cvss-suite 4.0.0 → 4.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/rspec.yml +1 -1
- data/.gitignore +1 -0
- data/CHANGES.md +11 -0
- data/LICENSE.md +1 -0
- data/README.md +7 -0
- data/cvss_suite.gemspec +3 -0
- data/lib/cvss_suite/cvss2/cvss2.rb +5 -3
- data/lib/cvss_suite/cvss2/cvss2_base.rb +13 -2
- data/lib/cvss_suite/cvss2/cvss2_environmental.rb +3 -1
- data/lib/cvss_suite/cvss3/cvss3_base.rb +27 -12
- data/lib/cvss_suite/cvss31/cvss31_base.rb +27 -12
- data/lib/cvss_suite/cvss40/cvss40_calc_helper.rb +5 -3
- data/lib/cvss_suite/version.rb +1 -1
- metadata +31 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d8cf95b45495f191e7155aad10bebc43b092f5173fb65adcf4d7434b01bb9cd5
|
|
4
|
+
data.tar.gz: 7f3ffe1d5fc752d5f1da0b71bdb4211a0c538b8ce9f199328e93e83d640be594
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6d8a171815a4b9037dcd791b557f4d225a93a7a82dd8d497d461ef74883e4d4c68243b746fac5da8a3db8aa7dafb92d821c34ccdba6d9b16386fe87f0e9c3d33
|
|
7
|
+
data.tar.gz: bc43b1151b310bbe245c09112e2911c344bffc8b62e3641be955139dcf4fb3021eb1093b008efad0f00b853959e521bd1c139c3ccd30947fe60899838386c7dd
|
data/.github/workflows/rspec.yml
CHANGED
data/.gitignore
CHANGED
data/CHANGES.md
CHANGED
|
@@ -2,6 +2,17 @@
|
|
|
2
2
|
All notable changes to this project will be documented in this file.
|
|
3
3
|
This project adheres to [Semantic Versioning](http://semver.org/).
|
|
4
4
|
|
|
5
|
+
## [4.1.1] - 2025-05-11
|
|
6
|
+
|
|
7
|
+
### Fixes
|
|
8
|
+
|
|
9
|
+
See [v4.1.1](https://github.com/0llirocks/cvss-suite/releases/tag/v4.1.1). (@jgarber-cisco)
|
|
10
|
+
|
|
11
|
+
## [4.1.0] - 2025-04-27
|
|
12
|
+
|
|
13
|
+
### Improvements
|
|
14
|
+
* Expose impact and exploitability sub-scores for CVSS 2 and CVSS 3.x. (@jgarber-cisco)
|
|
15
|
+
|
|
5
16
|
## [4.0.0] - 2024-08-31
|
|
6
17
|
|
|
7
18
|
### Breaking Changes
|
data/LICENSE.md
CHANGED
|
@@ -13,6 +13,7 @@ Contributors:
|
|
|
13
13
|
- Brandyn Phelps <https://github.com/brphelps>
|
|
14
14
|
- Karim ElGhandour <https://github.com/kghandour>
|
|
15
15
|
- Adam Hess <https://github.com/HParker>
|
|
16
|
+
- Jason Garber <https://github.com/jgarber>
|
|
16
17
|
|
|
17
18
|
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
|
18
19
|
this software and associated documentation files (the "Software"), to deal in
|
data/README.md
CHANGED
|
@@ -11,6 +11,9 @@
|
|
|
11
11
|
This Ruby gem helps you to process the vector of the [**Common Vulnerability Scoring System**](https://www.first.org/cvss/specification-document).
|
|
12
12
|
Besides calculating the Base, Temporal and Environmental Score, you are able to extract the selected option.
|
|
13
13
|
|
|
14
|
+
> [!IMPORTANT]
|
|
15
|
+
> This project could need some new maintainer(s). I am having less time and motivation to support this gem. Support for v4 was only possible with the help of the community and I am sure I will not implement any v4.x or v5.x support by myself. Since this gem is used in some projects I will not step down without any kind of support. If you are interested in CVSS and ruby, feel free to work on upcoming issues and let me ([@Ollirocks](https://github.com/0llirocks)) know if you are willing to become a maintainer. As of today there are only a very few issues each year but each new version of CVSS results in quite a lot of work. I am fine with staying the owner of this project until someone is willing to take over completely. I will not vanish from GitHub once and or all :smile: The same applies to the ruby gems account, I am willing to push new versions to rubygems.org until someone trustworthy is found to take over.
|
|
16
|
+
|
|
14
17
|
## Installation
|
|
15
18
|
|
|
16
19
|
Add this line to your application's Gemfile:
|
|
@@ -33,6 +36,10 @@ Or install it yourself as:
|
|
|
33
36
|
|
|
34
37
|
$ gem install cvss-suite
|
|
35
38
|
|
|
39
|
+
## Version 3.x
|
|
40
|
+
|
|
41
|
+
If you are still using CvssSuite 3.x please refer to the [specific branch](https://github.com/0llirocks/cvss-suite/tree/3.x) for documentation and changelog.
|
|
42
|
+
|
|
36
43
|
## Version 2.x
|
|
37
44
|
|
|
38
45
|
If you are still using CvssSuite 2.x please refer to the [specific branch](https://github.com/0llirocks/cvss-suite/tree/2.x) for documentation and changelog.
|
data/cvss_suite.gemspec
CHANGED
|
@@ -37,7 +37,10 @@ in version 4.0, 3.1, 3.0 and 2.'
|
|
|
37
37
|
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
|
|
38
38
|
spec.require_paths = ['lib']
|
|
39
39
|
|
|
40
|
+
spec.add_dependency 'bigdecimal', '~> 3.1.8'
|
|
41
|
+
|
|
40
42
|
spec.add_development_dependency 'bundler', '2.4.22'
|
|
43
|
+
spec.add_development_dependency 'csv', '~> 3.3'
|
|
41
44
|
spec.add_development_dependency 'rspec', '~> 3.4'
|
|
42
45
|
spec.add_development_dependency 'rspec-its', '~> 1.2'
|
|
43
46
|
spec.add_development_dependency 'rubocop', '1.50.2'
|
|
@@ -3,6 +3,8 @@
|
|
|
3
3
|
# This work is licensed under the terms of the MIT license.
|
|
4
4
|
# See the LICENSE.md file in the top-level directory.
|
|
5
5
|
|
|
6
|
+
require 'bigdecimal/util'
|
|
7
|
+
|
|
6
8
|
require_relative '../cvss_31_and_before'
|
|
7
9
|
require_relative 'cvss2_base'
|
|
8
10
|
require_relative 'cvss2_temporal'
|
|
@@ -18,12 +20,12 @@ module CvssSuite
|
|
|
18
20
|
2
|
|
19
21
|
end
|
|
20
22
|
|
|
21
|
-
# Returns the severity of the CVSSv2
|
|
23
|
+
# Returns the severity of the CVSSv2 base score.
|
|
22
24
|
# https://nvd.nist.gov/vuln-metrics/cvss
|
|
23
25
|
def severity
|
|
24
26
|
check_validity
|
|
25
27
|
|
|
26
|
-
score =
|
|
28
|
+
score = base_score
|
|
27
29
|
|
|
28
30
|
case score
|
|
29
31
|
when 0.0..3.9
|
|
@@ -47,7 +49,7 @@ module CvssSuite
|
|
|
47
49
|
##
|
|
48
50
|
# Returns the Temporal Score of the CVSS vector.
|
|
49
51
|
def temporal_score
|
|
50
|
-
(base_score * @temporal.score).round(1)
|
|
52
|
+
(base_score * @temporal.score.to_d).round(1).to_f
|
|
51
53
|
end
|
|
52
54
|
|
|
53
55
|
##
|
|
@@ -30,6 +30,14 @@ module CvssSuite
|
|
|
30
30
|
((0.6 * impact) + (0.4 * exploitability) - 1.5) * additional_impact
|
|
31
31
|
end
|
|
32
32
|
|
|
33
|
+
def impact_subscore
|
|
34
|
+
calc_impact
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
def exploitability_subscore
|
|
38
|
+
calc_exploitability
|
|
39
|
+
end
|
|
40
|
+
|
|
33
41
|
private
|
|
34
42
|
|
|
35
43
|
def init_properties
|
|
@@ -65,12 +73,15 @@ module CvssSuite
|
|
|
65
73
|
{ name: 'Complete', abbreviation: 'C', weight: 0.66 }]))
|
|
66
74
|
end
|
|
67
75
|
|
|
68
|
-
def calc_impact(sr_cr_score, sr_ir_score, sr_ar_score)
|
|
76
|
+
def calc_impact(sr_cr_score = 1, sr_ir_score = 1, sr_ar_score = 1)
|
|
69
77
|
confidentiality_score = 1 - @confidentiality_impact.score * sr_cr_score
|
|
70
78
|
integrity_score = 1 - @integrity_impact.score * sr_ir_score
|
|
71
79
|
availability_score = 1 - @availability_impact.score * sr_ar_score
|
|
72
80
|
|
|
73
|
-
|
|
81
|
+
impact = 10.41 * (1 - confidentiality_score * integrity_score * availability_score)
|
|
82
|
+
return impact if sr_cr_score == 1 && sr_ir_score == 1 && sr_ar_score == 1
|
|
83
|
+
|
|
84
|
+
[10, impact].min
|
|
74
85
|
end
|
|
75
86
|
|
|
76
87
|
def calc_exploitability
|
|
@@ -3,6 +3,8 @@
|
|
|
3
3
|
# This work is licensed under the terms of the MIT license.
|
|
4
4
|
# See the LICENSE.md file in the top-level directory.
|
|
5
5
|
|
|
6
|
+
require 'bigdecimal/util'
|
|
7
|
+
|
|
6
8
|
require_relative '../cvss_property'
|
|
7
9
|
require_relative '../cvss_metric'
|
|
8
10
|
|
|
@@ -22,7 +24,7 @@ module CvssSuite
|
|
|
22
24
|
@security_requirements_ir.score,
|
|
23
25
|
@security_requirements_ar.score).round(1)
|
|
24
26
|
|
|
25
|
-
adjusted_temporal = (base_score * temporal_score).round(1)
|
|
27
|
+
adjusted_temporal = (base_score * temporal_score.to_d).round(1).to_f
|
|
26
28
|
(adjusted_temporal + (10 - adjusted_temporal) * @collateral_damage_potential.score) * @target_distribution.score
|
|
27
29
|
end
|
|
28
30
|
|
|
@@ -19,18 +19,8 @@ module CvssSuite
|
|
|
19
19
|
##
|
|
20
20
|
# Returns score of this metric
|
|
21
21
|
def score
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
exploitability = 8.22 * @attack_vector.score * @attack_complexity.score *
|
|
25
|
-
privilege_score * @user_interaction.score
|
|
26
|
-
|
|
27
|
-
isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
|
|
28
|
-
|
|
29
|
-
impact_sub_score = if @scope.selected_value[:name] == 'Changed'
|
|
30
|
-
7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
|
|
31
|
-
else
|
|
32
|
-
6.42 * isc_base
|
|
33
|
-
end
|
|
22
|
+
exploitability = calc_exploitability
|
|
23
|
+
impact_sub_score = calc_impact
|
|
34
24
|
|
|
35
25
|
return 0 if impact_sub_score <= 0
|
|
36
26
|
|
|
@@ -41,6 +31,14 @@ module CvssSuite
|
|
|
41
31
|
end
|
|
42
32
|
end
|
|
43
33
|
|
|
34
|
+
def impact_subscore
|
|
35
|
+
calc_impact
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def exploitability_subscore
|
|
39
|
+
calc_exploitability
|
|
40
|
+
end
|
|
41
|
+
|
|
44
42
|
private
|
|
45
43
|
|
|
46
44
|
def init_properties
|
|
@@ -83,5 +81,22 @@ module CvssSuite
|
|
|
83
81
|
{ name: 'Low', abbreviation: 'L', weight: 0.22 },
|
|
84
82
|
{ name: 'High', abbreviation: 'H', weight: 0.56 }]))
|
|
85
83
|
end
|
|
84
|
+
|
|
85
|
+
def calc_exploitability
|
|
86
|
+
privilege_score = Cvss3Helper.privileges_required_score @privileges_required, @scope
|
|
87
|
+
|
|
88
|
+
8.22 * @attack_vector.score * @attack_complexity.score *
|
|
89
|
+
privilege_score * @user_interaction.score
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
def calc_impact
|
|
93
|
+
isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
|
|
94
|
+
|
|
95
|
+
if @scope.selected_value[:name] == 'Changed'
|
|
96
|
+
7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
|
|
97
|
+
else
|
|
98
|
+
6.42 * isc_base
|
|
99
|
+
end
|
|
100
|
+
end
|
|
86
101
|
end
|
|
87
102
|
end
|
|
@@ -20,18 +20,8 @@ module CvssSuite
|
|
|
20
20
|
##
|
|
21
21
|
# Returns score of this metric
|
|
22
22
|
def score
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
exploitability = 8.22 * @attack_vector.score * @attack_complexity.score *
|
|
26
|
-
privilege_score * @user_interaction.score
|
|
27
|
-
|
|
28
|
-
isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
|
|
29
|
-
|
|
30
|
-
impact_sub_score = if @scope.selected_value[:name] == 'Changed'
|
|
31
|
-
7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
|
|
32
|
-
else
|
|
33
|
-
6.42 * isc_base
|
|
34
|
-
end
|
|
23
|
+
exploitability = calc_exploitability
|
|
24
|
+
impact_sub_score = calc_impact
|
|
35
25
|
|
|
36
26
|
return 0 if impact_sub_score <= 0
|
|
37
27
|
|
|
@@ -42,6 +32,14 @@ module CvssSuite
|
|
|
42
32
|
end
|
|
43
33
|
end
|
|
44
34
|
|
|
35
|
+
def impact_subscore
|
|
36
|
+
calc_impact
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
def exploitability_subscore
|
|
40
|
+
calc_exploitability
|
|
41
|
+
end
|
|
42
|
+
|
|
45
43
|
private
|
|
46
44
|
|
|
47
45
|
def init_properties
|
|
@@ -84,5 +82,22 @@ module CvssSuite
|
|
|
84
82
|
{ name: 'Low', abbreviation: 'L', weight: 0.22 },
|
|
85
83
|
{ name: 'High', abbreviation: 'H', weight: 0.56 }]))
|
|
86
84
|
end
|
|
85
|
+
|
|
86
|
+
def calc_exploitability
|
|
87
|
+
privilege_score = Cvss3Helper.privileges_required_score(@privileges_required, @scope)
|
|
88
|
+
|
|
89
|
+
8.22 * @attack_vector.score * @attack_complexity.score *
|
|
90
|
+
privilege_score * @user_interaction.score
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
def calc_impact
|
|
94
|
+
isc_base = 1 - ((1 - @confidentiality.score) * (1 - @integrity.score) * (1 - @availability.score))
|
|
95
|
+
|
|
96
|
+
if @scope.selected_value[:name] == 'Changed'
|
|
97
|
+
7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02)**15
|
|
98
|
+
else
|
|
99
|
+
6.42 * isc_base
|
|
100
|
+
end
|
|
101
|
+
end
|
|
87
102
|
end
|
|
88
103
|
end
|
|
@@ -3,6 +3,8 @@ require_relative 'cvss40_constants_max_composed'
|
|
|
3
3
|
require_relative 'cvss40_constants_max_severity'
|
|
4
4
|
require_relative 'cvss40_constants_levels'
|
|
5
5
|
|
|
6
|
+
require 'bigdecimal/util'
|
|
7
|
+
|
|
6
8
|
module CvssSuite
|
|
7
9
|
# This class performs much of the score calculation logic for CVSS 4.0.
|
|
8
10
|
# It is heavily ported from the m and scoring methods in https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/ac71416d935ad2ac87cd107ff87024561ea954a7/app.js#L121
|
|
@@ -132,7 +134,7 @@ module CvssSuite
|
|
|
132
134
|
# Exception for no impact on system (shortcut)
|
|
133
135
|
return 0.0 if %w[VC VI VA SC SI SA].all? { |metric| m(metric) == 'N' }
|
|
134
136
|
|
|
135
|
-
value = LOOKUP[macro_vector]
|
|
137
|
+
value = LOOKUP[macro_vector].to_d
|
|
136
138
|
|
|
137
139
|
# 1. For each of the EQs:
|
|
138
140
|
# a. The maximal scoring difference is determined as the difference
|
|
@@ -257,7 +259,7 @@ module CvssSuite
|
|
|
257
259
|
break
|
|
258
260
|
end
|
|
259
261
|
|
|
260
|
-
current_severity_distance_eq1 = severity_distance_av + severity_distance_pr + severity_distance_ui
|
|
262
|
+
current_severity_distance_eq1 = (severity_distance_av.to_d + severity_distance_pr + severity_distance_ui).to_f
|
|
261
263
|
current_severity_distance_eq2 = severity_distance_ac + severity_distance_at
|
|
262
264
|
current_severity_distance_eq3eq6 = sum_or_nil([severity_distance_vc, severity_distance_vi, severity_distance_va,
|
|
263
265
|
severity_distance_cr, severity_distance_ir, severity_distance_ar])
|
|
@@ -339,7 +341,7 @@ module CvssSuite
|
|
|
339
341
|
value -= mean_distance
|
|
340
342
|
value = 0.0 if value.negative?
|
|
341
343
|
value = 10.0 if value > 10
|
|
342
|
-
value.round(1)
|
|
344
|
+
value.round(1).to_f
|
|
343
345
|
end
|
|
344
346
|
|
|
345
347
|
def get_eq_maxes(lookup, eq_value)
|
data/lib/cvss_suite/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,28 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cvss-suite
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.
|
|
4
|
+
version: 4.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- 0llirocks
|
|
8
8
|
bindir: exe
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date:
|
|
10
|
+
date: 2025-05-11 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
|
+
- !ruby/object:Gem::Dependency
|
|
13
|
+
name: bigdecimal
|
|
14
|
+
requirement: !ruby/object:Gem::Requirement
|
|
15
|
+
requirements:
|
|
16
|
+
- - "~>"
|
|
17
|
+
- !ruby/object:Gem::Version
|
|
18
|
+
version: 3.1.8
|
|
19
|
+
type: :runtime
|
|
20
|
+
prerelease: false
|
|
21
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
22
|
+
requirements:
|
|
23
|
+
- - "~>"
|
|
24
|
+
- !ruby/object:Gem::Version
|
|
25
|
+
version: 3.1.8
|
|
12
26
|
- !ruby/object:Gem::Dependency
|
|
13
27
|
name: bundler
|
|
14
28
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -23,6 +37,20 @@ dependencies:
|
|
|
23
37
|
- - '='
|
|
24
38
|
- !ruby/object:Gem::Version
|
|
25
39
|
version: 2.4.22
|
|
40
|
+
- !ruby/object:Gem::Dependency
|
|
41
|
+
name: csv
|
|
42
|
+
requirement: !ruby/object:Gem::Requirement
|
|
43
|
+
requirements:
|
|
44
|
+
- - "~>"
|
|
45
|
+
- !ruby/object:Gem::Version
|
|
46
|
+
version: '3.3'
|
|
47
|
+
type: :development
|
|
48
|
+
prerelease: false
|
|
49
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
50
|
+
requirements:
|
|
51
|
+
- - "~>"
|
|
52
|
+
- !ruby/object:Gem::Version
|
|
53
|
+
version: '3.3'
|
|
26
54
|
- !ruby/object:Gem::Dependency
|
|
27
55
|
name: rspec
|
|
28
56
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -148,7 +176,7 @@ licenses:
|
|
|
148
176
|
metadata:
|
|
149
177
|
bug_tracker_uri: https://github.com/0llirocks/cvss-suite/issues
|
|
150
178
|
changelog_uri: https://github.com/0llirocks/cvss-suite/blob/master/CHANGES.md
|
|
151
|
-
documentation_uri: https://www.rubydoc.info/gems/cvss-suite/4.
|
|
179
|
+
documentation_uri: https://www.rubydoc.info/gems/cvss-suite/4.1.1
|
|
152
180
|
homepage_uri: https://cvss-suite.0lli.rocks
|
|
153
181
|
source_code_uri: https://github.com/0llirocks/cvss-suite
|
|
154
182
|
rdoc_options: []
|