cvss-suite 1.2.1 → 1.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 792fd7bf771ac83da4c5a4ee81cfce2e5ce42edf32d3a8d84ecdccdb8df1f555
-  data.tar.gz: 6bc9148983a577d0e26ed5b19407ba6a366070e46166aae1a0b440c2328a59e4
+  metadata.gz: eba339bafe4db99aa85aadd132b2e10faeddc2cc5abc37b9554e5e14caaf9dd4
+  data.tar.gz: fbe718029edb8a08b0da04944bfac0b29b8e813dbb621b51b914bb3d644d832a
 SHA512:
-  metadata.gz: ce3abc3c7f0c6eeaa02b3739da79e61445936bc8ee2e0c066252c06477022ec1aaf752ca18400727aac8f81f3627f96cb89fd932df261168d156f000da860db6
-  data.tar.gz: c0ef0261fec46ae6340bf52f04e1739ffd92915b76039027fb98cf06db9ecd5e99472d31b54068c49618607ebdef6fd98e1b8a70bd2a7a097799d2321c17fe21
+  metadata.gz: 7576066639774a2e6ab36d716c657ff4e794f93d9eeda6565287772a5c097478877ba56a9fcf891b5c247fb15698bace28e92f4c2ea86e802f5c4a08e1046da2
+  data.tar.gz: 4c6f90f5431563ef303f9804f12375eb64f2b423e1e078dec2b62184b4f609fbcc0140e6bbcd483945014e1d681c820863efcc824f6b56816acc63ba16f32c51

data/.rubocop.yml

@@ -2,6 +2,39 @@ inherit_from: .rubocop_todo.yml
 
 Metrics/LineLength:
   Max: 120
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Metrics/ClassLength:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Metrics/MethodLength:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/cvss3/cvss3_spec.rb'
+    - 'spec/cvss31/cvss31_spec.rb'
+
+Style/IfUnlessModifier:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Style/GuardClause:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
+
+Style/ConditionalAssignment:
+  Exclude:
+    - 'lib/cvss_suite/cvss3/cvss3_environmental.rb'
+    - 'lib/cvss_suite/cvss31/cvss31_environmental.rb'
 
 Style/FrozenStringLiteralComment:
   Enabled: false

data/CHANGES.md

@@ -2,6 +2,11 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.2.2] - 2020-07-19
+
+### Fixes
+Fixed an error that resulted in incorrect environmental score if modified attributes were not defined.
+
 ## [1.2.1] - 2020-05-10
 
 ### Improvements

data/README.md

@@ -100,8 +100,6 @@ Properties (Access Vector, Remediation Level, etc) do have a position attribute,
 
 Currently it is not possible to leave an attribute blank instead of ND/X. If you don't have a value for an attribute, please use ND/X instead.
 
-Because the documentation isn't clear on how to calculate the score if Modified Scope (CVSS 3.0 Environmental) is not defined, Modified Scope has to have a valid value (S/U).
-
 There is a possibility of implementations generating different scores (+/- 0,1) due to small floating-point inaccuracies. This can happen due to differences in floating point arithmetic between different languages and hardware platforms.
 
 ## Changelog

data/lib/cvss_suite/cvss3/cvss3.rb

@@ -46,7 +46,7 @@ module CvssSuite
     def environmental_score
       return temporal_score unless @environmental.valid?
 
-      Cvss3Helper.round_up(@environmental.score(@temporal.score))
+      Cvss3Helper.round_up(@environmental.score(@base, @temporal))
     end
 
     private

data/lib/cvss_suite/cvss3/cvss3_environmental.rb

@@ -28,8 +28,20 @@ module CvssSuite
     ##
     # Returns score of this metric
 
-    def score(temporal_score)
-      privilege_score = Cvss3Helper.privileges_required_score(@modified_privileges_required, @modified_scope)
+    def score(base, temporal)
+      @base = base
+
+      merged_modified_privileges_required = @modified_privileges_required
+      if @modified_privileges_required.selected_choice[:name] == 'Not Defined'
+        merged_modified_privileges_required = @base.privileges_required
+      end
+
+      merged_modified_scope = @modified_scope
+      if @modified_scope.selected_choice[:name] == 'Not Defined'
+        merged_modified_scope = @base.scope
+      end
+
+      privilege_score = Cvss3Helper.privileges_required_score(merged_modified_privileges_required, merged_modified_scope)
 
       modified_exploitability_sub_score = modified_exploitability_sub(privilege_score)
 
@@ -37,7 +49,7 @@ module CvssSuite
 
       return 0 if modified_impact_sub_score <= 0
 
-      calculate_score(modified_impact_sub_score, modified_exploitability_sub_score, temporal_score)
+      calculate_score modified_impact_sub_score, modified_exploitability_sub_score, temporal.score
     end
 
     private
@@ -88,7 +100,8 @@ module CvssSuite
       @properties.push(@modified_scope =
                          CvssProperty.new(name: 'Modified Scope', abbreviation: 'MS', position: [15, 18],
                                           choices: [{ name: 'Changed', abbreviation: 'C' },
-                                                    { name: 'Unchanged', abbreviation: 'U' }]))
+                                                    { name: 'Unchanged', abbreviation: 'U' },
+                                                    { name: 'Not Defined', abbreviation: 'X' }]))
       @properties.push(@modified_confidentiality =
                          CvssProperty.new(name: 'Modified Confidentiality', abbreviation: 'MC', position: [16, 19],
                                           choices: [{ name: 'None', abbreviation: 'N', weight: 0 },
@@ -110,6 +123,14 @@ module CvssSuite
     end
 
     def modified_impact_sub(isc_modified)
+      if @modified_scope.selected_choice[:name] == 'Not Defined'
+        if @base.scope.selected_choice[:name] == 'Changed'
+          return 7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified - 0.02)**15
+        else
+          return 6.42 * isc_modified
+        end
+      end
+
       if @modified_scope.selected_choice[:name] == 'Changed'
         7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified - 0.02)**15
       else
@@ -118,20 +139,54 @@ module CvssSuite
     end
 
     def isc_modified
-      confidentiality_score = 1 - @modified_confidentiality.score * @confidentiality_requirement.score
-      integrity_score = 1 - @modified_integrity.score * @integrity_requirement.score
-      availability_score = 1 - @modified_availability.score * @availability_requirement.score
+      merged_modified_confidentiality = @modified_confidentiality
+      if @modified_confidentiality.selected_choice[:name] == 'Not Defined'
+        merged_modified_confidentiality = @base.confidentiality
+      end
+
+      merged_modified_integrity = @modified_integrity
+      if @modified_integrity.selected_choice[:name] == 'Not Defined'
+        merged_modified_integrity = @base.integrity
+      end
+
+      merged_modified_availability = @modified_availability
+      if @modified_availability.selected_choice[:name] == 'Not Defined'
+        merged_modified_availability = @base.availability
+      end
+
+      confidentiality_score = 1 - merged_modified_confidentiality.score * @confidentiality_requirement.score
+      integrity_score = 1 - merged_modified_integrity.score * @integrity_requirement.score
+      availability_score = 1 - merged_modified_availability.score * @availability_requirement.score
 
       [0.915, (1 - confidentiality_score * integrity_score * availability_score)].min
     end
 
     def modified_exploitability_sub(privilege_score)
-      8.22 * @modified_attack_vector.score * @modified_attack_complexity.score *
-        privilege_score * @modified_user_interaction.score
+      merged_modified_attack_vector = @modified_attack_vector
+      if @modified_attack_vector.selected_choice[:name] == 'Not Defined'
+        merged_modified_attack_vector = @base.attack_vector
+      end
+
+      merged_modified_attack_complexity = @modified_attack_complexity
+      if @modified_attack_complexity.selected_choice[:name] == 'Not Defined'
+        merged_modified_attack_complexity = @base.attack_complexity
+      end
+
+      merged_modified_user_interaction = @modified_user_interaction
+      if @modified_user_interaction.selected_choice[:name] == 'Not Defined'
+        merged_modified_user_interaction = @base.user_interaction
+      end
+
+      8.22 * merged_modified_attack_vector.score * merged_modified_attack_complexity.score *
+        privilege_score * merged_modified_user_interaction.score
     end
 
     def calculate_score(modified_impact_sub_score, modified_exploitability_sub_score, temporal_score)
-      factor = @modified_scope.selected_choice[:name] == 'Changed' ? 1.08 : 1.0
+      if @modified_scope.selected_choice[:name] == 'Not Defined'
+        factor = @base.scope.selected_choice[:name] == 'Changed' ? 1.08 : 1.0
+      else
+        factor = @modified_scope.selected_choice[:name] == 'Changed' ? 1.08 : 1.0
+      end
 
       Cvss3Helper.round_up(
         [factor * (modified_impact_sub_score + modified_exploitability_sub_score), 10].min

data/lib/cvss_suite/cvss31/cvss31.rb

@@ -47,7 +47,7 @@ module CvssSuite
     def environmental_score
       return temporal_score unless @environmental.valid?
 
-      Cvss31Helper.round_up(@environmental.score(@temporal.score))
+      Cvss31Helper.round_up(@environmental.score(@base, @temporal))
     end
 
     private

data/lib/cvss_suite/cvss31/cvss31_environmental.rb

@@ -28,9 +28,20 @@ module CvssSuite
 
     ##
     # Returns score of this metric
+    def score(base, temporal)
+      @base = base
 
-    def score(temporal_score)
-      privilege_score = Cvss3Helper.privileges_required_score(@modified_privileges_required, @modified_scope)
+      merged_modified_privileges_required = @modified_privileges_required
+      if @modified_privileges_required.selected_choice[:name] == 'Not Defined'
+        merged_modified_privileges_required = @base.privileges_required
+      end
+
+      merged_modified_scope = @modified_scope
+      if @modified_scope.selected_choice[:name] == 'Not Defined'
+        merged_modified_scope = @base.scope
+      end
+
+      privilege_score = Cvss3Helper.privileges_required_score(merged_modified_privileges_required, merged_modified_scope)
 
       modified_exploitability_sub_score = modified_exploitability_sub(privilege_score)
 
@@ -38,7 +49,7 @@ module CvssSuite
 
       return 0 if modified_impact_sub_score <= 0
 
-      calculate_score modified_impact_sub_score, modified_exploitability_sub_score, temporal_score
+      calculate_score modified_impact_sub_score, modified_exploitability_sub_score, temporal.score
     end
 
     private
@@ -89,7 +100,8 @@ module CvssSuite
       @properties.push(@modified_scope =
                          CvssProperty.new(name: 'Modified Scope', abbreviation: 'MS', position: [15, 18],
                                           choices: [{ name: 'Changed', abbreviation: 'C' },
-                                                    { name: 'Unchanged', abbreviation: 'U' }]))
+                                                    { name: 'Unchanged', abbreviation: 'U' },
+                                                    { name: 'Not Defined', abbreviation: 'X' }]))
       @properties.push(@modified_confidentiality =
                          CvssProperty.new(name: 'Modified Confidentiality', abbreviation: 'MC', position: [16, 19],
                                           choices: [{ name: 'None', abbreviation: 'N', weight: 0 },
@@ -111,6 +123,14 @@ module CvssSuite
     end
 
     def modified_impact_sub(isc_modified)
+      if @modified_scope.selected_choice[:name] == 'Not Defined'
+        if @base.scope.selected_choice[:name] == 'Changed'
+          return 7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified * 0.9731 - 0.02)**13
+        else
+          return 6.42 * isc_modified
+        end
+      end
+
       if @modified_scope.selected_choice[:name] == 'Changed'
         7.52 * (isc_modified - 0.029) - 3.25 * (isc_modified * 0.9731 - 0.02)**13
       else
@@ -119,20 +139,54 @@ module CvssSuite
     end
 
     def isc_modified
-      confidentiality_score = 1 - @modified_confidentiality.score * @confidentiality_requirement.score
-      integrity_score = 1 - @modified_integrity.score * @integrity_requirement.score
-      availability_score = 1 - @modified_availability.score * @availability_requirement.score
+      merged_modified_confidentiality = @modified_confidentiality
+      if @modified_confidentiality.selected_choice[:name] == 'Not Defined'
+        merged_modified_confidentiality = @base.confidentiality
+      end
+
+      merged_modified_integrity = @modified_integrity
+      if @modified_integrity.selected_choice[:name] == 'Not Defined'
+        merged_modified_integrity = @base.integrity
+      end
+
+      merged_modified_availability = @modified_availability
+      if @modified_availability.selected_choice[:name] == 'Not Defined'
+        merged_modified_availability = @base.availability
+      end
+
+      confidentiality_score = 1 - merged_modified_confidentiality.score * @confidentiality_requirement.score
+      integrity_score = 1 - merged_modified_integrity.score * @integrity_requirement.score
+      availability_score = 1 - merged_modified_availability.score * @availability_requirement.score
 
       [0.915, (1 - confidentiality_score * integrity_score * availability_score)].min
     end
 
     def modified_exploitability_sub(privilege_score)
-      8.22 * @modified_attack_vector.score * @modified_attack_complexity.score *
-        privilege_score * @modified_user_interaction.score
+      merged_modified_attack_vector = @modified_attack_vector
+      if @modified_attack_vector.selected_choice[:name] == 'Not Defined'
+        merged_modified_attack_vector = @base.attack_vector
+      end
+
+      merged_modified_attack_complexity = @modified_attack_complexity
+      if @modified_attack_complexity.selected_choice[:name] == 'Not Defined'
+        merged_modified_attack_complexity = @base.attack_complexity
+      end
+
+      merged_modified_user_interaction = @modified_user_interaction
+      if @modified_user_interaction.selected_choice[:name] == 'Not Defined'
+        merged_modified_user_interaction = @base.user_interaction
+      end
+
+      8.22 * merged_modified_attack_vector.score * merged_modified_attack_complexity.score *
+        privilege_score * merged_modified_user_interaction.score
     end
 
     def calculate_score(modified_impact_sub_score, modified_exploitability_sub_score, temporal_score)
-      factor = @modified_scope.selected_choice[:name] == 'Changed' ? 1.08 : 1.0
+      if @modified_scope.selected_choice[:name] == 'Not Defined'
+        factor = @base.scope.selected_choice[:name] == 'Changed' ? 1.08 : 1.0
+      else
+        factor = @modified_scope.selected_choice[:name] == 'Changed' ? 1.08 : 1.0
+      end
 
       Cvss31Helper.round_up(
         [factor * (modified_impact_sub_score + modified_exploitability_sub_score), 10].min

data/lib/cvss_suite/version.rb

@@ -9,5 +9,5 @@
 # See the LICENSE.md file in the top-level directory.
 
 module CvssSuite
-  VERSION = '1.2.1'
+  VERSION = '1.2.2'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cvss-suite
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.2.2
 platform: ruby
 authors:
 - Oliver Hamboerger
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-05-10 00:00:00.000000000 Z
+date: 2020-07-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler