cvss-suite 4.1.0 → 4.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 615e1ce401360d6127ec8a397b0d919b581588cbebe00d48fa1a8354d51397bc
-  data.tar.gz: e8a8615c60983eae67971a2b86d465afc79be4ae5b0c0c099504b676f1a1e74c
+  metadata.gz: d8cf95b45495f191e7155aad10bebc43b092f5173fb65adcf4d7434b01bb9cd5
+  data.tar.gz: 7f3ffe1d5fc752d5f1da0b71bdb4211a0c538b8ce9f199328e93e83d640be594
 SHA512:
-  metadata.gz: f68645079416546c5bb80e0a2ec0688a58e6889f9d334621130d563c882e90b735a9d2cad8bdf00c7e92c79b5d233e4bbca645d81347715dbacb25448addde30
-  data.tar.gz: e4bf4cd7073062cc9a2504d6f4cda6485d7b187c22ec9928740b9af89a2a990baa220f54b3843931cb43d27b5851290ad18c2f4ddbfc350990c425a7b7c0df6a
+  metadata.gz: 6d8a171815a4b9037dcd791b557f4d225a93a7a82dd8d497d461ef74883e4d4c68243b746fac5da8a3db8aa7dafb92d821c34ccdba6d9b16386fe87f0e9c3d33
+  data.tar.gz: bc43b1151b310bbe245c09112e2911c344bffc8b62e3641be955139dcf4fb3021eb1093b008efad0f00b853959e521bd1c139c3ccd30947fe60899838386c7dd

data/.gitignore

@@ -11,3 +11,4 @@
 .idea/
 /*.gem
 .ruby-version
+.rspec_status

data/CHANGES.md

@@ -2,10 +2,16 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [4.1.1] - 2025-05-11
+
+### Fixes
+
+See [v4.1.1](https://github.com/0llirocks/cvss-suite/releases/tag/v4.1.1). (@jgarber-cisco)
+
 ## [4.1.0] - 2025-04-27
 
 ### Improvements
-* Expose impact and exploitability sub-scores. (@jgarber-cisco)
+* Expose impact and exploitability sub-scores for CVSS 2 and CVSS 3.x. (@jgarber-cisco)
 
 ## [4.0.0] - 2024-08-31
 

data/README.md

@@ -11,6 +11,9 @@
 This Ruby gem helps you to process the vector of the [**Common Vulnerability Scoring System**](https://www.first.org/cvss/specification-document).
 Besides calculating the Base, Temporal and Environmental Score, you are able to extract the selected option.
 
+> [!IMPORTANT]
+> This project could need some new maintainer(s). I am having less time and motivation to support this gem. Support for v4 was only possible with the help of the community and I am sure I will not implement any v4.x or v5.x support by myself. Since this gem is used in some projects I will not step down without any kind of support. If you are interested in CVSS and ruby, feel free to work on upcoming issues and let me ([@Ollirocks](https://github.com/0llirocks)) know if you are willing to become a maintainer. As of today there are only a very few issues each year but each new version of CVSS results in quite a lot of work. I am fine with staying the owner of this project until someone is willing to take over completely. I will not vanish from GitHub once and or all :smile: The same applies to the ruby gems account, I am willing to push new versions to rubygems.org until someone trustworthy is found to take over.
+
 ## Installation
 
 Add this line to your application's Gemfile:

data/cvss_suite.gemspec

@@ -37,7 +37,10 @@ in version 4.0, 3.1, 3.0 and 2.'
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
+  spec.add_dependency 'bigdecimal', '~> 3.1.8'
+
   spec.add_development_dependency 'bundler', '2.4.22'
+  spec.add_development_dependency 'csv', '~> 3.3'
   spec.add_development_dependency 'rspec', '~> 3.4'
   spec.add_development_dependency 'rspec-its', '~> 1.2'
   spec.add_development_dependency 'rubocop', '1.50.2'

data/lib/cvss_suite/cvss2/cvss2.rb

@@ -3,6 +3,8 @@
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.
 
+require 'bigdecimal/util'
+
 require_relative '../cvss_31_and_before'
 require_relative 'cvss2_base'
 require_relative 'cvss2_temporal'
@@ -18,12 +20,12 @@ module CvssSuite
       2
     end
 
-    # Returns the severity of the CVSSv2 vector.
+    # Returns the severity of the CVSSv2 base score.
     # https://nvd.nist.gov/vuln-metrics/cvss
     def severity
       check_validity
 
-      score = overall_score
+      score = base_score
 
       case score
       when 0.0..3.9
@@ -47,7 +49,7 @@ module CvssSuite
     ##
     # Returns the Temporal Score of the CVSS vector.
     def temporal_score
-      (base_score * @temporal.score).round(1)
+      (base_score * @temporal.score.to_d).round(1).to_f
     end
 
     ##

data/lib/cvss_suite/cvss2/cvss2_base.rb

@@ -31,11 +31,11 @@ module CvssSuite
     end
 
     def impact_subscore
-      calc_impact.round(1)
+      calc_impact
     end
 
     def exploitability_subscore
-      calc_exploitability.round(1)
+      calc_exploitability
     end
 
     private
@@ -78,7 +78,10 @@ module CvssSuite
       integrity_score = 1 - @integrity_impact.score * sr_ir_score
       availability_score = 1 - @availability_impact.score * sr_ar_score
 
-      [10, 10.41 * (1 - confidentiality_score * integrity_score * availability_score)].min
+      impact = 10.41 * (1 - confidentiality_score * integrity_score * availability_score)
+      return impact if sr_cr_score == 1 && sr_ir_score == 1 && sr_ar_score == 1
+
+      [10, impact].min
     end
 
     def calc_exploitability

data/lib/cvss_suite/cvss2/cvss2_environmental.rb

@@ -3,6 +3,8 @@
 # This work is licensed under the terms of the MIT license.
 # See the LICENSE.md file in the top-level directory.
 
+require 'bigdecimal/util'
+
 require_relative '../cvss_property'
 require_relative '../cvss_metric'
 
@@ -22,7 +24,7 @@ module CvssSuite
                               @security_requirements_ir.score,
                               @security_requirements_ar.score).round(1)
 
-      adjusted_temporal = (base_score * temporal_score).round(1)
+      adjusted_temporal = (base_score * temporal_score.to_d).round(1).to_f
       (adjusted_temporal + (10 - adjusted_temporal) * @collateral_damage_potential.score) * @target_distribution.score
     end
 

data/lib/cvss_suite/cvss3/cvss3_base.rb

@@ -32,11 +32,11 @@ module CvssSuite
     end
 
     def impact_subscore
-      calc_impact.round(1)
+      calc_impact
     end
 
     def exploitability_subscore
-      calc_exploitability.round(1)
+      calc_exploitability
     end
 
     private

data/lib/cvss_suite/cvss31/cvss31_base.rb

@@ -33,11 +33,11 @@ module CvssSuite
     end
 
     def impact_subscore
-      calc_impact.round(1)
+      calc_impact
     end
 
     def exploitability_subscore
-      calc_exploitability.round(1)
+      calc_exploitability
     end
 
     private

data/lib/cvss_suite/cvss40/cvss40_calc_helper.rb

@@ -3,6 +3,8 @@ require_relative 'cvss40_constants_max_composed'
 require_relative 'cvss40_constants_max_severity'
 require_relative 'cvss40_constants_levels'
 
+require 'bigdecimal/util'
+
 module CvssSuite
   # This class performs much of the score calculation logic for CVSS 4.0.
   # It is heavily ported from the m and scoring methods in https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/ac71416d935ad2ac87cd107ff87024561ea954a7/app.js#L121
@@ -132,7 +134,7 @@ module CvssSuite
       # Exception for no impact on system (shortcut)
       return 0.0 if %w[VC VI VA SC SI SA].all? { |metric| m(metric) == 'N' }
 
-      value = LOOKUP[macro_vector]
+      value = LOOKUP[macro_vector].to_d
 
       # 1. For each of the EQs:
       #   a. The maximal scoring difference is determined as the difference
@@ -257,7 +259,7 @@ module CvssSuite
         break
       end
 
-      current_severity_distance_eq1 = severity_distance_av + severity_distance_pr + severity_distance_ui
+      current_severity_distance_eq1 = (severity_distance_av.to_d + severity_distance_pr + severity_distance_ui).to_f
       current_severity_distance_eq2 = severity_distance_ac + severity_distance_at
       current_severity_distance_eq3eq6 = sum_or_nil([severity_distance_vc, severity_distance_vi, severity_distance_va,
                                                      severity_distance_cr, severity_distance_ir, severity_distance_ar])
@@ -339,7 +341,7 @@ module CvssSuite
       value -= mean_distance
       value = 0.0 if value.negative?
       value = 10.0 if value > 10
-      value.round(1)
+      value.round(1).to_f
     end
 
     def get_eq_maxes(lookup, eq_value)

data/lib/cvss_suite/version.rb

@@ -4,5 +4,5 @@
 # See the LICENSE.md file in the top-level directory.
 
 module CvssSuite
-  VERSION = '4.1.0'.freeze
+  VERSION = '4.1.1'.freeze
 end

metadata

@@ -1,14 +1,28 @@
 --- !ruby/object:Gem::Specification
 name: cvss-suite
 version: !ruby/object:Gem::Version
-  version: 4.1.0
+  version: 4.1.1
 platform: ruby
 authors:
 - 0llirocks
 bindir: exe
 cert_chain: []
-date: 2025-04-27 00:00:00.000000000 Z
+date: 2025-05-11 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: bigdecimal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.1.8
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.1.8
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -23,6 +37,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 2.4.22
+- !ruby/object:Gem::Dependency
+  name: csv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -148,7 +176,7 @@ licenses:
 metadata:
   bug_tracker_uri: https://github.com/0llirocks/cvss-suite/issues
   changelog_uri: https://github.com/0llirocks/cvss-suite/blob/master/CHANGES.md
-  documentation_uri: https://www.rubydoc.info/gems/cvss-suite/4.1.0
+  documentation_uri: https://www.rubydoc.info/gems/cvss-suite/4.1.1
   homepage_uri: https://cvss-suite.0lli.rocks
   source_code_uri: https://github.com/0llirocks/cvss-suite
 rdoc_options: []