
24
|
# Returns score of this metric
|
27
|
-
|
28
25
|
def score(base, temporal_score)
|
29
|
-
base_score =
|
26
|
+
base_score = base.score(@security_requirements_cr.score,
|
27
|
+
@security_requirements_ir.score,
|
28
|
+
@security_requirements_ar.score).round(1)
|
30
29
|
|
31
30
|
adjusted_temporal = (base_score * temporal_score).round(1)
|
32
31
|
(adjusted_temporal + (10 - adjusted_temporal) * @collateral_damage_potential.score) * @target_distribution.score
|
@@ -37,7 +36,7 @@ module CvssSuite
|
|
37
36
|
def init_properties
|
38
37
|
@properties.push(@collateral_damage_potential =
|
39
38
|
CvssProperty.new(name: 'Collateral Damage Potential', abbreviation: 'CDP', position: [6, 9],
|
40
|
-
|
39
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
41
40
|
{ name: 'Low', abbreviation: 'L', weight: 0.1 },
|
42
41
|
{ name: 'Low-Medium', abbreviation: 'LM', weight: 0.3 },
|
43
42
|
{ name: 'Medium-High', abbreviation: 'MH', weight: 0.4 },
|
@@ -45,26 +44,26 @@ module CvssSuite
|
|
45
44
|
{ name: 'Not Defined', abbreviation: 'ND', weight: 0.0 }]))
|
46
45
|
@properties.push(@target_distribution =
|
47
46
|
CvssProperty.new(name: 'Target Distribution', abbreviation: 'TD', position: [7, 10],
|
48
|
-
|
47
|
+
values: [{ name: 'None', abbreviation: 'N', weight: 0.0 },
|
49
48
|
{ name: 'Low', abbreviation: 'L', weight: 0.25 },
|
50
49
|
{ name: 'Medium', abbreviation: 'M', weight: 0.75 },
|
51
50
|
{ name: 'High', abbreviation: 'H', weight: 1.0 },
|
52
51
|
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
53
52
|
@properties.push(@security_requirements_cr =
|
54
53
|
CvssProperty.new(name: 'Confidentiality Requirement', abbreviation: 'CR', position: [8, 11],
|
55
|
-
|
54
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
56
55
|
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
57
56
|
{ name: 'High', abbreviation: 'H', weight: 1.51 },
|
58
57
|
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
59
58
|
@properties.push(@security_requirements_ir =
|
60
59
|
CvssProperty.new(name: 'Integrity Requirement', abbreviation: 'IR', position: [9, 12],
|
61
|
-
|
60
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
62
61
|
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
63
62
|
{ name: 'High', abbreviation: 'H', weight: 1.51 },
|
64
63
|
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
65
64
|
@properties.push(@security_requirements_ar =
|
66
65
|
CvssProperty.new(name: 'Availability Requirement', abbreviation: 'AR', position: [10, 13],
|
67
|
-
|
66
|
+
values: [{ name: 'Low', abbreviation: 'L', weight: 0.5 },
|
68
67
|
{ name: 'Medium', abbreviation: 'M', weight: 1.0 },
|
69
68
|
{ name: 'High', abbreviation: 'H', weight: 1.51 },
|
70
69
|
{ name: 'Not Defined', abbreviation: 'ND', weight: 1.0 }]))
|
@@ -11,19 +11,16 @@
|
|
11
11
|
require_relative '../cvss_property'
|
12
12
|
require_relative '../cvss_metric'
|
13
13
|
|
14
|
-
##
|
15
|
-
# This class represents a CVSS Temporal metric in version 2.
|
16
|
-
|
17
14
|
module CvssSuite
|
15
|
+
##
|
16
|
+
# This class represents a CVSS Temporal metric in version 2.
|
18
17
|
class Cvss2Temporal < CvssMetric
|
19
18
|
##
|
20
19
|
# Property of this metric
|
21
|
-
|
22
20
|
attr_reader :exploitability, :remediation_level, :report_confidence
|
23
21
|
|
24
22
|
##
|
25
23
|
# Returns score of this metric
|
26
|
-
|
27
24
|
def score
|
28
25
|
return 1 unless valid?
|
29
26
|
|
@@ -35,14 +32,14 @@ module CvssSuite
|
|
35
32
|
def init_properties
|
36
33
|
@properties.push(@exploitability =
|
37
34
|
CvssProperty.new(name: 'Exploitability', abbreviation: 'E', position: [6],
|
38
|
-
|
35
|
+
values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
|
39
36
|
{ name: 'Unproven', abbreviation: 'U', weight: 0.85 },
|
40
37
|
{ name: 'Proof-of-Concept', abbreviation: 'POC', weight: 0.9 },
|
41
38
|
{ name: 'Functional', abbreviation: 'F', weight: 0.95 },
|
42
39
|
{ name: 'High', abbreviation: 'H', weight: 1 }]))
|
43
40
|
@properties.push(@remediation_level =
|
44
41
|
CvssProperty.new(name: 'Remediation Level', abbreviation: 'RL', position: [7],
|
45
|
-
|
42
|
+
values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
|
46
43
|
{ name: 'Official Fix', abbreviation: 'OF', weight: 0.87 },
|
47
44
|
{ name: 'Temporary Fix', abbreviation: 'TF', weight: 0.9 },
|
48
45
|
{ name: 'Workaround', abbreviation: 'W', weight: 0.95 },
|
@@ -50,7 +47,7 @@ module CvssSuite
|
|
50
47
|
|
51
48
|
@properties.push(@report_confidence =
|
52
49
|
CvssProperty.new(name: 'Report Confidence', abbreviation: 'RC', position: [8],
|
53
|
-
|
50
|
+
values: [{ name: 'Not Defined', abbreviation: 'ND', weight: 1 },
|
54
51
|
{ name: 'Unconfirmed', abbreviation: 'UC', weight: 0.9 },
|
55
52
|
{ name: 'Uncorroborated', abbreviation: 'UR', weight: 0.95 },
|
56
53
|
{ name: 'Confirmed', abbreviation: 'C', weight: 1 }]))
|