cvss-suite 3.1.0 → 3.2.0
- checksums.yaml +4 -4
- data/.github/workflows/rspec.yml +4 -4
- data/.github/workflows/rubocop.yml +3 -4
- data/.rubocop.yml +20 -0
- data/.rubocop_todo.yml +2 -2
- data/CHANGES.md +13 -0
- data/CODE_OF_CONDUCT.md +9 -2
- data/Gemfile +0 -6
- data/LICENSE.md +10 -1
- data/README.md +20 -5
- data/cvss_suite.gemspec +7 -10
- data/lib/cvss_suite/cvss.rb +4 -32
- data/lib/cvss_suite/cvss2/cvss2.rb +2 -8
- data/lib/cvss_suite/cvss2/cvss2_base.rb +0 -6
- data/lib/cvss_suite/cvss2/cvss2_environmental.rb +0 -6
- data/lib/cvss_suite/cvss2/cvss2_temporal.rb +0 -6
- data/lib/cvss_suite/cvss3/cvss3.rb +8 -8
- data/lib/cvss_suite/cvss3/cvss3_base.rb +0 -6
- data/lib/cvss_suite/cvss3/cvss3_environmental.rb +0 -6
- data/lib/cvss_suite/cvss3/cvss3_temporal.rb +0 -6
- data/lib/cvss_suite/cvss31/cvss31.rb +8 -8
- data/lib/cvss_suite/cvss31/cvss31_base.rb +0 -6
- data/lib/cvss_suite/cvss31/cvss31_environmental.rb +0 -6
- data/lib/cvss_suite/cvss31/cvss31_temporal.rb +0 -6
- data/lib/cvss_suite/cvss40/cvss40.rb +43 -0
- data/lib/cvss_suite/cvss40/cvss40_all_up.rb +40 -0
- data/lib/cvss_suite/cvss40/cvss40_base.rb +86 -0
- data/lib/cvss_suite/cvss40/cvss40_calc_helper.rb +389 -0
- data/lib/cvss_suite/cvss40/cvss40_constants_levels.rb +26 -0
- data/lib/cvss_suite/cvss40/cvss40_constants_macro_vector_lookup.rb +278 -0
- data/lib/cvss_suite/cvss40/cvss40_constants_max_composed.rb +41 -0
- data/lib/cvss_suite/cvss40/cvss40_constants_max_severity.rb +31 -0
- data/lib/cvss_suite/cvss40/cvss40_environmental.rb +105 -0
- data/lib/cvss_suite/cvss40/cvss40_environmental_security.rb +47 -0
- data/lib/cvss_suite/cvss40/cvss40_supplemental.rb +66 -0
- data/lib/cvss_suite/cvss40/cvss40_threat.rb +34 -0
- data/lib/cvss_suite/cvss_31_and_before.rb +50 -0
- data/lib/cvss_suite/cvss_40_and_later.rb +45 -0
- data/lib/cvss_suite/cvss_metric.rb +4 -6
- data/lib/cvss_suite/cvss_property.rb +0 -6
- data/lib/cvss_suite/errors.rb +0 -6
- data/lib/cvss_suite/extensions/string.rb +8 -0
- data/lib/cvss_suite/helpers/cvss31_helper.rb +0 -6
- data/lib/cvss_suite/helpers/cvss3_helper.rb +0 -6
- data/lib/cvss_suite/invalid_cvss.rb +0 -6
- data/lib/cvss_suite/version.rb +1 -7
- data/lib/cvss_suite.rb +6 -7
- metadata +41 -12
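--- a/data/lib/cvss_suite/cvss40/cvss40_constants_macro_vector_lookup.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_constants_macro_vector_lookup.rb
@@ -0,0 +1,278 @@
+module CvssSuite
+module Cvss40Constants
+# These constants were almost directly ported from the CVSS 4.0 calculator code found at https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/ac71416d935ad2ac87cd107ff87024561ea954a7/cvss_lookup.js#L1
+
+LOOKUP = {
+'000000' => 10,
+'000001' => 9.9,
+'000010' => 9.8,
+'000011' => 9.5,
+'000020' => 9.5,
+'000021' => 9.2,
+'000100' => 10,
+'000101' => 9.6,
+'000110' => 9.3,
+'000111' => 8.7,
+'000120' => 9.1,
+'000121' => 8.1,
+'000200' => 9.3,
+'000201' => 9,
+'000210' => 8.9,
+'000211' => 8,
+'000220' => 8.1,
+'000221' => 6.8,
+'001000' => 9.8,
+'001001' => 9.5,
+'001010' => 9.5,
+'001011' => 9.2,
+'001020' => 9,
+'001021' => 8.4,
+'001100' => 9.3,
+'001101' => 9.2,
+'001110' => 8.9,
+'001111' => 8.1,
+'001120' => 8.1,
+'001121' => 6.5,
+'001200' => 8.8,
+'001201' => 8,
+'001210' => 7.8,
+'001211' => 7,
+'001220' => 6.9,
+'001221' => 4.8,
+'002001' => 9.2,
+'002011' => 8.2,
+'002021' => 7.2,
+'002101' => 7.9,
+'002111' => 6.9,
+'002121' => 5,
+'002201' => 6.9,
+'002211' => 5.5,
+'002221' => 2.7,
+'010000' => 9.9,
+'010001' => 9.7,
+'010010' => 9.5,
+'010011' => 9.2,
+'010020' => 9.2,
+'010021' => 8.5,
+'010100' => 9.5,
+'010101' => 9.1,
+'010110' => 9,
+'010111' => 8.3,
+'010120' => 8.4,
+'010121' => 7.1,
+'010200' => 9.2,
+'010201' => 8.1,
+'010210' => 8.2,
+'010211' => 7.1,
+'010220' => 7.2,
+'010221' => 5.3,
+'011000' => 9.5,
+'011001' => 9.3,
+'011010' => 9.2,
+'011011' => 8.5,
+'011020' => 8.5,
+'011021' => 7.3,
+'011100' => 9.2,
+'011101' => 8.2,
+'011110' => 8,
+'011111' => 7.2,
+'011120' => 7,
+'011121' => 5.9,
+'011200' => 8.4,
+'011201' => 7,
+'011210' => 7.1,
+'011211' => 5.2,
+'011220' => 5,
+'011221' => 3,
+'012001' => 8.6,
+'012011' => 7.5,
+'012021' => 5.2,
+'012101' => 7.1,
+'012111' => 5.2,
+'012121' => 2.9,
+'012201' => 6.3,
+'012211' => 2.9,
+'012221' => 1.7,
+'100000' => 9.8,
+'100001' => 9.5,
+'100010' => 9.4,
+'100011' => 8.7,
+'100020' => 9.1,
+'100021' => 8.1,
+'100100' => 9.4,
+'100101' => 8.9,
+'100110' => 8.6,
+'100111' => 7.4,
+'100120' => 7.7,
+'100121' => 6.4,
+'100200' => 8.7,
+'100201' => 7.5,
+'100210' => 7.4,
+'100211' => 6.3,
+'100220' => 6.3,
+'100221' => 4.9,
+'101000' => 9.4,
+'101001' => 8.9,
+'101010' => 8.8,
+'101011' => 7.7,
+'101020' => 7.6,
+'101021' => 6.7,
+'101100' => 8.6,
+'101101' => 7.6,
+'101110' => 7.4,
+'101111' => 5.8,
+'101120' => 5.9,
+'101121' => 5,
+'101200' => 7.2,
+'101201' => 5.7,
+'101210' => 5.7,
+'101211' => 5.2,
+'101220' => 5.2,
+'101221' => 2.5,
+'102001' => 8.3,
+'102011' => 7,
+'102021' => 5.4,
+'102101' => 6.5,
+'102111' => 5.8,
+'102121' => 2.6,
+'102201' => 5.3,
+'102211' => 2.1,
+'102221' => 1.3,
+'110000' => 9.5,
+'110001' => 9,
+'110010' => 8.8,
+'110011' => 7.6,
+'110020' => 7.6,
+'110021' => 7,
+'110100' => 9,
+'110101' => 7.7,
+'110110' => 7.5,
+'110111' => 6.2,
+'110120' => 6.1,
+'110121' => 5.3,
+'110200' => 7.7,
+'110201' => 6.6,
+'110210' => 6.8,
+'110211' => 5.9,
+'110220' => 5.2,
+'110221' => 3,
+'111000' => 8.9,
+'111001' => 7.8,
+'111010' => 7.6,
+'111011' => 6.7,
+'111020' => 6.2,
+'111021' => 5.8,
+'111100' => 7.4,
+'111101' => 5.9,
+'111110' => 5.7,
+'111111' => 5.7,
+'111120' => 4.7,
+'111121' => 2.3,
+'111200' => 6.1,
+'111201' => 5.2,
+'111210' => 5.7,
+'111211' => 2.9,
+'111220' => 2.4,
+'111221' => 1.6,
+'112001' => 7.1,
+'112011' => 5.9,
+'112021' => 3,
+'112101' => 5.8,
+'112111' => 2.6,
+'112121' => 1.5,
+'112201' => 2.3,
+'112211' => 1.3,
+'112221' => 0.6,
+'200000' => 9.3,
+'200001' => 8.7,
+'200010' => 8.6,
+'200011' => 7.2,
+'200020' => 7.5,
+'200021' => 5.8,
+'200100' => 8.6,
+'200101' => 7.4,
+'200110' => 7.4,
+'200111' => 6.1,
+'200120' => 5.6,
+'200121' => 3.4,
+'200200' => 7,
+'200201' => 5.4,
+'200210' => 5.2,
+'200211' => 4,
+'200220' => 4,
+'200221' => 2.2,
+'201000' => 8.5,
+'201001' => 7.5,
+'201010' => 7.4,
+'201011' => 5.5,
+'201020' => 6.2,
+'201021' => 5.1,
+'201100' => 7.2,
+'201101' => 5.7,
+'201110' => 5.5,
+'201111' => 4.1,
+'201120' => 4.6,
+'201121' => 1.9,
+'201200' => 5.3,
+'201201' => 3.6,
+'201210' => 3.4,
+'201211' => 1.9,
+'201220' => 1.9,
+'201221' => 0.8,
+'202001' => 6.4,
+'202011' => 5.1,
+'202021' => 2,
+'202101' => 4.7,
+'202111' => 2.1,
+'202121' => 1.1,
+'202201' => 2.4,
+'202211' => 0.9,
+'202221' => 0.4,
+'210000' => 8.8,
+'210001' => 7.5,
+'210010' => 7.3,
+'210011' => 5.3,
+'210020' => 6,
+'210021' => 5,
+'210100' => 7.3,
+'210101' => 5.5,
+'210110' => 5.9,
+'210111' => 4,
+'210120' => 4.1,
+'210121' => 2,
+'210200' => 5.4,
+'210201' => 4.3,
+'210210' => 4.5,
+'210211' => 2.2,
+'210220' => 2,
+'210221' => 1.1,
+'211000' => 7.5,
+'211001' => 5.5,
+'211010' => 5.8,
+'211011' => 4.5,
+'211020' => 4,
+'211021' => 2.1,
+'211100' => 6.1,
+'211101' => 5.1,
+'211110' => 4.8,
+'211111' => 1.8,
+'211120' => 2,
+'211121' => 0.9,
+'211200' => 4.6,
+'211201' => 1.8,
+'211210' => 1.7,
+'211211' => 0.7,
+'211220' => 0.8,
+'211221' => 0.2,
+'212001' => 5.3,
+'212011' => 2.4,
+'212021' => 1.4,
+'212101' => 2.4,
+'212111' => 1.2,
+'212121' => 0.5,
+'212201' => 1,
+'212211' => 0.3,
+'212221' => 0.1
+}.freeze
+end
+end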
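Review bot: The comment above `LOOKUP` does not say what the six-character keys encode or that some combinations are deliberately absent, and a Ruby Hash returns nil for an absent key. No key in the table pairs a third digit of 2 with a last digit of 0 (there is no `'002000'`, for example), so code that probes a neighbouring macro vector must treat nil as "no such vector" rather than feed it into score arithmetic. I would add a comment such as `# Keys are the macro vector digits EQ1..EQ6; combinations that cannot occur are omitted, so LOOKUP[key] may be nil.` The values also mix Integer (`10`, `9`) and Float literals; writing them all as Floats (`10.0`) keeps later arithmetic in one numeric type.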
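--- a/data/lib/cvss_suite/cvss40/cvss40_constants_max_composed.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_constants_max_composed.rb
@@ -0,0 +1,41 @@
+module CvssSuite
+module Cvss40Constants
+# These constants were almost directly ported from the CVSS 4.0 calculator code found at https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/ac71416d935ad2ac87cd107ff87024561ea954a7/max_composed.js#L4
+
+MAX_COMPOSED = {
+# // EQ1
+'eq1' => {
+'0' => ['AV:N/PR:N/UI:N/'],
+'1' => ['AV:A/PR:N/UI:N/', 'AV:N/PR:L/UI:N/', 'AV:N/PR:N/UI:P/'],
+'2' => ['AV:P/PR:N/UI:N/', 'AV:A/PR:L/UI:P/']
+},
+# // EQ2
+'eq2' => {
+'0' => ['AC:L/AT:N/'],
+'1' => ['AC:H/AT:N/', 'AC:L/AT:P/']
+},
+# // EQ3+EQ6
+'eq3' => {
+'0' => { '0' => ['VC:H/VI:H/VA:H/CR:H/IR:H/AR:H/'],
+'1' => ['VC:H/VI:H/VA:L/CR:M/IR:M/AR:H/', 'VC:H/VI:H/VA:H/CR:M/IR:M/AR:M/'] },
+'1' => { '0' => ['VC:L/VI:H/VA:H/CR:H/IR:H/AR:H/', 'VC:H/VI:L/VA:H/CR:H/IR:H/AR:H/'],
+'1' => ['VC:L/VI:H/VA:L/CR:H/IR:M/AR:H/', 'VC:L/VI:H/VA:H/CR:H/IR:M/AR:M/',
+'VC:H/VI:L/VA:H/CR:M/IR:H/AR:M/', 'VC:H/VI:L/VA:L/CR:M/IR:H/AR:H/',
+'VC:L/VI:L/VA:H/CR:H/IR:H/AR:M/'] },
+'2' => { '1' => ['VC:L/VI:L/VA:L/CR:H/IR:H/AR:H/'] }
+},
+# // EQ4
+'eq4' => {
+'0' => ['SC:H/SI:S/SA:S/'],
+'1' => ['SC:H/SI:H/SA:H/'],
+'2' => ['SC:L/SI:L/SA:L/']
+},
+# // EQ5
+'eq5' => {
+'0' => ['E:A/'],
+'1' => ['E:P/'],
+'2' => ['E:U/']
+}
+}.freeze
+end
+end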
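Review bot: The `.freeze` on `MAX_COMPOSED` is shallow, so the nested hashes, the arrays and the vector-fragment strings inside them stay mutable and any code holding the constant can change the table that scoring relies on for the rest of the process. The file shown here has no `# frozen_string_literal: true` line, so the string literals are not frozen either. I would add that magic comment as the first line and freeze each inner level, e.g. `'0' => ['AV:N/PR:N/UI:N/'].freeze`, with `.freeze` on every inner hash as well. The nested hashes in `MAX_SEVERITY` are left mutable in the same way.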
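--- a/data/lib/cvss_suite/cvss40/cvss40_constants_max_severity.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_constants_max_severity.rb
@@ -0,0 +1,31 @@
+module CvssSuite
+module Cvss40Constants
+# These constants were almost directly ported from the CVSS 4.0 calculator code found at https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/ac71416d935ad2ac87cd107ff87024561ea954a7/max_severity.js#L1
+MAX_SEVERITY = {
+'eq1' => {
+0 => 1,
+1 => 4,
+2 => 5
+},
+'eq2' => {
+0 => 1,
+1 => 2
+},
+'eq3eq6' => {
+0 => { 0 => 7, 1 => 6 },
+1 => { 0 => 8, 1 => 8 },
+2 => { 1 => 10 }
+},
+'eq4' => {
+0 => 6,
+1 => 5,
+2 => 4
+},
+'eq5' => {
+0 => 1,
+1 => 1,
+2 => 1
+}
+}.freeze
+end
+end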
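Review bot: `MAX_SEVERITY` indexes its levels with Integer keys (`0 => 1`) and names the combined table `'eq3eq6'`, while `MAX_COMPOSED` uses String keys (`'0' => [...]`) and stores the same combined table under `'eq3'`. A caller that indexes one table with the other's key type or name gets nil instead of an error, and nil then flows into the score computation. I would either align the two tables on one key type and one name, or add a comment here stating the convention, for example `# Level keys are Integers here (Strings in MAX_COMPOSED); 'eq3eq6' is indexed [eq3][eq6].`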
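--- a/data/lib/cvss_suite/cvss40/cvss40_environmental.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_environmental.rb
@@ -0,0 +1,105 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+
+module CvssSuite
+##
+# This class represents a CVSS Threat metric in version 4.0.
+class Cvss40Environmental < CvssMetric
+##
+# Property of this metric
+attr_reader :modified_attack_vector, :modified_attack_complexity, :modified_attack_requirements,
+:modified_privileges_required, :modified_user_interaction, :modified_vulnerable_system_confidentiality,
+:modified_vulnerable_system_integrity, :modified_vulnerable_system_availability,
+:modified_subsequent_system_confidentiality, :modified_subsequent_system_integrity,
+:modified_subsequent_system_availability
+
+##
+# Returns score of this metric
+def score
+Cvss40CalcHelper.new(@properties.map { |p| [p.abbreviation, p.selected_value[:abbreviation]] }.to_h).score
+end
+
+private
+
+def init_properties
+@properties.push(@modified_attack_vector =
+CvssProperty.new(name: 'Modified Attack Vector', abbreviation: 'MAV',
+values: [{ name: 'Network', abbreviation: 'N' },
+{ name: 'Adjacent', abbreviation: 'A' },
+{ name: 'Local', abbreviation: 'L' },
+{ name: 'Physical', abbreviation: 'P' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_attack_complexity =
+CvssProperty.new(name: 'Modified Attack Complexity', abbreviation: 'MAC',
+values: [{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_attack_requirements =
+CvssProperty.new(name: 'Modified Attack Requirements', abbreviation: 'MAT',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Present', abbreviation: 'P' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_privileges_required =
+CvssProperty.new(name: 'Modified Privileges Required', abbreviation: 'MPR',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_user_interaction =
+CvssProperty.new(name: 'Modified User Interaction', abbreviation: 'MUI',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Passive', abbreviation: 'P' },
+{ name: 'Active', abbreviation: 'A' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@vulnerable_system_confidentiality =
+CvssProperty.new(name: 'Modified Vulnerable System Confidentiality Impact',
+abbreviation: 'MVC',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_vulnerable_system_integrity =
+CvssProperty.new(name: 'Modified Vulnerable System Integrity Impact',
+abbreviation: 'MVI',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_vulnerable_system_availability =
+CvssProperty.new(name: 'Modified Vulnerable System Availability Impact',
+abbreviation: 'MVA',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_subsequent_system_confidentiality =
+CvssProperty.new(name: 'Modified Subsequent System Confidentiality Impact',
+abbreviation: 'MSC',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_subsequent_system_integrity =
+CvssProperty.new(name: 'Modified Subsequent System Integrity Impact',
+abbreviation: 'MSI',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Safety', abbreviation: 'S' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+@properties.push(@modified_subsequent_system_availability =
+CvssProperty.new(name: 'Modified Subsequent System Availability Impact',
+abbreviation: 'MSA',
+values: [{ name: 'None', abbreviation: 'N' },
+{ name: 'Safety', abbreviation: 'S' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'High', abbreviation: 'H' },
+{ name: 'Not Defined', abbreviation: 'X' }]))
+end
+end
+end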
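Review bot: `init_properties` stores the MVC property in `@vulnerable_system_confidentiality`, but the `attr_reader` list declares `:modified_vulnerable_system_confidentiality`, so that reader always returns nil while the other ten readers return their property. The assignment should read `@properties.push(@modified_vulnerable_system_confidentiality =`. The class comment also says "Threat metric" although the class is `Cvss40Environmental`; the comments on `Cvss40Supplemental` ("Temporal metric in version 3.1") and `Cvss40Threat` ("version 3.1") are stale in the same way and should name their own metric group and version 4.0.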
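--- a/data/lib/cvss_suite/cvss40/cvss40_environmental_security.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_environmental_security.rb
@@ -0,0 +1,47 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+
+module CvssSuite
+##
+# This class represents a CVSS Environmental Security metric in version 4.0.
+class Cvss40EnvironmentalSecurity < CvssMetric
+##
+# Property of this metric
+attr_reader :confidentiality_requirements, :integrity_requirements, :availability_requirements
+
+##
+# Returns score of this metric
+def score
+Cvss40CalcHelper.new(@properties.map { |p| [p.abbreviation, p.selected_value[:abbreviation]] }.to_h).score
+end
+
+private
+
+def init_properties
+@properties.push(@confidentiality_requirements =
+CvssProperty.new(name: 'Confidentiality Requirements', abbreviation: 'CR',
+values: [{ name: 'Not Defined', abbreviation: 'X' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'Medium', abbreviation: 'M' },
+{ name: 'High', abbreviation: 'H' }]))
+@properties.push(@integrity_requirements =
+CvssProperty.new(name: 'Integrity Requirements', abbreviation: 'IR',
+values: [{ name: 'Not Defined', abbreviation: 'X' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'Medium', abbreviation: 'M' },
+{ name: 'High', abbreviation: 'H' }]))
+@properties.push(@availability_requirements =
+CvssProperty.new(name: 'Availability Requirements', abbreviation: 'AR',
+values: [{ name: 'Not Defined', abbreviation: 'X' },
+{ name: 'Low', abbreviation: 'L' },
+{ name: 'Medium', abbreviation: 'M' },
+{ name: 'High',
+abbreviation: 'H' }]))
+end
+end
+end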
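Review bot: `score` hands `Cvss40CalcHelper` a hash built from this group's three properties only (CR, IR, AR), and the same method body appears in `Cvss40Environmental` and `Cvss40Threat`. The helper is not visible in this section, so I cannot tell what it does when the base metrics are absent from the hash; if it substitutes defaults, the number returned does not correspond to any real vector and should not be used on its own for prioritisation. `p.selected_value[:abbreviation]` would also raise on nil if a property can be left without a selected value, which is worth confirming against `CvssProperty`. If a per-group value is intended, I would say so in the doc comment, e.g. `# Not a standalone CVSS 4.0 score; only meaningful together with the base metrics.`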
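--- a/data/lib/cvss_suite/cvss40/cvss40_supplemental.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_supplemental.rb
@@ -0,0 +1,66 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+
+module CvssSuite
+##
+# This class represents a CVSS Temporal metric in version 3.1.
+class Cvss40Supplemental < CvssMetric
+##
+# Property of this metric
+attr_reader :safety, :automatable, :recovery, :value_density,
+:vulnerability_response_effort, :provider_urgency
+
+##
+# Returns score of this metric
+def score
+return 1.0 unless valid?
+
+@exploit_code_maturity.score * @remediation_level.score * @report_confidence.score
+end
+
+private
+
+def init_properties
+@properties.push(@safety =
+CvssProperty.new(name: 'Safety', abbreviation: 'S',
+values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+{ name: 'Negligible', abbreviation: 'N', weight: 0.91 },
+{ name: 'Present', abbreviation: 'P', weight: 0.94 }]))
+@properties.push(@automatable =
+CvssProperty.new(name: 'Automatable', abbreviation: 'AU',
+values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+{ name: 'No', abbreviation: 'N', weight: 0.95 },
+{ name: 'Yes', abbreviation: 'Y', weight: 0.96 }]))
+
+@properties.push(@recovery =
+CvssProperty.new(name: 'Recovery', abbreviation: 'R',
+values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+{ name: 'Automatic', abbreviation: 'A', weight: 0.92 },
+{ name: 'User', abbreviation: 'U', weight: 0.96 },
+{ name: 'Irrecoverable', abbreviation: 'I', weight: 1.0 }]))
+@properties.push(@value_density =
+CvssProperty.new(name: 'Value Density', abbreviation: 'V',
+values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+{ name: 'Diffuse', abbreviation: 'D', weight: 0.91 },
+{ name: 'Concentrated', abbreviation: 'C', weight: 0.94 }]))
+@properties.push(@vulnerability_response_effort =
+CvssProperty.new(name: 'Vulnerability Response Effort', abbreviation: 'RE',
+values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+{ name: 'Low', abbreviation: 'L', weight: 0.91 },
+{ name: 'Moderate', abbreviation: 'M', weight: 0.91 },
+{ name: 'High', abbreviation: 'H', weight: 0.94 }]))
+@properties.push(@provider_urgency =
+CvssProperty.new(name: 'Provider Urgency', abbreviation: 'U',
+values: [{ name: 'Not Defined', abbreviation: 'X', weight: 1.0 },
+{ name: 'Clear', abbreviation: 'Clear', weight: 0.91 },
+{ name: 'Green', abbreviation: 'Green', weight: 0.91 },
+{ name: 'Amber', abbreviation: 'Amber', weight: 0.91 },
+{ name: 'Red', abbreviation: 'Red', weight: 0.94 }]))
+end
+end
+end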
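Review bot: `score` multiplies `@exploit_code_maturity.score`, `@remediation_level.score` and `@report_confidence.score`, but `init_properties` in this class never assigns those instance variables (it sets `@safety`, `@automatable`, `@recovery`, `@value_density`, `@vulnerability_response_effort` and `@provider_urgency`), so the call raises NoMethodError on nil whenever `valid?` is true. In CVSS 4.0 the supplemental metrics do not change the numeric score, so the `weight:` entries on every value look like leftovers from the temporal class this file appears to be copied from. If callers need the method at all, I would return the neutral `1.0` it already uses for the invalid case and state that in the comment, e.g. `# Supplemental metrics carry context only and do not alter the CVSS 4.0 score.`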
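--- a/data/lib/cvss_suite/cvss40/cvss40_threat.rb
+++ b/data/lib/cvss_suite/cvss40/cvss40_threat.rb
@@ -0,0 +1,34 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative '../cvss_property'
+require_relative '../cvss_metric'
+
+module CvssSuite
+##
+# This class represents a CVSS Threat metric in version 3.1.
+class Cvss40Threat < CvssMetric
+##
+# Property of this metric
+attr_reader :exploit_maturity
+
+##
+# Returns score of this metric
+def score
+Cvss40CalcHelper.new(@properties.map { |p| [p.abbreviation, p.selected_value[:abbreviation]] }.to_h).score
+end
+
+private
+
+def init_properties
+@properties.push(@exploit_maturity =
+CvssProperty.new(name: 'Exploit Maturity', abbreviation: 'E',
+values: [{ name: 'Not Defined', abbreviation: 'X' },
+{ name: 'Attacked', abbreviation: 'A' },
+{ name: 'Proof-of-Concept', abbreviation: 'P' },
+{ name: 'Unreported', abbreviation: 'U' }]))
+end
+end
+end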
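--- a/data/lib/cvss_suite/cvss_31_and_before.rb
+++ b/data/lib/cvss_suite/cvss_31_and_before.rb
@@ -0,0 +1,50 @@
+# CVSS-Suite, a Ruby gem to manage the CVSS vector
+#
+# This work is licensed under the terms of the MIT license.
+# See the LICENSE.md file in the top-level directory.
+
+require_relative 'cvss'
+
+module CvssSuite
+##
+# This class represents any CVSS vector. Do not instantiate this class!
+class Cvss31AndBefore < Cvss
+##
+# Metric of a CVSS vector for CVSS 2, 3, 3.1.
+attr_reader :temporal, :environmental
+
+##
+# Creates a new CVSS vector by a +vector+, for all CVSS versions through 3.1.
+#
+# Raises an exception if it is called on Cvss31AndBefore class.
+def initialize(vector)
+raise CvssSuite::Errors::InvalidParentClass, 'Do not instantiate this class!' if instance_of? Cvss31AndBefore
+
+super
+end
+
+##
+# Returns if CVSS vector is valid.
+def valid?
+if @amount_of_properties >= required_amount_of_properties
+base = @base.valid?
+temporal = @base.valid? && @temporal&.valid?
+environmental = @base.valid? && @environmental&.valid?
+full = @base.valid? && @temporal&.valid? && @environmental&.valid?
+base || temporal || environmental || full
+else
+false
+end
+end
+
+##
+# Returns the Overall Score of the CVSS vector.
+def overall_score
+check_validity
+return temporal_score if @temporal.valid? && !@environmental.valid?
+return environmental_score if @environmental.valid?
+
+base_score
+end
+end
+end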
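Review bot: `overall_score` calls `@temporal.valid?` and `@environmental.valid?` directly, while `valid?` just above guards the same objects with `&.`; if either can be nil, as that guard suggests, `overall_score` raises NoMethodError on a vector that `valid?` accepted. I would use the safe form in both places, e.g. `return temporal_score if @temporal&.valid? && !@environmental&.valid?`. Separately, every term in `base || temporal || environmental || full` is and-ed with `@base.valid?`, so inside the property-count check the result is simply `@base.valid?` and invalid temporal or environmental metrics never make the vector invalid. If that is intended it deserves a comment such as `# Only the base group is mandatory; optional groups do not affect validity.`, otherwise the expression needs to reject such groups.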