cvss-suite 3.3.0 → 4.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/rspec.yml +1 -1
- data/CHANGES.md +16 -0
- data/LICENSE.md +2 -0
- data/README.md +4 -0
- data/lib/cvss_suite/cvss2/cvss2_base.rb +9 -1
- data/lib/cvss_suite/cvss3/cvss3_base.rb +27 -12
- data/lib/cvss_suite/cvss31/cvss31_base.rb +27 -12
- data/lib/cvss_suite/cvss40/cvss40_all_up.rb +1 -1
- data/lib/cvss_suite/cvss40/cvss40_base.rb +0 -6
- data/lib/cvss_suite/cvss40/cvss40_environmental.rb +0 -6
- data/lib/cvss_suite/cvss40/cvss40_environmental_security.rb +0 -6
- data/lib/cvss_suite/cvss40/cvss40_supplemental.rb +0 -8
- data/lib/cvss_suite/cvss40/cvss40_threat.rb +0 -6
- data/lib/cvss_suite/cvss_40_and_later.rb +2 -2
- data/lib/cvss_suite/version.rb +1 -1
- metadata +4 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 615e1ce401360d6127ec8a397b0d919b581588cbebe00d48fa1a8354d51397bc
|
|
4
|
+
data.tar.gz: e8a8615c60983eae67971a2b86d465afc79be4ae5b0c0c099504b676f1a1e74c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f68645079416546c5bb80e0a2ec0688a58e6889f9d334621130d563c882e90b735a9d2cad8bdf00c7e92c79b5d233e4bbca645d81347715dbacb25448addde30
|
|
7
|
+
data.tar.gz: e4bf4cd7073062cc9a2504d6f4cda6485d7b187c22ec9928740b9af89a2a990baa220f54b3843931cb43d27b5851290ad18c2f4ddbfc350990c425a7b7c0df6a
|
data/.github/workflows/rspec.yml
CHANGED
data/CHANGES.md
CHANGED
|
@@ -2,6 +2,22 @@
|
|
|
2
2
|
All notable changes to this project will be documented in this file.
|
|
3
3
|
This project adheres to [Semantic Versioning](http://semver.org/).
|
|
4
4
|
|
|
5
|
+
## [4.1.0] - 2025-04-27
|
|
6
|
+
|
|
7
|
+
### Improvements
|
|
8
|
+
* Expose impact and exploitability sub-scores. (@jgarber-cisco)
|
|
9
|
+
|
|
10
|
+
## [4.0.0] - 2024-08-31
|
|
11
|
+
|
|
12
|
+
### Breaking Changes
|
|
13
|
+
* Removed score method for all CVSS 4.0 metrics. Since CVSS 4.0 only has one score, it doesn't make sense for each metric to return a separate score. See [#46](https://github.com/0llirocks/cvss-suite/issues/46) for more information.
|
|
14
|
+
|
|
15
|
+
## [3.3.0] - 2024-08-31
|
|
16
|
+
|
|
17
|
+
### Improvements
|
|
18
|
+
* Prepare support for ruby 3.4. Closes [#44](https://github.com/0llirocks/cvss-suite/issues/44). Many thanks to @HParker for adding this feature.
|
|
19
|
+
* Add score method for CVSS 4.0 and later as an alias for overall_score.
|
|
20
|
+
|
|
5
21
|
## [3.2.2] - 2024-08-04
|
|
6
22
|
|
|
7
23
|
### Fixes
|
data/LICENSE.md
CHANGED
|
@@ -12,6 +12,8 @@ Contributors:
|
|
|
12
12
|
- joePedantic <https://github.com/joePedantic>
|
|
13
13
|
- Brandyn Phelps <https://github.com/brphelps>
|
|
14
14
|
- Karim ElGhandour <https://github.com/kghandour>
|
|
15
|
+
- Adam Hess <https://github.com/HParker>
|
|
16
|
+
- Jason Garber <https://github.com/jgarber>
|
|
15
17
|
|
|
16
18
|
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
|
17
19
|
this software and associated documentation files (the "Software"), to deal in
|
data/README.md
CHANGED
|
@@ -33,6 +33,10 @@ Or install it yourself as:
|
|
|
33
33
|
|
|
34
34
|
$ gem install cvss-suite
|
|
35
35
|
|
|
36
|
+
## Version 3.x
|
|
37
|
+
|
|
38
|
+
If you are still using CvssSuite 3.x please refer to the [specific branch](https://github.com/0llirocks/cvss-suite/tree/3.x) for documentation and changelog.
|
|
39
|
+
|
|
36
40
|
## Version 2.x
|
|
37
41
|
|
|
38
42
|
If you are still using CvssSuite 2.x please refer to the [specific branch](https://github.com/0llirocks/cvss-suite/tree/2.x) for documentation and changelog.
|
|
@@ -30,6 +30,14 @@ module CvssSuite
|
|
|
30
30
|
((0.6 * impact) + (0.4 * exploitability) - 1.5) * additional_impact
|
|
31
31
|
end
|
|
32
32
|
|
|
33
|
+
def impact_subscore
|
|
34
|
+
calc_impact.round(1)
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def exploitability_subscore
|
|
38
|
+
calc_exploitability.round(1)
|
|
39
|
+
end
|
|
40
|
+
|
|
33
41
|
private
|
|
34
42
|
|
|
35
43
|
def init_properties
|
|
@@ -65,7 +73,7 @@ module CvssSuite
|
|
|
65
73
|
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
|
66
74
|
end
|
|
67
75
|
|
|
68
|
-
def calc_impact(sr_cr_score, sr_ir_score, sr_ar_score)
|
|
76
|
+
def calc_impact(sr_cr_score = 1, sr_ir_score = 1, sr_ar_score = 1)
|
|
69
77
|
confidentiality_score = 1 - @confidentiality_impact.score * sr_cr_score
|
|
70
78
|
integrity_score = 1 - @integrity_impact.score * sr_ir_score
|
|
71
79
|
availability_score = 1 - @availability_impact.score * sr_ar_score
|
|
@@ -19,18 +19,8 @@ module CvssSuite
|
|
|
19
19
|
##
|
|
20
20
|
# Returns score of this metric
|
|
21
21
|
def score
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
exploitability = 8.22 * @attack_vector.score * @attack_complexity.score *
|
|
25
|
-
privilege_score * @user_interaction.score
|
|
26
|
-
|
|
27
|
-
isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
|
|
28
|
-
|
|
29
|
-
impact_sub_score = if @scope.selected_value[:name] == 'Changed'
|
|
30
|
-
7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
|
|
31
|
-
else
|
|
32
|
-
6.42 * isc_base
|
|
33
|
-
end
|
|
22
|
+
exploitability = calc_exploitability
|
|
23
|
+
impact_sub_score = calc_impact
|
|
34
24
|
|
|
35
25
|
return 0 if impact_sub_score <= 0
|
|
36
26
|
|
|
@@ -41,6 +31,14 @@ module CvssSuite
|
|
|
41
31
|
end
|
|
42
32
|
end
|
|
43
33
|
|
|
34
|
+
def impact_subscore
|
|
35
|
+
calc_impact.round(1)
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def exploitability_subscore
|
|
39
|
+
calc_exploitability.round(1)
|
|
40
|
+
end
|
|
41
|
+
|
|
44
42
|
private
|
|
45
43
|
|
|
46
44
|
def init_properties
|
|
@@ -83,5 +81,22 @@ module CvssSuite
|
|
|
83
81
|
{ name: 'Low', abbreviation: 'L', weight: 0.22 },
|
|
84
82
|
{ name: 'High', abbreviation: 'H', weight: 0.56 }]))
|
|
85
83
|
end
|
|
84
|
+
|
|
85
|
+
def calc_exploitability
|
|
86
|
+
privilege_score = Cvss3Helper.privileges_required_score @privileges_required, @scope
|
|
87
|
+
|
|
88
|
+
8.22 * @attack_vector.score * @attack_complexity.score *
|
|
89
|
+
privilege_score * @user_interaction.score
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
def calc_impact
|
|
93
|
+
isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
|
|
94
|
+
|
|
95
|
+
if @scope.selected_value[:name] == 'Changed'
|
|
96
|
+
7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
|
|
97
|
+
else
|
|
98
|
+
6.42 * isc_base
|
|
99
|
+
end
|
|
100
|
+
end
|
|
86
101
|
end
|
|
87
102
|
end
|
|
@@ -20,18 +20,8 @@ module CvssSuite
|
|
|
20
20
|
##
|
|
21
21
|
# Returns score of this metric
|
|
22
22
|
def score
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
exploitability = 8.22 * @attack_vector.score * @attack_complexity.score *
|
|
26
|
-
privilege_score * @user_interaction.score
|
|
27
|
-
|
|
28
|
-
isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
|
|
29
|
-
|
|
30
|
-
impact_sub_score = if @scope.selected_value[:name] == 'Changed'
|
|
31
|
-
7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
|
|
32
|
-
else
|
|
33
|
-
6.42 * isc_base
|
|
34
|
-
end
|
|
23
|
+
exploitability = calc_exploitability
|
|
24
|
+
impact_sub_score = calc_impact
|
|
35
25
|
|
|
36
26
|
return 0 if impact_sub_score <= 0
|
|
37
27
|
|
|
@@ -42,6 +32,14 @@ module CvssSuite
|
|
|
42
32
|
end
|
|
43
33
|
end
|
|
44
34
|
|
|
35
|
+
def impact_subscore
|
|
36
|
+
calc_impact.round(1)
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
def exploitability_subscore
|
|
40
|
+
calc_exploitability.round(1)
|
|
41
|
+
end
|
|
42
|
+
|
|
45
43
|
private
|
|
46
44
|
|
|
47
45
|
def init_properties
|
|
@@ -84,5 +82,22 @@ module CvssSuite
|
|
|
84
82
|
{ name: 'Low', abbreviation: 'L', weight: 0.22 },
|
|
85
83
|
{ name: 'High', abbreviation: 'H', weight: 0.56 }]))
|
|
86
84
|
end
|
|
85
|
+
|
|
86
|
+
def calc_exploitability
|
|
87
|
+
privilege_score = Cvss3Helper.privileges_required_score(@privileges_required, @scope)
|
|
88
|
+
|
|
89
|
+
8.22 * @attack_vector.score * @attack_complexity.score *
|
|
90
|
+
privilege_score * @user_interaction.score
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
def calc_impact
|
|
94
|
+
isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
|
|
95
|
+
|
|
96
|
+
if @scope.selected_value[:name] == 'Changed'
|
|
97
|
+
7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
|
|
98
|
+
else
|
|
99
|
+
6.42 * isc_base
|
|
100
|
+
end
|
|
101
|
+
end
|
|
87
102
|
end
|
|
88
103
|
end
|
|
@@ -10,7 +10,7 @@ require_relative 'cvss40_threat'
|
|
|
10
10
|
|
|
11
11
|
module CvssSuite
|
|
12
12
|
##
|
|
13
|
-
# This class represents
|
|
13
|
+
# This class represents all CVSS metrics combined in version 4.0.
|
|
14
14
|
class Cvss40AllUp < CvssMetric
|
|
15
15
|
##
|
|
16
16
|
# Returns score of this metric
|
|
@@ -18,12 +18,6 @@ module CvssSuite
|
|
|
18
18
|
:vulnerable_system_confidentiality, :vulnerable_system_integrity, :vulnerable_system_availability,
|
|
19
19
|
:subsequent_system_confidentiality, :subsequent_system_integrity, :subsequent_system_availability
|
|
20
20
|
|
|
21
|
-
##
|
|
22
|
-
# Returns score of this metric
|
|
23
|
-
def score
|
|
24
|
-
Cvss40CalcHelper.new(@properties.map { |p| [p.abbreviation, p.selected_value[:abbreviation]] }.to_h).score
|
|
25
|
-
end
|
|
26
|
-
|
|
27
21
|
private
|
|
28
22
|
|
|
29
23
|
def init_properties
|
|
@@ -18,12 +18,6 @@ module CvssSuite
|
|
|
18
18
|
:modified_subsequent_system_confidentiality, :modified_subsequent_system_integrity,
|
|
19
19
|
:modified_subsequent_system_availability
|
|
20
20
|
|
|
21
|
-
##
|
|
22
|
-
# Returns score of this metric
|
|
23
|
-
def score
|
|
24
|
-
Cvss40CalcHelper.new(@properties.map { |p| [p.abbreviation, p.selected_value[:abbreviation]] }.to_h).score
|
|
25
|
-
end
|
|
26
|
-
|
|
27
21
|
private
|
|
28
22
|
|
|
29
23
|
def init_properties
|
|
@@ -14,12 +14,6 @@ module CvssSuite
|
|
|
14
14
|
# Property of this metric
|
|
15
15
|
attr_reader :confidentiality_requirements, :integrity_requirements, :availability_requirements
|
|
16
16
|
|
|
17
|
-
##
|
|
18
|
-
# Returns score of this metric
|
|
19
|
-
def score
|
|
20
|
-
Cvss40CalcHelper.new(@properties.map { |p| [p.abbreviation, p.selected_value[:abbreviation]] }.to_h).score
|
|
21
|
-
end
|
|
22
|
-
|
|
23
17
|
private
|
|
24
18
|
|
|
25
19
|
def init_properties
|
|
@@ -15,14 +15,6 @@ module CvssSuite
|
|
|
15
15
|
attr_reader :safety, :automatable, :recovery, :value_density,
|
|
16
16
|
:vulnerability_response_effort, :provider_urgency
|
|
17
17
|
|
|
18
|
-
##
|
|
19
|
-
# Returns score of this metric
|
|
20
|
-
def score
|
|
21
|
-
return 1.0 unless valid?
|
|
22
|
-
|
|
23
|
-
@exploit_code_maturity.score * @remediation_level.score * @report_confidence.score
|
|
24
|
-
end
|
|
25
|
-
|
|
26
18
|
private
|
|
27
19
|
|
|
28
20
|
def init_properties
|
|
@@ -14,12 +14,6 @@ module CvssSuite
|
|
|
14
14
|
# Property of this metric
|
|
15
15
|
attr_reader :exploit_maturity
|
|
16
16
|
|
|
17
|
-
##
|
|
18
|
-
# Returns score of this metric
|
|
19
|
-
def score
|
|
20
|
-
Cvss40CalcHelper.new(@properties.map { |p| [p.abbreviation, p.selected_value[:abbreviation]] }.to_h).score
|
|
21
|
-
end
|
|
22
|
-
|
|
23
17
|
private
|
|
24
18
|
|
|
25
19
|
def init_properties
|
|
@@ -10,8 +10,8 @@ module CvssSuite
|
|
|
10
10
|
# This class represents any CVSS vector. Do not instantiate this class!
|
|
11
11
|
class Cvss40AndLater < Cvss
|
|
12
12
|
##
|
|
13
|
-
# Metric of a CVSS vector for CVSS
|
|
14
|
-
attr_reader :
|
|
13
|
+
# Metric of a CVSS vector for CVSS 4.0.
|
|
14
|
+
attr_reader :supplemental, :environmental, :environmental_security, :threat
|
|
15
15
|
|
|
16
16
|
##
|
|
17
17
|
# Creates a new CVSS vector by a +vector+, for all CVSS versions from 4.0.
|
data/lib/cvss_suite/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cvss-suite
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 4.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- 0llirocks
|
|
8
|
-
autorequire:
|
|
9
8
|
bindir: exe
|
|
10
9
|
cert_chain: []
|
|
11
|
-
date:
|
|
10
|
+
date: 2025-04-27 00:00:00.000000000 Z
|
|
12
11
|
dependencies:
|
|
13
12
|
- !ruby/object:Gem::Dependency
|
|
14
13
|
name: bundler
|
|
@@ -84,7 +83,6 @@ description: |-
|
|
|
84
83
|
This Ruby gem calculates the score based on the vector of the
|
|
85
84
|
Common Vulnerability Scoring System (https://www.first.org/cvss/specification-document)
|
|
86
85
|
in version 4.0, 3.1, 3.0 and 2.
|
|
87
|
-
email:
|
|
88
86
|
executables: []
|
|
89
87
|
extensions: []
|
|
90
88
|
extra_rdoc_files: []
|
|
@@ -150,10 +148,9 @@ licenses:
|
|
|
150
148
|
metadata:
|
|
151
149
|
bug_tracker_uri: https://github.com/0llirocks/cvss-suite/issues
|
|
152
150
|
changelog_uri: https://github.com/0llirocks/cvss-suite/blob/master/CHANGES.md
|
|
153
|
-
documentation_uri: https://www.rubydoc.info/gems/cvss-suite/
|
|
151
|
+
documentation_uri: https://www.rubydoc.info/gems/cvss-suite/4.1.0
|
|
154
152
|
homepage_uri: https://cvss-suite.0lli.rocks
|
|
155
153
|
source_code_uri: https://github.com/0llirocks/cvss-suite
|
|
156
|
-
post_install_message:
|
|
157
154
|
rdoc_options: []
|
|
158
155
|
require_paths:
|
|
159
156
|
- lib
|
|
@@ -168,8 +165,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
168
165
|
- !ruby/object:Gem::Version
|
|
169
166
|
version: '0'
|
|
170
167
|
requirements: []
|
|
171
|
-
rubygems_version: 3.0.
|
|
172
|
-
signing_key:
|
|
168
|
+
rubygems_version: 3.6.0.dev
|
|
173
169
|
specification_version: 4
|
|
174
170
|
summary: Ruby gem for processing cvss vectors.
|
|
175
171
|
test_files: []
|