cvss-suite 3.0.1 → 3.3.0
- checksums.yaml +4 -4
- data/.github/workflows/rspec.yml +4 -4
- data/.github/workflows/rubocop.yml +3 -4
- data/.rspec +1 -0
- data/.rubocop.yml +20 -0
- data/.rubocop_todo.yml +2 -2
- data/CHANGES.md +34 -0
- data/CODE_OF_CONDUCT.md +0 -5
- data/Gemfile +0 -6
- data/LICENSE.md +12 -2
- data/README.md +20 -11
- data/cvss_suite.gemspec +12 -14
- data/lib/cvss_suite/cvss.rb +7 -55
- data/lib/cvss_suite/cvss2/cvss2.rb +2 -8
- data/lib/cvss_suite/cvss2/cvss2_base.rb +0 -6
- data/lib/cvss_suite/cvss2/cvss2_environmental.rb +0 -6
- data/lib/cvss_suite/cvss2/cvss2_temporal.rb +0 -6
- data/lib/cvss_suite/cvss3/cvss3.rb +8 -8
- data/lib/cvss_suite/cvss3/cvss3_base.rb +8 -14
- data/lib/cvss_suite/cvss3/cvss3_environmental.rb +11 -17
- data/lib/cvss_suite/cvss3/cvss3_temporal.rb +3 -9
- data/lib/cvss_suite/cvss31/cvss31.rb +8 -8
- data/lib/cvss_suite/cvss31/cvss31_base.rb +8 -14
- data/lib/cvss_suite/cvss31/cvss31_environmental.rb +11 -17
- data/lib/cvss_suite/cvss31/cvss31_temporal.rb +3 -9
- data/lib/cvss_suite/cvss40/cvss40.rb +43 -0
- data/lib/cvss_suite/cvss40/cvss40_all_up.rb +40 -0
- data/lib/cvss_suite/cvss40/cvss40_base.rb +86 -0
- data/lib/cvss_suite/cvss40/cvss40_calc_helper.rb +397 -0
- data/lib/cvss_suite/cvss40/cvss40_constants_levels.rb +26 -0
- data/lib/cvss_suite/cvss40/cvss40_constants_macro_vector_lookup.rb +278 -0
- data/lib/cvss_suite/cvss40/cvss40_constants_max_composed.rb +41 -0
- data/lib/cvss_suite/cvss40/cvss40_constants_max_severity.rb +31 -0
- data/lib/cvss_suite/cvss40/cvss40_environmental.rb +105 -0
- data/lib/cvss_suite/cvss40/cvss40_environmental_security.rb +47 -0
- data/lib/cvss_suite/cvss40/cvss40_supplemental.rb +66 -0
- data/lib/cvss_suite/cvss40/cvss40_threat.rb +34 -0
- data/lib/cvss_suite/cvss_31_and_before.rb +61 -0
- data/lib/cvss_suite/cvss_40_and_later.rb +51 -0
- data/lib/cvss_suite/cvss_metric.rb +7 -7
- data/lib/cvss_suite/cvss_property.rb +23 -8
- data/lib/cvss_suite/errors.rb +0 -6
- data/lib/cvss_suite/helpers/cvss31_helper.rb +0 -6
- data/lib/cvss_suite/helpers/cvss3_helper.rb +0 -6
- data/lib/cvss_suite/invalid_cvss.rb +0 -6
- data/lib/cvss_suite/version.rb +1 -7
- data/lib/cvss_suite.rb +48 -11
- metadata +40 -11
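--- a/data/lib/cvss_suite/cvss40/cvss40_constants_macro_vector_lookup.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_constants_macro_vector_lookup.rb
@@ -0,0 +1,278 @@
+module CvssSuite
+module Cvss40Constants
+# These constants were almost directly ported from the CVSS 4.0 calculator code found at https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/ac71416d935ad2ac87cd107ff87024561ea954a7/cvss_lookup.js#L1
+
+LOOKUP = {
+'000000' => 10,
+'000001' => 9.9,
+'000010' => 9.8,
+'000011' => 9.5,
+'000020' => 9.5,
+'000021' => 9.2,
+'000100' => 10,
+'000101' => 9.6,
+'000110' => 9.3,
+'000111' => 8.7,
+'000120' => 9.1,
+'000121' => 8.1,
+'000200' => 9.3,
+'000201' => 9,
+'000210' => 8.9,
+'000211' => 8,
+'000220' => 8.1,
+'000221' => 6.8,
+'001000' => 9.8,
+'001001' => 9.5,
+'001010' => 9.5,
+'001011' => 9.2,
+'001020' => 9,
+'001021' => 8.4,
+'001100' => 9.3,
+'001101' => 9.2,
+'001110' => 8.9,
+'001111' => 8.1,
+'001120' => 8.1,
+'001121' => 6.5,
+'001200' => 8.8,
+'001201' => 8,
+'001210' => 7.8,
+'001211' => 7,
+'001220' => 6.9,
+'001221' => 4.8,
+'002001' => 9.2,
+'002011' => 8.2,
+'002021' => 7.2,
+'002101' => 7.9,
+'002111' => 6.9,
+'002121' => 5,
+'002201' => 6.9,
+'002211' => 5.5,
+'002221' => 2.7,
+'010000' => 9.9,
+'010001' => 9.7,
+'010010' => 9.5,
+'010011' => 9.2,
+'010020' => 9.2,
+'010021' => 8.5,
+'010100' => 9.5,
+'010101' => 9.1,
+'010110' => 9,
+'010111' => 8.3,
+'010120' => 8.4,
+'010121' => 7.1,
+'010200' => 9.2,
+'010201' => 8.1,
+'010210' => 8.2,
+'010211' => 7.1,
+'010220' => 7.2,
+'010221' => 5.3,
+'011000' => 9.5,
+'011001' => 9.3,
+'011010' => 9.2,
+'011011' => 8.5,
+'011020' => 8.5,
+'011021' => 7.3,
+'011100' => 9.2,
+'011101' => 8.2,
+'011110' => 8,
+'011111' => 7.2,
+'011120' => 7,
+'011121' => 5.9,
+'011200' => 8.4,
+'011201' => 7,
+'011210' => 7.1,
+'011211' => 5.2,
+'011220' => 5,
+'011221' => 3,
+'012001' => 8.6,
+'012011' => 7.5,
+'012021' => 5.2,
+'012101' => 7.1,
+'012111' => 5.2,
+'012121' => 2.9,
+'012201' => 6.3,
+'012211' => 2.9,
+'012221' => 1.7,
+'100000' => 9.8,
+'100001' => 9.5,
+'100010' => 9.4,
+'100011' => 8.7,
+'100020' => 9.1,
+'100021' => 8.1,
+'100100' => 9.4,
+'100101' => 8.9,
+'100110' => 8.6,
+'100111' => 7.4,
+'100120' => 7.7,
+'100121' => 6.4,
+'100200' => 8.7,
+'100201' => 7.5,
+'100210' => 7.4,
+'100211' => 6.3,
+'100220' => 6.3,
+'100221' => 4.9,
+'101000' => 9.4,
+'101001' => 8.9,
+'101010' => 8.8,
+'101011' => 7.7,
+'101020' => 7.6,
+'101021' => 6.7,
+'101100' => 8.6,
+'101101' => 7.6,
+'101110' => 7.4,
+'101111' => 5.8,
+'101120' => 5.9,
+'101121' => 5,
+'101200' => 7.2,
+'101201' => 5.7,
+'101210' => 5.7,
+'101211' => 5.2,
+'101220' => 5.2,
+'101221' => 2.5,
+'102001' => 8.3,
+'102011' => 7,
+'102021' => 5.4,
+'102101' => 6.5,
+'102111' => 5.8,
+'102121' => 2.6,
+'102201' => 5.3,
+'102211' => 2.1,
+'102221' => 1.3,
+'110000' => 9.5,
+'110001' => 9,
+'110010' => 8.8,
+'110011' => 7.6,
+'110020' => 7.6,
+'110021' => 7,
+'110100' => 9,
+'110101' => 7.7,
+'110110' => 7.5,
+'110111' => 6.2,
+'110120' => 6.1,
+'110121' => 5.3,
+'110200' => 7.7,
+'110201' => 6.6,
+'110210' => 6.8,
+'110211' => 5.9,
+'110220' => 5.2,
+'110221' => 3,
+'111000' => 8.9,
+'111001' => 7.8,
+'111010' => 7.6,
+'111011' => 6.7,
+'111020' => 6.2,
+'111021' => 5.8,
+'111100' => 7.4,
+'111101' => 5.9,
+'111110' => 5.7,
+'111111' => 5.7,
+'111120' => 4.7,
+'111121' => 2.3,
+'111200' => 6.1,
+'111201' => 5.2,
+'111210' => 5.7,
+'111211' => 2.9,
+'111220' => 2.4,
+'111221' => 1.6,
+'112001' => 7.1,
+'112011' => 5.9,
+'112021' => 3,
+'112101' => 5.8,
+'112111' => 2.6,
+'112121' => 1.5,
+'112201' => 2.3,
+'112211' => 1.3,
+'112221' => 0.6,
+'200000' => 9.3,
+'200001' => 8.7,
+'200010' => 8.6,
+'200011' => 7.2,
+'200020' => 7.5,
+'200021' => 5.8,
+'200100' => 8.6,
+'200101' => 7.4,
+'200110' => 7.4,
+'200111' => 6.1,
+'200120' => 5.6,
+'200121' => 3.4,
+'200200' => 7,
+'200201' => 5.4,
+'200210' => 5.2,
+'200211' => 4,
+'200220' => 4,
+'200221' => 2.2,
+'201000' => 8.5,
+'201001' => 7.5,
+'201010' => 7.4,
+'201011' => 5.5,
+'201020' => 6.2,
+'201021' => 5.1,
+'201100' => 7.2,
+'201101' => 5.7,
+'201110' => 5.5,
+'201111' => 4.1,
+'201120' => 4.6,
+'201121' => 1.9,
+'201200' => 5.3,
+'201201' => 3.6,
+'201210' => 3.4,
+'201211' => 1.9,
+'201220' => 1.9,
+'201221' => 0.8,
+'202001' => 6.4,
+'202011' => 5.1,
+'202021' => 2,
+'202101' => 4.7,
+'202111' => 2.1,
+'202121' => 1.1,
+'202201' => 2.4,
+'202211' => 0.9,
+'202221' => 0.4,
+'210000' => 8.8,
+'210001' => 7.5,
+'210010' => 7.3,
+'210011' => 5.3,
+'210020' => 6,
+'210021' => 5,
+'210100' => 7.3,
+'210101' => 5.5,
+'210110' => 5.9,
+'210111' => 4,
+'210120' => 4.1,
+'210121' => 2,
+'210200' => 5.4,
+'210201' => 4.3,
+'210210' => 4.5,
+'210211' => 2.2,
+'210220' => 2,
+'210221' => 1.1,
+'211000' => 7.5,
+'211001' => 5.5,
+'211010' => 5.8,
+'211011' => 4.5,
+'211020' => 4,
+'211021' => 2.1,
+'211100' => 6.1,
+'211101' => 5.1,
+'211110' => 4.8,
+'211111' => 1.8,
+'211120' => 2,
+'211121' => 0.9,
+'211200' => 4.6,
+'211201' => 1.8,
+'211210' => 1.7,
+'211211' => 0.7,
+'211220' => 0.8,
+'211221' => 0.2,
+'212001' => 5.3,
+'212011' => 2.4,
+'212021' => 1.4,
+'212101' => 2.4,
+'212111' => 1.2,
+'212121' => 0.5,
+'212201' => 1,
+'212211' => 0.3,
+'212221' => 0.1
+}.freeze
+end
+end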
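Review bot: LOOKUP is sparse and mixes Integer and Float values, and nothing in the file tells a caller how to treat either. Keys such as '002000' are absent, so `LOOKUP[key]` returns nil for them; the calculator code that reads the table is outside this section, so whether it guards against nil cannot be confirmed here, and `LOOKUP.fetch(key)` at the call site would turn a silent nil into a KeyError. Writing whole scores as `10.0`, `9.0` and so on would keep every value a Float, so a score never changes type with the macro vector. A short comment above the constant, e.g. `# Keys are six-digit macro vectors (EQ1..EQ6); combinations not listed have no entry.`, would record the contract.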
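--- a/data/lib/cvss_suite/cvss40/cvss40_constants_max_composed.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_constants_max_composed.rb
@@ -0,0 +1,41 @@
+module CvssSuite
+module Cvss40Constants
+# These constants were almost directly ported from the CVSS 4.0 calculator code found at https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/ac71416d935ad2ac87cd107ff87024561ea954a7/max_composed.js#L4
+
+MAX_COMPOSED = {
+# // EQ1
+'eq1' => {
+'0' => ['AV:N/PR:N/UI:N/'],
+'1' => ['AV:A/PR:N/UI:N/', 'AV:N/PR:L/UI:N/', 'AV:N/PR:N/UI:P/'],
+'2' => ['AV:P/PR:N/UI:N/', 'AV:A/PR:L/UI:P/']
+},
+# // EQ2
+'eq2' => {
+'0' => ['AC:L/AT:N/'],
+'1' => ['AC:H/AT:N/', 'AC:L/AT:P/']
+},
+# // EQ3+EQ6
+'eq3' => {
+'0' => { '0' => ['VC:H/VI:H/VA:H/CR:H/IR:H/AR:H/'],
+'1' => ['VC:H/VI:H/VA:L/CR:M/IR:M/AR:H/', 'VC:H/VI:H/VA:H/CR:M/IR:M/AR:M/'] },
+'1' => { '0' => ['VC:L/VI:H/VA:H/CR:H/IR:H/AR:H/', 'VC:H/VI:L/VA:H/CR:H/IR:H/AR:H/'],
+'1' => ['VC:L/VI:H/VA:L/CR:H/IR:M/AR:H/', 'VC:L/VI:H/VA:H/CR:H/IR:M/AR:M/',
+'VC:H/VI:L/VA:H/CR:M/IR:H/AR:M/', 'VC:H/VI:L/VA:L/CR:M/IR:H/AR:H/',
+'VC:L/VI:L/VA:H/CR:H/IR:H/AR:M/'] },
+'2' => { '1' => ['VC:L/VI:L/VA:L/CR:H/IR:H/AR:H/'] }
+},
+# // EQ4
+'eq4' => {
+'0' => ['SC:H/SI:S/SA:S/'],
+'1' => ['SC:H/SI:H/SA:H/'],
+'2' => ['SC:L/SI:L/SA:L/']
+},
+# // EQ5
+'eq5' => {
+'0' => ['E:A/'],
+'1' => ['E:P/'],
+'2' => ['E:U/']
+}
+}.freeze
+end
+end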
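Review bot: The trailing `.freeze` on MAX_COMPOSED is shallow, so the nested hashes, the arrays and the vector-fragment strings all stay mutable; the nested hashes of MAX_SEVERITY in cvss40_constants_max_severity.rb have the same exposure. No `# frozen_string_literal: true` line is visible in the file, so the string literals are not frozen either. A caller that appends to or edits one of these arrays in place would change the data behind every later score computed in the same process. Consider freezing each level when the constant is built, or at least adding `# Shared scoring data: never mutate in place, dup before editing.` above the constant.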
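--- a/data/lib/cvss_suite/cvss40/cvss40_constants_max_severity.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_constants_max_severity.rb
@@ -0,0 +1,31 @@
+module CvssSuite
+module Cvss40Constants
+# These constants were almost directly ported from the CVSS 4.0 calculator code found at https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/ac71416d935ad2ac87cd107ff87024561ea954a7/max_severity.js#L1
+MAX_SEVERITY = {
+'eq1' => {
+0 => 1,
+1 => 4,
+2 => 5
+},
+'eq2' => {
+0 => 1,
+1 => 2
+},
+'eq3eq6' => {
+0 => { 0 => 7, 1 => 6 },
+1 => { 0 => 8, 1 => 8 },
+2 => { 1 => 10 }
+},
+'eq4' => {
+0 => 6,
+1 => 5,
+2 => 4
+},
+'eq5' => {
+0 => 1,
+1 => 1,
+2 => 1
+}
+}.freeze
+end
+end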
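Review bot: MAX_SEVERITY is keyed by Integer levels (`0 => 1`) and names the combined group `'eq3eq6'`, while MAX_COMPOSED in cvss40_constants_max_composed.rb uses String levels (`'0' => [...]`) and the key `'eq3'` for the same group. A lookup with the wrong key type returns nil instead of raising, so a mix-up at a call site fails silently rather than loudly. A comment above the constant such as `# Levels are Integer keys here (String keys in MAX_COMPOSED); 'eq3eq6' is indexed [eq3][eq6].` would document the difference. Normalising the key types would also touch the calculator helper, which is outside this section.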
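--- a/data/lib/cvss_suite/cvss40/cvss40_environmental.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_environmental.rb
@@ -0,0 +1,105 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+
+module CvssSuite
+##
+# This class represents a CVSS Threat metric in version 4.0.
+class Cvss40Environmental < CvssMetric
+##
+# Property of this metric
+attr_reader :modified_attack_vector, :modified_attack_complexity, :modified_attack_requirements,
+:modified_privileges_required, :modified_user_interaction, :modified_vulnerable_system_confidentiality,
+:modified_vulnerable_system_integrity, :modified_vulnerable_system_availability,
+:modified_subsequent_system_confidentiality, :modified_subsequent_system_integrity,
+:modified_subsequent_system_availability
+
+##
+# Returns score of this metric
+def score
+Cvss40CalcHelper.new(@properties.map { |p| [p.abbreviation, p.selected_value[:abbreviation]] }.to_h).score
+end
+
+private
+
+def init_properties
+@properties.push(@modified_attack_vector =
+CvssProperty.new(name: 'Modified Attack Vector', abbreviation: 'MAV',
+values: [{ name: 'Network', abbreviation: 'N' },
+{ name: 'Adjacent', abbreviation: 'A' },
+{ name: 'Local', abbreviation: 'L' },
+{ name: 'Physical', abbreviation: 'P' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_attack_complexity =
+CvssProperty.new(name: 'Modified Attack Complexity', abbreviation: 'MAC',
+values: [{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_attack_requirements =
+CvssProperty.new(name: 'Modified Attack Requirements', abbreviation: 'MAT',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Present', abbreviation: 'P' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_privileges_required =
+CvssProperty.new(name: 'Modified Privileges Required', abbreviation: 'MPR',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_user_interaction =
+CvssProperty.new(name: 'Modified User Interaction', abbreviation: 'MUI',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Passive', abbreviation: 'P' },
+{ name: 'Active', abbreviation: 'A' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@vulnerable_system_confidentiality =
+CvssProperty.new(name: 'Modified Vulnerable System Confidentiality Impact',
+abbreviation: 'MVC',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_vulnerable_system_integrity =
+CvssProperty.new(name: 'Modified Vulnerable System Integrity Impact',
+abbreviation: 'MVI',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_vulnerable_system_availability =
+CvssProperty.new(name: 'Modified Vulnerable System Availability Impact',
+abbreviation: 'MVA',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_subsequent_system_confidentiality =
+CvssProperty.new(name: 'Modified Subsequent System Confidentiality Impact',
+abbreviation: 'MSC',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_subsequent_system_integrity =
+CvssProperty.new(name: 'Modified Subsequent System Integrity Impact',
+abbreviation: 'MSI',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Safety', abbreviation: 'S' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_subsequent_system_availability =
+CvssProperty.new(name: 'Modified Subsequent System Availability Impact',
+abbreviation: 'MSA',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Safety', abbreviation: 'S' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+end
+end
+end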
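Review bot: The MVC property in init_properties is assigned to `@vulnerable_system_confidentiality`, but the reader declared above is `modified_vulnerable_system_confidentiality`, so that reader always returns nil. The property still lands in `@properties`, so code that walks the list keeps working, which is why the mismatch is easy to miss; any caller using the accessor gets nil for MVC. Change the line to `@properties.push(@modified_vulnerable_system_confidentiality =`. The class comment also says "Threat metric" and should read `# This class represents a CVSS Environmental metric in version 4.0.`.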
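--- a/data/lib/cvss_suite/cvss40/cvss40_environmental_security.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_environmental_security.rb
@@ -0,0 +1,47 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+
+module CvssSuite
+##
+# This class represents a CVSS Environmental Security metric in version 4.0.
+class Cvss40EnvironmentalSecurity < CvssMetric
+##
+# Property of this metric
+attr_reader :confidentiality_requirements, :integrity_requirements, :availability_requirements
+
+##
+# Returns score of this metric
+def score
+Cvss40CalcHelper.new(@properties.map { |p| [p.abbreviation, p.selected_value[:abbreviation]] }.to_h).score
+end
+
+private
+
+def init_properties
+@properties.push(@confidentiality_requirements =
+CvssProperty.new(name: 'Confidentiality Requirements', abbreviation: 'CR',
+values: [{ name: 'Not Defined', abbreviation: 'X' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'Medium', abbreviation: 'M' },
+{ name: 'High', abbreviation: 'H' }]))
+@properties.push(@integrity_requirements =
+CvssProperty.new(name: 'Integrity Requirements', abbreviation: 'IR',
+values: [{ name: 'Not Defined', abbreviation: 'X' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'Medium', abbreviation: 'M' },
+{ name: 'High', abbreviation: 'H' }]))
+@properties.push(@availability_requirements =
+CvssProperty.new(name: 'Availability Requirements', abbreviation: 'AR',
+values: [{ name: 'Not Defined', abbreviation: 'X' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'Medium', abbreviation: 'M' },
+{ name: 'High',
+abbreviation: 'H' }]))
+end
+end
+end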
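Review bot: `score` calls `Cvss40CalcHelper`, but the file requires only '../cvss_property' and '../cvss_metric', so the class works only when something else has already loaded the helper; cvss40_environmental.rb and cvss40_threat.rb have the same gap. The file list shows cvss40_calc_helper.rb in the same directory, so adding `require_relative 'cvss40_calc_helper'` next to the existing requires would make the dependency explicit. `p.selected_value[:abbreviation]` also assumes every property has a selected value; CvssProperty is not visible here, so whether `selected_value` can be nil for an unset metric needs checking.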
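--- a/data/lib/cvss_suite/cvss40/cvss40_supplemental.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_supplemental.rb
@@ -0,0 +1,66 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+
+module CvssSuite
+##
+# This class represents a CVSS Temporal metric in version 3.1.
+class Cvss40Supplemental < CvssMetric
+##
+# Property of this metric
+attr_reader :safety, :automatable, :recovery, :value_density,
+:vulnerability_response_effort, :provider_urgency
+
+##
+# Returns score of this metric
+def score
+return 1.0 unless valid?
+
+@exploit_code_maturity.score * @remediation_level.score * @report_confidence.score
+end
+
+private
+
+def init_properties
+@properties.push(@safety =
+CvssProperty.new(name: 'Safety', abbreviation: 'S',
+values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+{ name: 'Negligible', abbreviation: 'N', weight: 0.91 },
+{ name: 'Present', abbreviation: 'P', weight: 0.94 }]))
+@properties.push(@automatable =
+CvssProperty.new(name: 'Automatable', abbreviation: 'AU',
+values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+{ name: 'No', abbreviation: 'N', weight: 0.95 },
+{ name: 'Yes', abbreviation: 'Y', weight: 0.96 }]))
+
+@properties.push(@recovery =
+CvssProperty.new(name: 'Recovery', abbreviation: 'R',
+values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+{ name: 'Automatic', abbreviation: 'A', weight: 0.92 },
+{ name: 'User', abbreviation: 'U', weight: 0.96 },
+{ name: 'Irrecoverable', abbreviation: 'I', weight: 1.0 }]))
+@properties.push(@value_density =
+CvssProperty.new(name: 'Value Density', abbreviation: 'V',
+values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+{ name: 'Diffuse', abbreviation: 'D', weight: 0.91 },
+{ name: 'Concentrated', abbreviation: 'C', weight: 0.94 }]))
+@properties.push(@vulnerability_response_effort =
+CvssProperty.new(name: 'Vulnerability Response Effort', abbreviation: 'RE',
+values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+{ name: 'Low', abbreviation: 'L', weight: 0.91 },
+{ name: 'Moderate', abbreviation: 'M', weight: 0.91 },
+{ name: 'High', abbreviation: 'H', weight: 0.94 }]))
+@properties.push(@provider_urgency =
+CvssProperty.new(name: 'Provider Urgency', abbreviation: 'U',
+values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+{ name: 'Clear', abbreviation: 'Clear', weight: 0.91 },
+{ name: 'Green', abbreviation: 'Green', weight: 0.91 },
+{ name: 'Amber', abbreviation: 'Amber', weight: 0.91 },
+{ name: 'Red', abbreviation: 'Red', weight: 0.94 }]))
+end
+end
+end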
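Review bot: `score` multiplies `@exploit_code_maturity.score`, `@remediation_level.score` and `@report_confidence.score`, none of which init_properties assigns, so all three are nil and the method raises NoMethodError whenever `valid?` is true. The body and the class comment ("Temporal metric in version 3.1") both look carried over from a 3.x temporal class. The CVSS 4.0 specification describes Supplemental metrics as having no effect on the score, so the `weight:` values in this file appear to be unused as well. Decide what this method should return and drop the three unset variables; the comment should read `# This class represents a CVSS Supplemental metric in version 4.0.`.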
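--- a/data/lib/cvss_suite/cvss40/cvss40_threat.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_threat.rb
@@ -0,0 +1,34 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+
+module CvssSuite
+##
+# This class represents a CVSS Threat metric in version 3.1.
+class Cvss40Threat < CvssMetric
+##
+# Property of this metric
+attr_reader :exploit_maturity
+
+##
+# Returns score of this metric
+def score
+Cvss40CalcHelper.new(@properties.map { |p| [p.abbreviation, p.selected_value[:abbreviation]] }.to_h).score
+end
+
+private
+
+def init_properties
+@properties.push(@exploit_maturity =
+CvssProperty.new(name: 'Exploit Maturity', abbreviation: 'E',
+values: [{ name: 'Not Defined', abbreviation: 'X' },
+{ name: 'Attacked', abbreviation: 'A' },
+{ name: 'Proof-of-Concept', abbreviation: 'P' },
+{ name: 'Unreported', abbreviation: 'U' }]))
+end
+end
+end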
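Review bot: The class comment says "version 3.1", but Cvss40Threat is the CVSS 4.0 threat metric; it should read `# This class represents a CVSS Threat metric in version 4.0.`. The comment above `attr_reader` could also name what it exposes, for example `# Exploit Maturity (E) property of this metric`.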
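--- a/data/lib/cvss_suite/cvss_31_and_before.rb
+++ b/data/lib/cvss_suite/cvss_31_and_before.rb
@@ -0,0 +1,61 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative 'cvss'
+
+module CvssSuite
+##
+# This class represents any CVSS vector. Do not instantiate this class!
+class Cvss31AndBefore < Cvss
+##
+# Metric of a CVSS vector for CVSS 2, 3, 3.1.
+attr_reader :temporal, :environmental
+
+##
+# Creates a new CVSS vector by a +vector+, for all CVSS versions through 3.1.
+#
+# Raises an exception if it is called on Cvss31AndBefore class.
+def initialize(vector)
+raise CvssSuite::Errors::InvalidParentClass, 'Do not instantiate this class!' if instance_of? Cvss31AndBefore
+
+super
+end
+
+##
+# Returns if CVSS vector is valid.
+def valid?
+if @amount_of_properties >= required_amount_of_properties
+entered_keys = @properties.collect { |p| p[:name] }
+return false if (entered_keys - allowed_abbreviations).size.positive?
+
+check_metrics_validity
+else
+false
+end
+end
+
+##
+# Returns the Overall Score of the CVSS vector.
+def overall_score
+check_validity
+return temporal_score if @temporal.valid? && !@environmental.valid?
+return environmental_score if @environmental.valid?
+
+base_score
+end
+
+private
+
+def allowed_abbreviations
+@base.properties.collect(&:abbreviation) +
+@temporal.properties.collect(&:abbreviation) +
+@environmental.properties.collect(&:abbreviation)
+end
+
+def check_metrics_validity
+@base.valid? && @temporal&.valid? && @environmental&.valid?
+end
+end
+end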
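Review bot: `check_metrics_validity` guards `@temporal` and `@environmental` with `&.`, but `allowed_abbreviations` (called earlier in `valid?`) and `overall_score` dereference both without it. If either can be nil, `valid?` raises NoMethodError before the guarded line is reached; if neither can, the `&.` is misleading and lets `valid?` return nil instead of false. Pick one contract: either drop the safe navigation, `@base.valid? && @temporal.valid? && @environmental.valid?`, or guard all three sites. It is also worth confirming that requiring all three metrics to be valid agrees with `overall_score`, which treats temporal and environmental as optional; CvssMetric#valid? is outside this section.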