cvss-suite 3.0.1 → 3.3.0

Files changed (48) hide show
  1. checksums.yaml +4 -4
  2. data/.github/workflows/rspec.yml +4 -4
  3. data/.github/workflows/rubocop.yml +3 -4
  4. data/.rspec +1 -0
  5. data/.rubocop.yml +20 -0
  6. data/.rubocop_todo.yml +2 -2
  7. data/CHANGES.md +34 -0
  8. data/CODE_OF_CONDUCT.md +0 -5
  9. data/Gemfile +0 -6
  10. data/LICENSE.md +12 -2
  11. data/README.md +20 -11
  12. data/cvss_suite.gemspec +12 -14
  13. data/lib/cvss_suite/cvss.rb +7 -55
  14. data/lib/cvss_suite/cvss2/cvss2.rb +2 -8
  15. data/lib/cvss_suite/cvss2/cvss2_base.rb +0 -6
  16. data/lib/cvss_suite/cvss2/cvss2_environmental.rb +0 -6
  17. data/lib/cvss_suite/cvss2/cvss2_temporal.rb +0 -6
  18. data/lib/cvss_suite/cvss3/cvss3.rb +8 -8
  19. data/lib/cvss_suite/cvss3/cvss3_base.rb +8 -14
  20. data/lib/cvss_suite/cvss3/cvss3_environmental.rb +11 -17
  21. data/lib/cvss_suite/cvss3/cvss3_temporal.rb +3 -9
  22. data/lib/cvss_suite/cvss31/cvss31.rb +8 -8
  23. data/lib/cvss_suite/cvss31/cvss31_base.rb +8 -14
  24. data/lib/cvss_suite/cvss31/cvss31_environmental.rb +11 -17
  25. data/lib/cvss_suite/cvss31/cvss31_temporal.rb +3 -9
  26. data/lib/cvss_suite/cvss40/cvss40.rb +43 -0
  27. data/lib/cvss_suite/cvss40/cvss40_all_up.rb +40 -0
  28. data/lib/cvss_suite/cvss40/cvss40_base.rb +86 -0
  29. data/lib/cvss_suite/cvss40/cvss40_calc_helper.rb +397 -0
  30. data/lib/cvss_suite/cvss40/cvss40_constants_levels.rb +26 -0
  31. data/lib/cvss_suite/cvss40/cvss40_constants_macro_vector_lookup.rb +278 -0
  32. data/lib/cvss_suite/cvss40/cvss40_constants_max_composed.rb +41 -0
  33. data/lib/cvss_suite/cvss40/cvss40_constants_max_severity.rb +31 -0
  34. data/lib/cvss_suite/cvss40/cvss40_environmental.rb +105 -0
  35. data/lib/cvss_suite/cvss40/cvss40_environmental_security.rb +47 -0
  36. data/lib/cvss_suite/cvss40/cvss40_supplemental.rb +66 -0
  37. data/lib/cvss_suite/cvss40/cvss40_threat.rb +34 -0
  38. data/lib/cvss_suite/cvss_31_and_before.rb +61 -0
  39. data/lib/cvss_suite/cvss_40_and_later.rb +51 -0
  40. data/lib/cvss_suite/cvss_metric.rb +7 -7
  41. data/lib/cvss_suite/cvss_property.rb +23 -8
  42. data/lib/cvss_suite/errors.rb +0 -6
  43. data/lib/cvss_suite/helpers/cvss31_helper.rb +0 -6
  44. data/lib/cvss_suite/helpers/cvss3_helper.rb +0 -6
  45. data/lib/cvss_suite/invalid_cvss.rb +0 -6
  46. data/lib/cvss_suite/version.rb +1 -7
  47. data/lib/cvss_suite.rb +48 -11
  48. metadata +40 -11
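--- a/data/lib/cvss_suite/cvss40/cvss40_constants_macro_vector_lookup.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_constants_macro_vector_lookup.rb
@@ -0,0 +1,278 @@
+ module CvssSuite
+ module Cvss40Constants
+ # These constants were almost directly ported from the CVSS 4.0 calculator code found at https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/ac71416d935ad2ac87cd107ff87024561ea954a7/cvss_lookup.js#L1
+
+ LOOKUP = {
+ '000000' => 10,
+ '000001' => 9.9,
+ '000010' => 9.8,
+ '000011' => 9.5,
+ '000020' => 9.5,
+ '000021' => 9.2,
+ '000100' => 10,
+ '000101' => 9.6,
+ '000110' => 9.3,
+ '000111' => 8.7,
+ '000120' => 9.1,
+ '000121' => 8.1,
+ '000200' => 9.3,
+ '000201' => 9,
+ '000210' => 8.9,
+ '000211' => 8,
+ '000220' => 8.1,
+ '000221' => 6.8,
+ '001000' => 9.8,
+ '001001' => 9.5,
+ '001010' => 9.5,
+ '001011' => 9.2,
+ '001020' => 9,
+ '001021' => 8.4,
+ '001100' => 9.3,
+ '001101' => 9.2,
+ '001110' => 8.9,
+ '001111' => 8.1,
+ '001120' => 8.1,
+ '001121' => 6.5,
+ '001200' => 8.8,
+ '001201' => 8,
+ '001210' => 7.8,
+ '001211' => 7,
+ '001220' => 6.9,
+ '001221' => 4.8,
+ '002001' => 9.2,
+ '002011' => 8.2,
+ '002021' => 7.2,
+ '002101' => 7.9,
+ '002111' => 6.9,
+ '002121' => 5,
+ '002201' => 6.9,
+ '002211' => 5.5,
+ '002221' => 2.7,
+ '010000' => 9.9,
+ '010001' => 9.7,
+ '010010' => 9.5,
+ '010011' => 9.2,
+ '010020' => 9.2,
+ '010021' => 8.5,
+ '010100' => 9.5,
+ '010101' => 9.1,
+ '010110' => 9,
+ '010111' => 8.3,
+ '010120' => 8.4,
+ '010121' => 7.1,
+ '010200' => 9.2,
+ '010201' => 8.1,
+ '010210' => 8.2,
+ '010211' => 7.1,
+ '010220' => 7.2,
+ '010221' => 5.3,
+ '011000' => 9.5,
+ '011001' => 9.3,
+ '011010' => 9.2,
+ '011011' => 8.5,
+ '011020' => 8.5,
+ '011021' => 7.3,
+ '011100' => 9.2,
+ '011101' => 8.2,
+ '011110' => 8,
+ '011111' => 7.2,
+ '011120' => 7,
+ '011121' => 5.9,
+ '011200' => 8.4,
+ '011201' => 7,
+ '011210' => 7.1,
+ '011211' => 5.2,
+ '011220' => 5,
+ '011221' => 3,
+ '012001' => 8.6,
+ '012011' => 7.5,
+ '012021' => 5.2,
+ '012101' => 7.1,
+ '012111' => 5.2,
+ '012121' => 2.9,
+ '012201' => 6.3,
+ '012211' => 2.9,
+ '012221' => 1.7,
+ '100000' => 9.8,
+ '100001' => 9.5,
+ '100010' => 9.4,
+ '100011' => 8.7,
+ '100020' => 9.1,
+ '100021' => 8.1,
+ '100100' => 9.4,
+ '100101' => 8.9,
+ '100110' => 8.6,
+ '100111' => 7.4,
+ '100120' => 7.7,
+ '100121' => 6.4,
+ '100200' => 8.7,
+ '100201' => 7.5,
+ '100210' => 7.4,
+ '100211' => 6.3,
+ '100220' => 6.3,
+ '100221' => 4.9,
+ '101000' => 9.4,
+ '101001' => 8.9,
+ '101010' => 8.8,
+ '101011' => 7.7,
+ '101020' => 7.6,
+ '101021' => 6.7,
+ '101100' => 8.6,
+ '101101' => 7.6,
+ '101110' => 7.4,
+ '101111' => 5.8,
+ '101120' => 5.9,
+ '101121' => 5,
+ '101200' => 7.2,
+ '101201' => 5.7,
+ '101210' => 5.7,
+ '101211' => 5.2,
+ '101220' => 5.2,
+ '101221' => 2.5,
+ '102001' => 8.3,
+ '102011' => 7,
+ '102021' => 5.4,
+ '102101' => 6.5,
+ '102111' => 5.8,
+ '102121' => 2.6,
+ '102201' => 5.3,
+ '102211' => 2.1,
+ '102221' => 1.3,
+ '110000' => 9.5,
+ '110001' => 9,
+ '110010' => 8.8,
+ '110011' => 7.6,
+ '110020' => 7.6,
+ '110021' => 7,
+ '110100' => 9,
+ '110101' => 7.7,
+ '110110' => 7.5,
+ '110111' => 6.2,
+ '110120' => 6.1,
+ '110121' => 5.3,
+ '110200' => 7.7,
+ '110201' => 6.6,
+ '110210' => 6.8,
+ '110211' => 5.9,
+ '110220' => 5.2,
+ '110221' => 3,
+ '111000' => 8.9,
+ '111001' => 7.8,
+ '111010' => 7.6,
+ '111011' => 6.7,
+ '111020' => 6.2,
+ '111021' => 5.8,
+ '111100' => 7.4,
+ '111101' => 5.9,
+ '111110' => 5.7,
+ '111111' => 5.7,
+ '111120' => 4.7,
+ '111121' => 2.3,
+ '111200' => 6.1,
+ '111201' => 5.2,
+ '111210' => 5.7,
+ '111211' => 2.9,
+ '111220' => 2.4,
+ '111221' => 1.6,
+ '112001' => 7.1,
+ '112011' => 5.9,
+ '112021' => 3,
+ '112101' => 5.8,
+ '112111' => 2.6,
+ '112121' => 1.5,
+ '112201' => 2.3,
+ '112211' => 1.3,
+ '112221' => 0.6,
+ '200000' => 9.3,
+ '200001' => 8.7,
+ '200010' => 8.6,
+ '200011' => 7.2,
+ '200020' => 7.5,
+ '200021' => 5.8,
+ '200100' => 8.6,
+ '200101' => 7.4,
+ '200110' => 7.4,
+ '200111' => 6.1,
+ '200120' => 5.6,
+ '200121' => 3.4,
+ '200200' => 7,
+ '200201' => 5.4,
+ '200210' => 5.2,
+ '200211' => 4,
+ '200220' => 4,
+ '200221' => 2.2,
+ '201000' => 8.5,
+ '201001' => 7.5,
+ '201010' => 7.4,
+ '201011' => 5.5,
+ '201020' => 6.2,
+ '201021' => 5.1,
+ '201100' => 7.2,
+ '201101' => 5.7,
+ '201110' => 5.5,
+ '201111' => 4.1,
+ '201120' => 4.6,
+ '201121' => 1.9,
+ '201200' => 5.3,
+ '201201' => 3.6,
+ '201210' => 3.4,
+ '201211' => 1.9,
+ '201220' => 1.9,
+ '201221' => 0.8,
+ '202001' => 6.4,
+ '202011' => 5.1,
+ '202021' => 2,
+ '202101' => 4.7,
+ '202111' => 2.1,
+ '202121' => 1.1,
+ '202201' => 2.4,
+ '202211' => 0.9,
+ '202221' => 0.4,
+ '210000' => 8.8,
+ '210001' => 7.5,
+ '210010' => 7.3,
+ '210011' => 5.3,
+ '210020' => 6,
+ '210021' => 5,
+ '210100' => 7.3,
+ '210101' => 5.5,
+ '210110' => 5.9,
+ '210111' => 4,
+ '210120' => 4.1,
+ '210121' => 2,
+ '210200' => 5.4,
+ '210201' => 4.3,
+ '210210' => 4.5,
+ '210211' => 2.2,
+ '210220' => 2,
+ '210221' => 1.1,
+ '211000' => 7.5,
+ '211001' => 5.5,
+ '211010' => 5.8,
+ '211011' => 4.5,
+ '211020' => 4,
+ '211021' => 2.1,
+ '211100' => 6.1,
+ '211101' => 5.1,
+ '211110' => 4.8,
+ '211111' => 1.8,
+ '211120' => 2,
+ '211121' => 0.9,
+ '211200' => 4.6,
+ '211201' => 1.8,
+ '211210' => 1.7,
+ '211211' => 0.7,
+ '211220' => 0.8,
+ '211221' => 0.2,
+ '212001' => 5.3,
+ '212011' => 2.4,
+ '212021' => 1.4,
+ '212101' => 2.4,
+ '212111' => 1.2,
+ '212121' => 0.5,
+ '212201' => 1,
+ '212211' => 0.3,
+ '212221' => 0.1
+ }.freeze
+ end
+ end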
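--- a/data/lib/cvss_suite/cvss40/cvss40_constants_max_composed.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_constants_max_composed.rb
@@ -0,0 +1,41 @@
+ module CvssSuite
+ module Cvss40Constants
+ # These constants were almost directly ported from the CVSS 4.0 calculator code found at https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/ac71416d935ad2ac87cd107ff87024561ea954a7/max_composed.js#L4
+
+ MAX_COMPOSED = {
+ # // EQ1
+ 'eq1' => {
+ '0' => ['AV:N/PR:N/UI:N/'],
+ '1' => ['AV:A/PR:N/UI:N/', 'AV:N/PR:L/UI:N/', 'AV:N/PR:N/UI:P/'],
+ '2' => ['AV:P/PR:N/UI:N/', 'AV:A/PR:L/UI:P/']
+ },
+ # // EQ2
+ 'eq2' => {
+ '0' => ['AC:L/AT:N/'],
+ '1' => ['AC:H/AT:N/', 'AC:L/AT:P/']
+ },
+ # // EQ3+EQ6
+ 'eq3' => {
+ '0' => { '0' => ['VC:H/VI:H/VA:H/CR:H/IR:H/AR:H/'],
+ '1' => ['VC:H/VI:H/VA:L/CR:M/IR:M/AR:H/', 'VC:H/VI:H/VA:H/CR:M/IR:M/AR:M/'] },
+ '1' => { '0' => ['VC:L/VI:H/VA:H/CR:H/IR:H/AR:H/', 'VC:H/VI:L/VA:H/CR:H/IR:H/AR:H/'],
+ '1' => ['VC:L/VI:H/VA:L/CR:H/IR:M/AR:H/', 'VC:L/VI:H/VA:H/CR:H/IR:M/AR:M/',
+ 'VC:H/VI:L/VA:H/CR:M/IR:H/AR:M/', 'VC:H/VI:L/VA:L/CR:M/IR:H/AR:H/',
+ 'VC:L/VI:L/VA:H/CR:H/IR:H/AR:M/'] },
+ '2' => { '1' => ['VC:L/VI:L/VA:L/CR:H/IR:H/AR:H/'] }
+ },
+ # // EQ4
+ 'eq4' => {
+ '0' => ['SC:H/SI:S/SA:S/'],
+ '1' => ['SC:H/SI:H/SA:H/'],
+ '2' => ['SC:L/SI:L/SA:L/']
+ },
+ # // EQ5
+ 'eq5' => {
+ '0' => ['E:A/'],
+ '1' => ['E:P/'],
+ '2' => ['E:U/']
+ }
+ }.freeze
+ end
+ end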
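Review bot: The single `.freeze` on `MAX_COMPOSED` is shallow, so the nested per-EQ hashes, the arrays and the vector-fragment strings inside them remain mutable (the added file starts at `module CvssSuite`, with no `# frozen_string_literal: true` line). Any code that appends to or edits a looked-up entry would change scoring for every later call in the process. `MAX_SEVERITY` in cvss40_constants_max_severity.rb has the same nested shape behind one `.freeze`. Freezing the inner containers as well, e.g. `'0' => ['AV:N/PR:N/UI:N/'].freeze` inside a frozen `'eq1'` hash, and adding the magic comment as the first line would make both tables read-only in fact. Whether the consumer mutates them is not visible here, so this is hardening rather than a confirmed bug.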
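--- a/data/lib/cvss_suite/cvss40/cvss40_constants_max_severity.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_constants_max_severity.rb
@@ -0,0 +1,31 @@
+ module CvssSuite
+ module Cvss40Constants
+ # These constants were almost directly ported from the CVSS 4.0 calculator code found at https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/ac71416d935ad2ac87cd107ff87024561ea954a7/max_severity.js#L1
+ MAX_SEVERITY = {
+ 'eq1' => {
+ 0 => 1,
+ 1 => 4,
+ 2 => 5
+ },
+ 'eq2' => {
+ 0 => 1,
+ 1 => 2
+ },
+ 'eq3eq6' => {
+ 0 => { 0 => 7, 1 => 6 },
+ 1 => { 0 => 8, 1 => 8 },
+ 2 => { 1 => 10 }
+ },
+ 'eq4' => {
+ 0 => 6,
+ 1 => 5,
+ 2 => 4
+ },
+ 'eq5' => {
+ 0 => 1,
+ 1 => 1,
+ 2 => 1
+ }
+ }.freeze
+ end
+ end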
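Review bot: `MAX_SEVERITY` keys its levels as Integers (`0 => 1`) and names the combined group `'eq3eq6'`, while `MAX_COMPOSED` in cvss40_constants_max_composed.rb keys the same levels as Strings (`'0' => [...]`) and calls that group `'eq3'`. A plain `[]` lookup with the wrong key type returns `nil` instead of failing at the lookup, so a mix-up surfaces later and away from its cause. I would state the convention above the constant, e.g. `# Levels are Integer keys here; MAX_COMPOSED uses String levels and 'eq3' for EQ3+EQ6.`, and prefer `fetch` at the call sites, which are not visible in this section.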
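--- a/data/lib/cvss_suite/cvss40/cvss40_environmental.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_environmental.rb
@@ -0,0 +1,105 @@
+ # CVSS-Suite, a Ruby gem to manage the CVSS vector
+ #
+ # This work is licensed under the terms of the MIT license.
+ # See the LICENSE.md file in the top-level directory.
+
+ require_relative '../cvss_property'
+ require_relative '../cvss_metric'
+
+ module CvssSuite
+ ##
+ # This class represents a CVSS Threat metric in version 4.0.
+ class Cvss40Environmental < CvssMetric
+ ##
+ # Property of this metric
+ attr_reader :modified_attack_vector, :modified_attack_complexity, :modified_attack_requirements,
+ :modified_privileges_required, :modified_user_interaction, :modified_vulnerable_system_confidentiality,
+ :modified_vulnerable_system_integrity, :modified_vulnerable_system_availability,
+ :modified_subsequent_system_confidentiality, :modified_subsequent_system_integrity,
+ :modified_subsequent_system_availability
+
+ ##
+ # Returns score of this metric
+ def score
+ Cvss40CalcHelper.new(@properties.map { |p| [p.abbreviation, p.selected_value[:abbreviation]] }.to_h).score
+ end
+
+ private
+
+ def init_properties
+ @properties.push(@modified_attack_vector =
+ CvssProperty.new(name: 'Modified Attack Vector', abbreviation: 'MAV',
+ values: [{ name: 'Network', abbreviation: 'N' },
+ { name: 'Adjacent', abbreviation: 'A' },
+ { name: 'Local', abbreviation: 'L' },
+ { name: 'Physical', abbreviation: 'P' },
+ { name: 'Not Defined', abbreviation: 'X' }]))
+ @properties.push(@modified_attack_complexity =
+ CvssProperty.new(name: 'Modified Attack Complexity', abbreviation: 'MAC',
+ values: [{ name: 'Low', abbreviation: 'L' },
+ { name: 'High', abbreviation: 'H' },
+ { name: 'Not Defined', abbreviation: 'X' }]))
+ @properties.push(@modified_attack_requirements =
+ CvssProperty.new(name: 'Modified Attack Requirements', abbreviation: 'MAT',
+ values: [{ name: 'None', abbreviation: 'N' },
+ { name: 'Present', abbreviation: 'P' },
+ { name: 'Not Defined', abbreviation: 'X' }]))
+ @properties.push(@modified_privileges_required =
+ CvssProperty.new(name: 'Modified Privileges Required', abbreviation: 'MPR',
+ values: [{ name: 'None', abbreviation: 'N' },
+ { name: 'Low', abbreviation: 'L' },
+ { name: 'High', abbreviation: 'H' },
+ { name: 'Not Defined', abbreviation: 'X' }]))
+ @properties.push(@modified_user_interaction =
+ CvssProperty.new(name: 'Modified User Interaction', abbreviation: 'MUI',
+ values: [{ name: 'None', abbreviation: 'N' },
+ { name: 'Passive', abbreviation: 'P' },
+ { name: 'Active', abbreviation: 'A' },
+ { name: 'Not Defined', abbreviation: 'X' }]))
+ @properties.push(@vulnerable_system_confidentiality =
+ CvssProperty.new(name: 'Modified Vulnerable System Confidentiality Impact',
+ abbreviation: 'MVC',
+ values: [{ name: 'None', abbreviation: 'N' },
+ { name: 'Low', abbreviation: 'L' },
+ { name: 'High', abbreviation: 'H' },
+ { name: 'Not Defined', abbreviation: 'X' }]))
+ @properties.push(@modified_vulnerable_system_integrity =
+ CvssProperty.new(name: 'Modified Vulnerable System Integrity Impact',
+ abbreviation: 'MVI',
+ values: [{ name: 'None', abbreviation: 'N' },
+ { name: 'Low', abbreviation: 'L' },
+ { name: 'High', abbreviation: 'H' },
+ { name: 'Not Defined', abbreviation: 'X' }]))
+ @properties.push(@modified_vulnerable_system_availability =
+ CvssProperty.new(name: 'Modified Vulnerable System Availability Impact',
+ abbreviation: 'MVA',
+ values: [{ name: 'None', abbreviation: 'N' },
+ { name: 'Low', abbreviation: 'L' },
+ { name: 'High', abbreviation: 'H' },
+ { name: 'Not Defined', abbreviation: 'X' }]))
+ @properties.push(@modified_subsequent_system_confidentiality =
+ CvssProperty.new(name: 'Modified Subsequent System Confidentiality Impact',
+ abbreviation: 'MSC',
+ values: [{ name: 'None', abbreviation: 'N' },
+ { name: 'Low', abbreviation: 'L' },
+ { name: 'High', abbreviation: 'H' },
+ { name: 'Not Defined', abbreviation: 'X' }]))
+ @properties.push(@modified_subsequent_system_integrity =
+ CvssProperty.new(name: 'Modified Subsequent System Integrity Impact',
+ abbreviation: 'MSI',
+ values: [{ name: 'None', abbreviation: 'N' },
+ { name: 'Safety', abbreviation: 'S' },
+ { name: 'Low', abbreviation: 'L' },
+ { name: 'High', abbreviation: 'H' },
+ { name: 'Not Defined', abbreviation: 'X' }]))
+ @properties.push(@modified_subsequent_system_availability =
+ CvssProperty.new(name: 'Modified Subsequent System Availability Impact',
+ abbreviation: 'MSA',
+ values: [{ name: 'None', abbreviation: 'N' },
+ { name: 'Safety', abbreviation: 'S' },
+ { name: 'Low', abbreviation: 'L' },
+ { name: 'High', abbreviation: 'H' },
+ { name: 'Not Defined', abbreviation: 'X' }]))
+ end
+ end
+ end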
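Review bot: The MVC property is stored in `@vulnerable_system_confidentiality`, but the `attr_reader` list declares `:modified_vulnerable_system_confidentiality`, so that reader always returns `nil` while the other ten readers work. The assignment in `init_properties` should read `@properties.push(@modified_vulnerable_system_confidentiality =`. A caller that inspects the modified confidentiality impact through the public reader gets no value even when the vector sets MVC. The class comment also calls `Cvss40Environmental` a "CVSS Threat metric"; the class comments on `Cvss40Supplemental` ("Temporal metric in version 3.1") and `Cvss40Threat` ("version 3.1") are stale in the same way and should name the 4.0 metric group each class models.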
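--- a/data/lib/cvss_suite/cvss40/cvss40_environmental_security.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_environmental_security.rb
@@ -0,0 +1,47 @@
+ # CVSS-Suite, a Ruby gem to manage the CVSS vector
+ #
+ # This work is licensed under the terms of the MIT license.
+ # See the LICENSE.md file in the top-level directory.
+
+ require_relative '../cvss_property'
+ require_relative '../cvss_metric'
+
+ module CvssSuite
+ ##
+ # This class represents a CVSS Environmental Security metric in version 4.0.
+ class Cvss40EnvironmentalSecurity < CvssMetric
+ ##
+ # Property of this metric
+ attr_reader :confidentiality_requirements, :integrity_requirements, :availability_requirements
+
+ ##
+ # Returns score of this metric
+ def score
+ Cvss40CalcHelper.new(@properties.map { |p| [p.abbreviation, p.selected_value[:abbreviation]] }.to_h).score
+ end
+
+ private
+
+ def init_properties
+ @properties.push(@confidentiality_requirements =
+ CvssProperty.new(name: 'Confidentiality Requirements', abbreviation: 'CR',
+ values: [{ name: 'Not Defined', abbreviation: 'X' },
+ { name: 'Low', abbreviation: 'L' },
+ { name: 'Medium', abbreviation: 'M' },
+ { name: 'High', abbreviation: 'H' }]))
+ @properties.push(@integrity_requirements =
+ CvssProperty.new(name: 'Integrity Requirements', abbreviation: 'IR',
+ values: [{ name: 'Not Defined', abbreviation: 'X' },
+ { name: 'Low', abbreviation: 'L' },
+ { name: 'Medium', abbreviation: 'M' },
+ { name: 'High', abbreviation: 'H' }]))
+ @properties.push(@availability_requirements =
+ CvssProperty.new(name: 'Availability Requirements', abbreviation: 'AR',
+ values: [{ name: 'Not Defined', abbreviation: 'X' },
+ { name: 'Low', abbreviation: 'L' },
+ { name: 'Medium', abbreviation: 'M' },
+ { name: 'High',
+ abbreviation: 'H' }]))
+ end
+ end
+ end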
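Review bot: `score` hands `Cvss40CalcHelper` a hash that holds only CR, IR and AR, and the comment "Returns score of this metric" does not say what a score built from three requirement metrics means; the identical one-liner is repeated in `Cvss40Environmental#score` and `Cvss40Threat#score`. How the helper treats base metrics that are absent from the hash is not visible in this section, and `p.selected_value[:abbreviation]` would raise `NoMethodError` if `selected_value` can be `nil` for an unset property (that depends on `CvssProperty`, also not shown). I would replace the comment with one that states which metrics feed the result and what is assumed for the missing ones, and move the shared hash-building into a single method on the parent class so the three copies cannot drift apart.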
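--- a/data/lib/cvss_suite/cvss40/cvss40_supplemental.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_supplemental.rb
@@ -0,0 +1,66 @@
+ # CVSS-Suite, a Ruby gem to manage the CVSS vector
+ #
+ # This work is licensed under the terms of the MIT license.
+ # See the LICENSE.md file in the top-level directory.
+
+ require_relative '../cvss_property'
+ require_relative '../cvss_metric'
+
+ module CvssSuite
+ ##
+ # This class represents a CVSS Temporal metric in version 3.1.
+ class Cvss40Supplemental < CvssMetric
+ ##
+ # Property of this metric
+ attr_reader :safety, :automatable, :recovery, :value_density,
+ :vulnerability_response_effort, :provider_urgency
+
+ ##
+ # Returns score of this metric
+ def score
+ return 1.0 unless valid?
+
+ @exploit_code_maturity.score * @remediation_level.score * @report_confidence.score
+ end
+
+ private
+
+ def init_properties
+ @properties.push(@safety =
+ CvssProperty.new(name: 'Safety', abbreviation: 'S',
+ values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+ { name: 'Negligible', abbreviation: 'N', weight: 0.91 },
+ { name: 'Present', abbreviation: 'P', weight: 0.94 }]))
+ @properties.push(@automatable =
+ CvssProperty.new(name: 'Automatable', abbreviation: 'AU',
+ values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+ { name: 'No', abbreviation: 'N', weight: 0.95 },
+ { name: 'Yes', abbreviation: 'Y', weight: 0.96 }]))
+
+ @properties.push(@recovery =
+ CvssProperty.new(name: 'Recovery', abbreviation: 'R',
+ values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+ { name: 'Automatic', abbreviation: 'A', weight: 0.92 },
+ { name: 'User', abbreviation: 'U', weight: 0.96 },
+ { name: 'Irrecoverable', abbreviation: 'I', weight: 1.0 }]))
+ @properties.push(@value_density =
+ CvssProperty.new(name: 'Value Density', abbreviation: 'V',
+ values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+ { name: 'Diffuse', abbreviation: 'D', weight: 0.91 },
+ { name: 'Concentrated', abbreviation: 'C', weight: 0.94 }]))
+ @properties.push(@vulnerability_response_effort =
+ CvssProperty.new(name: 'Vulnerability Response Effort', abbreviation: 'RE',
+ values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+ { name: 'Low', abbreviation: 'L', weight: 0.91 },
+ { name: 'Moderate', abbreviation: 'M', weight: 0.91 },
+ { name: 'High', abbreviation: 'H', weight: 0.94 }]))
+ @properties.push(@provider_urgency =
+ CvssProperty.new(name: 'Provider Urgency', abbreviation: 'U',
+ values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+ { name: 'Clear', abbreviation: 'Clear', weight: 0.91 },
+ { name: 'Green', abbreviation: 'Green', weight: 0.91 },
+ { name: 'Amber', abbreviation: 'Amber', weight: 0.91 },
+ { name: 'Red', abbreviation: 'Red', weight: 0.94 }]))
+ end
+ end
+ end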
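Review bot: `score` multiplies `@exploit_code_maturity.score`, `@remediation_level.score` and `@report_confidence.score`, but `init_properties` in this class assigns only `@safety`, `@automatable`, `@recovery`, `@value_density`, `@vulnerability_response_effort` and `@provider_urgency`. Unless the parent class sets those three variables (not visible here), the call raises `NoMethodError` on `nil` as soon as `valid?` is true; the body looks carried over from a temporal metric class. CVSS 4.0 defines the supplemental group as having no effect on the numeric score, so the `weight:` values attached to each option have no specified meaning either. I would replace the method body with a documented neutral return (`1.0`, matching the existing not-valid branch) or drop `score` from this class if the parent permits it, and remove the weights.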
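--- a/data/lib/cvss_suite/cvss40/cvss40_threat.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_threat.rb
@@ -0,0 +1,34 @@
+ # CVSS-Suite, a Ruby gem to manage the CVSS vector
+ #
+ # This work is licensed under the terms of the MIT license.
+ # See the LICENSE.md file in the top-level directory.
+
+ require_relative '../cvss_property'
+ require_relative '../cvss_metric'
+
+ module CvssSuite
+ ##
+ # This class represents a CVSS Threat metric in version 3.1.
+ class Cvss40Threat < CvssMetric
+ ##
+ # Property of this metric
+ attr_reader :exploit_maturity
+
+ ##
+ # Returns score of this metric
+ def score
+ Cvss40CalcHelper.new(@properties.map { |p| [p.abbreviation, p.selected_value[:abbreviation]] }.to_h).score
+ end
+
+ private
+
+ def init_properties
+ @properties.push(@exploit_maturity =
+ CvssProperty.new(name: 'Exploit Maturity', abbreviation: 'E',
+ values: [{ name: 'Not Defined', abbreviation: 'X' },
+ { name: 'Attacked', abbreviation: 'A' },
+ { name: 'Proof-of-Concept', abbreviation: 'P' },
+ { name: 'Unreported', abbreviation: 'U' }]))
+ end
+ end
+ end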
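--- a/data/lib/cvss_suite/cvss_31_and_before.rb
+++ b/data/lib/cvss_suite/cvss_31_and_before.rb
@@ -0,0 +1,61 @@
+ # CVSS-Suite, a Ruby gem to manage the CVSS vector
+ #
+ # This work is licensed under the terms of the MIT license.
+ # See the LICENSE.md file in the top-level directory.
+
+ require_relative 'cvss'
+
+ module CvssSuite
+ ##
+ # This class represents any CVSS vector. Do not instantiate this class!
+ class Cvss31AndBefore < Cvss
+ ##
+ # Metric of a CVSS vector for CVSS 2, 3, 3.1.
+ attr_reader :temporal, :environmental
+
+ ##
+ # Creates a new CVSS vector by a +vector+, for all CVSS versions through 3.1.
+ #
+ # Raises an exception if it is called on Cvss31AndBefore class.
+ def initialize(vector)
+ raise CvssSuite::Errors::InvalidParentClass, 'Do not instantiate this class!' if instance_of? Cvss31AndBefore
+
+ super
+ end
+
+ ##
+ # Returns if CVSS vector is valid.
+ def valid?
+ if @amount_of_properties >= required_amount_of_properties
+ entered_keys = @properties.collect { |p| p[:name] }
+ return false if (entered_keys - allowed_abbreviations).size.positive?
+
+ check_metrics_validity
+ else
+ false
+ end
+ end
+
+ ##
+ # Returns the Overall Score of the CVSS vector.
+ def overall_score
+ check_validity
+ return temporal_score if @temporal.valid? && !@environmental.valid?
+ return environmental_score if @environmental.valid?
+
+ base_score
+ end
+
+ private
+
+ def allowed_abbreviations
+ @base.properties.collect(&:abbreviation) +
+ @temporal.properties.collect(&:abbreviation) +
+ @environmental.properties.collect(&:abbreviation)
+ end
+
+ def check_metrics_validity
+ @base.valid? && @temporal&.valid? && @environmental&.valid?
+ end
+ end
+ end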
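Review bot: `check_metrics_validity` guards with `@temporal&.valid?` and `@environmental&.valid?`, but `&.` yields `nil` for a `nil` receiver, so a missing group makes the whole expression falsy and `valid?` returns `nil` rather than `false`, instead of the group being skipped. The guard is also never reached in that case, because `allowed_abbreviations` calls `@temporal.properties` and `@environmental.properties` without it earlier in `valid?`, and `overall_score` calls `@temporal.valid?` directly. If the subclasses always set both groups (not visible here), drop the safe navigation: `@base.valid? && @temporal.valid? && @environmental.valid?`. If a group may legitimately be absent, say so explicitly with `(@temporal.nil? || @temporal.valid?)` and guard the other two methods the same way.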