cvss_rating 0.2.2 → 0.5.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 18833ffe0a2110713321717882552cbd95baa964
-  data.tar.gz: c9517ce89d7c9a16ec78f6e915b4c4ad24f57d2b
+  metadata.gz: ba239c3a20044c1f0bdec1bf20040f292fc58a0a
+  data.tar.gz: dd3f4a378df8d13d73240ba8ec36dcb4a20c0a63
 SHA512:
-  metadata.gz: 67676bd99e61cb6d0946f490c358013a7956b71b44cb8033da4dfe8231364b74c9488d3e0d3da7d381e82dfd03858132507ed1951cccd9460f5eac444066fdb5
-  data.tar.gz: 6ebbd458fdbd4a627ff5198e6909e537d87c410a3aaf1a64aea7e82e28617bf625c257f5324a27de35734f630d185c6a7ed10e8d37f042dbde327a3b36991283
+  metadata.gz: 7c09e29ab6844f87a3279fec34da5ec3bbdc7c68b9dd2f583745f214feeffab34e6d35c70c3ac99b2a67dd2b760ce3bed39da5c0689f37f0d21a36a50bf7325d
+  data.tar.gz: 80391b4cc42fa467640cacc70dd06af7ee5a413abefa1410d234a0ce81ab9093e6c9914ac33f26aa0bc733760c3a20c637aad19d79dce1e74da2bc2cfd9c8478

data/README.md

@@ -2,7 +2,9 @@
 
 [![Build Status](https://travis-ci.org/mort666/cvss_rating.svg)](https://travis-ci.org/mort666/cvss_rating)
 
-Implements CVSS Risk Rating version 2.0
+Implements vulnerability scoring system CVSS versions 2.0 and 3.0.
+
+More information on the standard is available at [https://www.first.org/cvss](https://www.first.org/cvss)
 
 ## Installation
 
@@ -20,10 +22,37 @@ Or install it yourself as:
 
 ## Usage
 
-Check out the unit tests for examples of usage.
+The following is basic usage to handle a CVSS 2.0 vector:
+
+	cvs = Cvss2::Rating.new
+	cvss.parse("AV:N/AC:M/Au:N/C:P/I:P/A:P")
+	
+	# Calculate overallscore
+	cvss.overallscore
+	
+The following is basic usage to handle a CVSS 3.0 vector:
+
+	cvss = Cvss3::Rating.new
+	cvss.parse("AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:U/CR:L/IR:L/AR:L")
+
+	# Calculate Base Score (returns array of score and risk level)
+	cvss.cvss_base_score
+	
+	# Calculate Temporal Score (returns array of score and risk level)
+	cvss.cvss_temporal_score
+	
+	# Calculate Environmental Score (returns array of score and risk level)
+	cvss.cvss_environmental_score
+
+Check out the unit tests for more examples of usage.
 
 ## TODO
 
-* CVSS 3.0 Support
 * Code and API clean up
 * More Unit Tests
+
+## License
+
+Copyright (c) Stephen Kapp 2015.
+
+Released under the MIT License

data/cvss_rating.gemspec

@@ -9,7 +9,7 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Stephen Kapp"]
   spec.email         = ["mort666@virus.org"]
   spec.summary       = %q{CVSS Risk Rating Calculation and Vector parsing}
-  spec.description   = %q{CVSS Risk Rating Calculation and Vector parsing, implements CVSS 2.0 rating}
+  spec.description   = %q{CVSS Risk Rating Calculation and Vector parsing, implements CVSS 2.0 & 3.0 rating}
   spec.homepage      = "https://github.com/mort666/cvss_rating"
   spec.license       = "MIT"
 

data/lib/cvss3_rating.rb

@@ -0,0 +1,106 @@
+# @author Stephen Kapp
+
+require "cvss_rating/version"
+require "cvss_rating/cvss3_formulas"
+require "cvss_rating/cvss3_metrics"
+require "cvss_rating/cvss3_vectors"
+
+module Cvss3
+	class Rating
+		attr_accessor :exploitability, :base, :impact, :temporal, :environmental
+
+		include Cvss3Vectors
+
+		#
+		# Initialize the object, creates a clean initialized Cvss3::Rating object
+		#
+		# @param list [Hash] list of CVSS 3.0 attributes to be used during initialization
+		#
+
+		def initialize(attributes = {})   
+			init
+
+	    	attributes.each do |name, value|
+	      		send("#{name}=", value)
+	    	end
+	 	end
+
+	 	
+	 	#
+	 	# Takes score and determines risk level from None to Critical
+	 	#
+	 	# @param score [Float] risk score to be converted to risk level
+	 	# @return [String] risk level based on score
+
+	 	def risk_score(score)
+	 		risk_score = case score
+	 			when 0.0
+	 				"None"
+	 			when 0.1..3.9
+	 				"Low"
+	 			when 4.0..6.9
+	 				"Medium"
+	 			when 7.0..8.9
+	 				"High"
+	 			when 9.0..10.0
+	 				"Critical"
+	 			else
+	 				nil
+	 			end
+	 	end
+
+	 
+	 	#
+	 	# Calculate the CVSS 3.0 Base Score
+	 	#
+	 	# @return [Array] the CVSS 3.0 Base score with its risk level
+
+	 	def cvss_base_score
+	 		@exploitability = ::Cvss3::Formulas.new.exploitability_sub_score(@av, @ac, @pr, @ui)
+
+			@impact = ::Cvss3::Formulas.new.impact_sub_score_base(@ai, @ci, @ii)	 	
+
+			@base = ::Cvss3::Formulas.new.cvss_base_formula(@impact, @sc, @exploitability)
+
+			@base_level = risk_score(@base)	
+
+			return @base, @base_level
+	 	end
+
+	 	##
+	 	#
+	 	# Calculate the CVSS 3.0 Temporal Score
+	 	#
+	 	# @return [Array] the CVSS 3.0 Temporal score with its risk level
+
+	 	def cvss_temporal_score
+	 		@temporal = ::Cvss3::Formulas.new.cvss_temporal_formula(@base, @ex, @rl, @rc)
+
+	 		@temporal_level = risk_score(@temporal)
+
+	 		return @temporal, @temporal_level
+	 	end
+
+	 	##
+	 	#
+	 	# Calculate the CVSS 3.0 Temporal Score
+	 	#
+	 	# @return [Array] the CVSS 3.0 Temporal score with its risk level
+
+	 	def cvss_environmental_score
+	 		exploitability_sub_score_value_modified = ::Cvss3::Formulas.new.exploitability_sub_score_modified(self.mav(true), 
+	 			self.mac(true), self.mpr(true), self.mui(true))
+
+	 		impact_sub_score_value_modified = ::Cvss3::Formulas.new.impact_sub_score_modified_base(self.ma(true), self.mc(true), 
+	 			self.mi(true), @cr, @ir, @ar)
+
+	 		@environmental = ::Cvss3::Formulas.new.cvss_environmental_formula(impact_sub_score_value_modified, 
+	 			exploitability_sub_score_value_modified,
+	 			@ex, @rl, @rc, self.ms(true))
+
+	 		@environmental_level = risk_score(@environmental)
+
+	 		return @environmental, @environmental_level
+	 	end
+	end
+end

data/lib/cvss_rating/cvss3_formulas.rb

@@ -0,0 +1,103 @@
+module Cvss3
+	class Formulas
+		EXPLOITABILITY_COEFFICIENT = 8.22
+		IMPACT_COEFFICIENT = 6.42
+		IMPACT_MOD_COEFFICIENT = 7.52
+
+		def exploitability_sub_score(attack_vector_value, attack_complexity_value, privileges_required_value, user_interaction_value)
+			
+			exploitability_sub_score_value = EXPLOITABILITY_COEFFICIENT * attack_vector_value * attack_complexity_value * privileges_required_value * user_interaction_value
+
+			return exploitability_sub_score_value
+		end
+
+		def exploitability_sub_score_modified(attack_vector_value_modified, attack_complexity_value_modified, 
+			privileges_required_value_modified, user_interaction_value_modified)
+			
+			exploitability_sub_score_value_modified = EXPLOITABILITY_COEFFICIENT * attack_vector_value_modified * attack_complexity_value_modified * privileges_required_value_modified * user_interaction_value_modified
+    		
+    		return exploitability_sub_score_value_modified
+		end
+
+		def impact_sub_score_base(availability_value, confidentiality_value, integrity_value)
+			
+			impact_sub_score_value = 1 - ((1 - confidentiality_value) * (1 - integrity_value) * (1 - availability_value))
+    		
+    		return impact_sub_score_value
+		end
+
+		def impact_sub_score_modified_base(availability_value_modified, confidentiality_value_modified, integrity_value_modified,
+			confidentiality_requirement_value, integrity_requirement_value, availability_requirement_value)
+
+			impact_sub_score_value_modified = min(0.915, 1 - (1 - confidentiality_value_modified * confidentiality_requirement_value) * (1 - integrity_value_modified * integrity_requirement_value) * (1 - availability_value_modified * availability_requirement_value))
+			
+			return impact_sub_score_value_modified
+		end
+
+		def cvss_base_formula(impact_sub_score_value, scope_value, exploitability_sub_score_value)
+		
+			if scope_value == "unchanged"
+        		impact_value = IMPACT_COEFFICIENT * impact_sub_score_value
+        		cvss_base_value = min(10, impact_value + exploitability_sub_score_value)
+    		elsif scope_value == "changed"
+        		impact_value = IMPACT_MOD_COEFFICIENT * (impact_sub_score_value - 0.029) - 3.25 * ((impact_sub_score_value - 0.02) ** 15)
+        		cvss_base_value = min(10, 1.08 * (impact_value + exploitability_sub_score_value))
+        	end
+
+		    if impact_sub_score_value <= 0
+				cvss_base_value = 0.0
+		    else
+				cvss_base_value = cvss_base_value.ceil2(1)
+			end
+
+    		return cvss_base_value
+		end
+
+		def cvss_temporal_formula(cvss_base_value, exploit_code_maturity_value, remediation_level_value, report_confidence_value)
+			
+			cvss_temporal_value = cvss_base_value * exploit_code_maturity_value * remediation_level_value * \
+				report_confidence_value
+    		
+    		cvss_temporal_value = cvss_temporal_value.ceil2(1)
+			
+			return cvss_temporal_value
+		end
+
+		def cvss_environmental_formula(impact_sub_score_value_modified, exploitability_sub_score_value_modified,
+			exploit_code_maturity_value, remediation_level_value, report_confidence_value, scope_value_modified)
+
+			if scope_value_modified == "unchanged"
+				impact_value_modified = IMPACT_COEFFICIENT * impact_sub_score_value_modified
+				temp_score = min(10, impact_value_modified + exploitability_sub_score_value_modified)
+				temp_score2 = temp_score.ceil2(1)
+				temp_score3 = temp_score2 * exploit_code_maturity_value * remediation_level_value * report_confidence_value
+			elsif scope_value_modified == "changed"
+		        impact_value_modified = IMPACT_MOD_COEFFICIENT * (impact_sub_score_value_modified - 0.029) - 3.25 * ((impact_sub_score_value_modified - 0.02) ** 15)
+		        temp_score = min(10, 1.08 * (impact_value_modified + exploitability_sub_score_value_modified))
+		        temp_score2 = temp_score.ceil2(1)
+		        temp_score3 = temp_score2 * exploit_code_maturity_value * remediation_level_value * report_confidence_value
+		    end
+
+    		if impact_sub_score_value_modified <= 0
+        		cvss_environmental_value = 0.0
+        	else
+        		cvss_environmental_value = temp_score3.ceil2(1)
+        	end
+
+        	return cvss_environmental_value
+		end
+
+
+		def min(*values)
+			values.min
+		end
+	end
+end
+
+
+class Float
+  		def ceil2(exp = 0)
+   			multiplier = 10 ** exp
+   			((self * multiplier).ceil).to_f/multiplier.to_f
+  		end
+end

data/lib/cvss_rating/cvss3_metrics.rb

@@ -0,0 +1,52 @@
+module Cvss3
+	class Metrics
+		# Base Metrics
+		ATTACK_VECTOR = { :physical => 0.2, :local => 0.55, :adjacent_network => 0.62, :network => 0.85, :not_defined => 0.85 }
+	  	ATTACK_COMPLEXITY = { :high => 0.44, :low => 0.77, :not_defined => 0.77 }
+	  	
+	  	PRIVILEGE_REQUIRED = { :not_defined => 0.85, :none => 0.85, :low => 0.62, :high => 0.27 }
+	  	PRIVILEGE_REQUIRED_CHANGED = { :not_defined => 0.85, :none => 0.85, :low => 0.68, :high => 0.50 }
+	  
+	  	USER_INTERACTION = {:not_defined => 0.85, :none => 0.85, :required => 0.62 }
+
+	  	CIA_IMPACT = { :none => 0.0, :low => 0.22, :high => 0.56, :not_defined => 0.56 }
+	  
+	  	# Environmental Metrics
+	  	CIA_REQUIREMENT = { :low => 0.5, :medium => 1.0, :high => 1.50, :not_defined => 1.0 }
+
+	  	# Temporal Metrics
+	  	EXPLOITABILITY = { :unproven => 0.91, :poc => 0.94, :functional =>  0.97, :high => 1.0, :not_defined => 1.0 }
+
+	  	REMEDIATION_LEVEL = { :official => 0.95, :temporary => 0.96, :workaround =>  0.97, :unavailable => 1.0, :not_defined => 1.0 }
+	  	
+	  	REPORT_CONFIDENCE = { :unknown => 0.92, :reasonable => 0.96, :confirmed => 1.0, :not_defined => 1.0 }
+	  
+	  	# Key Lookup values
+
+	  	ATTACK_VECTOR_KEY = { :physical => 'P', :local => 'L', :adjacent_network => 'A', :network => 'N' }
+	  	ATTACK_COMPLEXITY_KEY = { :high => 'H', :low => 'L' }
+	  	PRIVILEGE_REQUIRED_KEY = { :none => 'N', :low => 'L', :high => 'H' }
+	  	PRIVILEGE_REQUIRED_CHANGED_KEY = { :none => 'N', :low => 'L', :high => 'H' }
+	  	USER_INTERACTION_KEY = { :none => 'N', :required => 'R' }
+
+	  	SCOPE_KEY = { :changed => 'C', :unchanged => 'U' }
+	  
+	  	CIA_IMPACT_KEY = { :none => 'N', :low => 'L', :high => 'H' }
+	  
+	  	CIA_REQUIREMENT_KEY = { :low => 'L', :medium => 'M', :high => 'H', :notdefined => 'ND' }
+	  
+	  	EXPLOITABILITY_KEY = { :unproven => 'U', :poc => 'P', :functional => 'F', :high => 'H', :not_defined => 'ND' }
+	  	REMEDIATION_LEVEL_KEY = { :official => 'O', :temporary => "T", :workaround =>  'W', :unavailable => 'U', :not_defined => 'ND' }
+	  	REPORT_CONFIDENCE_KEY = { :unknown => 'U', :reasonable => 'R', :confirmed => 'C', :not_defined => 'ND' }
+
+	  	MODIFIED_ATTACK_VECTOR_KEY = { :physical => 'P', :local => 'L', :adjacent_network => 'A', :network => 'N' }
+	  	MODIFIED_ATTACK_COMPLEXITY_KEY = { :high => 'H', :low => 'L' }
+	  	MODIFIED_PRIVILEGE_REQUIRED_KEY = { :none => 'N', :low => 'L', :high => 'H' }
+	  	MODIFIED_PRIVILEGE_REQUIRED_CHANGED_KEY = { :none => 'N', :low => 'L', :high => 'H' }
+	  	MODIFIED_USER_INTERACTION_KEY = { :none => 'N', :required => 'R' }
+
+	  	MODIFIED_SCOPE_KEY = { :changed => 'C', :unchanged => 'U' }
+	  
+	  	MODIFIED_CIA_IMPACT_KEY = { :none => 'N', :low => 'L', :high => 'H' }
+	end
+end

data/lib/cvss_rating/cvss3_vectors.rb

@@ -0,0 +1,551 @@
+module Cvss3Vectors
+	attr_reader :av, :ac, :ui, :sc, :ci, :ai, :ii, :ex, :rl, :rc, :pr, :td, :cr, :ir
+
+	VECTORS = {
+		"cvss" => "cvss3=",
+	    "av" => "av=",
+	    "ac" => "ac=",
+	    "ui" => "ui=",
+	    "s" => "sc=",
+	    "c" => "ci=",
+	    "i" => "ii=",
+	    "a" => "ai=",
+	    "e" => "ex=",
+	    "rl" => "rl=",
+	    "rc" => "rc=",
+	    "pr" => "pr=",
+	    "cr" => "cr=",
+	    "ir" => "ir=",
+	    "ar" => "ar=",
+	    "mav" => "mav=",
+	    "mac" => "mac=",
+	    "ms" => "ms=",
+	    "mpr" => "mpr=",
+	    "mui" => "mui=",
+	    "mc" => "mc=",
+	    "mi" => "mi=",
+	    "ma" => "ma="
+	}
+
+	def parse(vector)
+		string = vector.split("/")
+	    len = string.length
+
+	    init
+
+	    @originalkey = vector
+	    
+	    string.each do |section|
+	      tmp = section.split(":")
+	      send(VECTORS[tmp[0].downcase].to_sym, tmp[1])     
+	    end
+	end
+
+	def set_key
+		@key = "AV:%s/AC:%s/PR:%s/UI:%s/C:%s/I:%s/A:%s" % [ self.av,
+	        self.ac, self.pr, self.ui, 
+	        self.ci, self.ii, self.ai]
+
+	    @key += "/E:%s" % self.ex if !@ex.nil?
+	    @key += "/RL:%s" % self.rl if !@rl.nil?
+	    @key += "/RC:%s" % self.rc if !@rc.nil?
+
+	    @key += "/CR:%s" % self.cr if !@cr.nil?
+	    @key += "/IR:%s" % self.ir if !@ir.nil?
+	    @key += "/AR:%s" % self.ar if !@ar.nil?
+
+	    @key += "/MAV:%s" % self.mav if !@mav.nil?
+	    @key += "/MAC:%s" % self.mac if !@mac.nil?
+	    @key += "/MPR:%s" % self.mpr if !@mpr.nil?
+	    @key += "/MUI:%s" % self.mui if !@mui.nil?
+	    @key += "/MS:%s" % self.ms if !@ms.nil?
+
+	    @key += "/MC:%s" % self.mc if !@mc.nil?
+	    @key += "/MI:%s" % self.mi if !@mi.nil?
+	    @key += "/MA:%s" % self.ma if !@ma.nil?
+
+	end
+
+	def key
+	  	self.set_key
+	  	return @key
+	end
+
+	def get_key(vector, value)
+		get_key = eval("::Cvss3::Metrics::" + vector + "_KEY")[(eval("::Cvss3::Metrics::" + vector).select { |k,v| v == value }).keys[0]]
+	end
+
+	def cvss3=(cvss3)
+		if cvss3 != "3.0"
+			raise "Bad CVSS 3.0 Vector String"
+		end
+	end
+
+	def av=(av)
+		@av = case av
+		when "physical", "P"
+			::Cvss3::Metrics::ATTACK_VECTOR[:physical]
+	    when "local", "L"
+	    	::Cvss3::Metrics::ATTACK_VECTOR[:local]
+	    when "adjacent network", "A"
+	    	::Cvss3::Metrics::ATTACK_VECTOR[:adjacent_network]
+	    when "network", "N"
+	    	::Cvss3::Metrics::ATTACK_VECTOR[:network]
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+
+	def av
+	    av = get_key("ATTACK_VECTOR", @av) if !@av.nil?
+	end
+
+	def ac=(ac)
+		@ac = case ac
+		when "high", "H"
+			::Cvss3::Metrics::ATTACK_COMPLEXITY[:high]
+	    when "low", "L"
+	    	::Cvss3::Metrics::ATTACK_COMPLEXITY[:low]
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+
+	def ac
+	    ac = get_key("ATTACK_COMPLEXITY", @ac) if !@ac.nil?
+	end
+
+	def ui=(ui)
+		@ui = case ui
+		when "none", "N"
+			::Cvss3::Metrics::USER_INTERACTION[:none]
+	    when "required", "R" 
+	    	::Cvss3::Metrics::USER_INTERACTION[:required]
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+
+	def ui
+	    ui = get_key("USER_INTERACTION", @ui) if !@ui.nil?
+	end
+
+	def pr=(pr)
+		@pr = case pr
+		when "none", "N"
+			::Cvss3::Metrics::PRIVILEGE_REQUIRED[:none]
+	    when "low", "L" 
+	    	::Cvss3::Metrics::PRIVILEGE_REQUIRED[:low]
+	    when "high", "H" 
+	     	::Cvss3::Metrics::PRIVILEGE_REQUIRED[:high]
+	    else 
+	      raise "Bad Argument" 
+	    end
+	end
+
+	def pr
+		if @sc == "changed"
+			pr = get_key("PRIVILEGE_REQUIRED_CHANGED", @pr) if !@pr.nil?
+	    else
+	    	pr = get_key("PRIVILEGE_REQUIRED", @pr) if !@pr.nil?
+	    end
+	end
+
+	def sc=(sc)
+		@sc = case sc
+		when "changed", "C"
+			"changed"
+	    when "unchanged", "U"
+	    	"unchanged"
+	    else 
+	      raise "Bad Argument"
+	    end
+
+	    if @sc == "changed"
+	    	@pr = case get_key("PRIVILEGE_REQUIRED", @pr).nil? ? get_key("PRIVILEGE_REQUIRED_CHANGED", @pr) : get_key("PRIVILEGE_REQUIRED", @pr)
+			when "none", "N",
+				::Cvss3::Metrics::PRIVILEGE_REQUIRED_CHANGED[:none]
+		    when "low", "L"
+		     	::Cvss3::Metrics::PRIVILEGE_REQUIRED_CHANGED[:low]
+		    when "high", "H" 
+		    	::Cvss3::Metrics::PRIVILEGE_REQUIRED_CHANGED[:high]
+		    else 
+		      raise "Bad Argument"
+		    end
+		else
+			self.pr = get_key("PRIVILEGE_REQUIRED", @pr).nil? ? get_key("PRIVILEGE_REQUIRED_CHANGED", @pr) : get_key("PRIVILEGE_REQUIRED", @pr)
+		end
+	end
+
+	def sc
+	    sc = ::Cvss3::Metrics::SCOPE_KEY[@sc.to_sym] if !@sc.nil?
+	end	
+
+	def ci=(ci)
+		@ci = case ci
+		when "none", "N"
+			::Cvss3::Metrics::CIA_IMPACT[:none]
+	    when "low", "L" 
+	    	::Cvss3::Metrics::CIA_IMPACT[:low]
+	   	when "high", "H" 
+	    	::Cvss3::Metrics::CIA_IMPACT[:high]
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+
+	def ci
+	    ci = get_key("CIA_IMPACT", @ci) if !@ci.nil?
+	end
+
+	def ii=(ii)
+		@ii = case ii
+		when "none", "N"
+			::Cvss3::Metrics::CIA_IMPACT[:none]
+	    when "low", "L" 
+	    	::Cvss3::Metrics::CIA_IMPACT[:low]
+	   	when "high", "H" 
+	    	::Cvss3::Metrics::CIA_IMPACT[:high]
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+
+	def ii
+	    ii = get_key("CIA_IMPACT", @ii) if !@ii.nil?
+	end
+
+	def ai=(ai)
+		@ai = case ai
+		when "none", "N"
+			::Cvss3::Metrics::CIA_IMPACT[:none]
+	    when "low", "L" 
+	    	::Cvss3::Metrics::CIA_IMPACT[:low]
+	   	when "high", "H" 
+	    	::Cvss3::Metrics::CIA_IMPACT[:high]
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+
+	def ai
+	    ai = get_key("CIA_IMPACT", @ai) if !@ai.nil?
+	end
+
+	def mav=(mav)
+		@mav = case mav
+		when "physical", "P"
+			::Cvss3::Metrics::ATTACK_VECTOR[:physical]
+	    when "local", "L"
+	    	::Cvss3::Metrics::ATTACK_VECTOR[:local]
+	    when "adjacent network", "A"
+	    	::Cvss3::Metrics::ATTACK_VECTOR[:adjacent_network]
+	    when "network", "N"
+	    	::Cvss3::Metrics::ATTACK_VECTOR[:network]
+	    when "not_defined", "ND"
+	    	nil
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+
+	def mav(raw=false)
+		if raw 
+			@mav ||= @av
+		else
+	    	mav = get_key("ATTACK_VECTOR", @mav) if !@mav.nil?
+	    end
+	end
+
+	def mac=(mac)
+		@mac = case mac
+		when "high", "H"
+			::Cvss3::Metrics::ATTACK_COMPLEXITY[:high]
+	    when "low", "L"
+	    	::Cvss3::Metrics::ATTACK_COMPLEXITY[:low]
+	    when "not_defined", "ND"
+	    	nil
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+
+	def mac(raw=false)
+		if raw 
+			@mac ||= @ac
+		else
+	   		mac = get_key("ATTACK_COMPLEXITY", @mac) if !@mac.nil?
+	   	end
+	end
+
+	def mui=(mui)
+		@mui = case mui
+		when "none", "N"
+			::Cvss3::Metrics::USER_INTERACTION[:none]
+	    when "required", "R" 
+	    	::Cvss3::Metrics::USER_INTERACTION[:required]
+	    when "not_defined", "ND"
+	    	nil
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+
+	def mui(raw=false)
+		if raw 
+			@mui ||= @ui
+		else
+	    	mui = get_key("USER_INTERACTION", @mui) if !@mui.nil?
+	    end
+	end
+
+	def mpr=(mpr)
+		@mpr = case mpr
+		when "none", "N"
+			::Cvss3::Metrics::PRIVILEGE_REQUIRED[:none]
+	    when "low", "L" 
+	    	::Cvss3::Metrics::PRIVILEGE_REQUIRED[:low]
+	    when "high", "H" 
+	     	::Cvss3::Metrics::PRIVILEGE_REQUIRED[:high]
+	    when "not_defined", "ND"
+	    	nil
+	    else 
+	      raise "Bad Argument" 
+	    end
+	end
+
+	def mpr(raw=false)
+		if raw 
+			@mpr ||= @pr
+		else
+			if @ms == "changed"
+				mpr = get_key("PRIVILEGE_REQUIRED_CHANGED", @mpr) if !@mpr.nil?
+	    	else
+	    		mpr = get_key("PRIVILEGE_REQUIRED", @mpr) if !@mpr.nil?
+	    	end
+	    end
+	end
+
+	def ms=(ms)
+		@ms = case ms
+		when "changed", "C"
+			"changed"
+	    when "unchanged", "U"
+	    	"unchanged"
+	    when "not_defined", "ND"
+	    	nil
+	    else 
+	      raise "Bad Argument"
+	    end
+
+	    if @ms == "changed"
+	    	@mpr = case get_key("PRIVILEGE_REQUIRED", self.mpr(true)).nil? ? get_key("PRIVILEGE_REQUIRED_CHANGED", self.mpr(true)) : get_key("PRIVILEGE_REQUIRED", self.mpr(true))
+			when "none", "N",
+				::Cvss3::Metrics::PRIVILEGE_REQUIRED_CHANGED[:none]
+		    when "low", "L"
+		     	::Cvss3::Metrics::PRIVILEGE_REQUIRED_CHANGED[:low]
+		    when "high", "H" 
+		    	::Cvss3::Metrics::PRIVILEGE_REQUIRED_CHANGED[:high]
+		    else 
+		      raise "Bad Argument"
+		    end
+		else
+			self.mpr = get_key("PRIVILEGE_REQUIRED", self.mpr(true)).nil? ? get_key("PRIVILEGE_REQUIRED_CHANGED", self.mpr(true)) : get_key("PRIVILEGE_REQUIRED", self.mpr(true))
+		end
+	end
+
+	def ms(raw=false)
+		if raw
+			@ms ||= @sc
+		else
+			if @ms.nil?
+				ms = ::Cvss3::Metrics::SCOPE_KEY[@sc.to_sym] if !@sc.nil?
+			else
+				ms = ::Cvss3::Metrics::SCOPE_KEY[@ms.to_sym] if !@ms.nil?
+			end
+		end	
+	end	
+
+	def mc=(mc)
+		@mc = case mc
+		when "none", "N"
+			::Cvss3::Metrics::CIA_IMPACT[:none]
+	    when "low", "L" 
+	    	::Cvss3::Metrics::CIA_IMPACT[:low]
+	   	when "high", "H" 
+	    	::Cvss3::Metrics::CIA_IMPACT[:high]
+	    when "not_defined", "ND"
+	    	nil
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+
+	def mc(raw=false)
+		if raw 
+			@mv ||= @ci
+		else
+	    	mc = get_key("CIA_IMPACT", @mc) if !@mc.nil?
+	    end
+	end
+
+	def mi=(mi)
+		@mi = case mi
+		when "none", "N"
+			::Cvss3::Metrics::CIA_IMPACT[:none]
+	    when "low", "L" 
+	    	::Cvss3::Metrics::CIA_IMPACT[:low]
+	   	when "high", "H" 
+	    	::Cvss3::Metrics::CIA_IMPACT[:high]
+	    when "not_defined", "ND"
+	    	nil
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+
+	def mi(raw=false)
+		if raw 
+			@mi ||= @ii
+		else
+	    	mi = get_key("CIA_IMPACT", @mi) if !@mi.nil?
+	    end
+	end
+
+	def ma=(ma)
+		@ma = case ma
+		when "none", "N"
+			::Cvss3::Metrics::CIA_IMPACT[:none]
+	    when "low", "L" 
+	    	::Cvss3::Metrics::CIA_IMPACT[:low]
+	   	when "high", "H" 
+	    	::Cvss3::Metrics::CIA_IMPACT[:high]
+	    when "not_defined", "ND"
+	    	nil
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+
+	def ma(raw=false)
+		if raw 
+			@ma ||= @ai
+		else
+	    	ma = get_key("CIA_IMPACT", @ma) if !@ma.nil?
+	    end
+	end
+
+	def ex=(ex)
+		@ex = case ex
+		when "unproven", "U" then ::Cvss3::Metrics::EXPLOITABILITY[:unproven]
+		when "proof-of-concept", "P", "POC" then ::Cvss3::Metrics::EXPLOITABILITY[:poc]
+		when "functional", "F" then ::Cvss3::Metrics::EXPLOITABILITY[:functional]
+		when "high", "H" then ::Cvss3::Metrics::EXPLOITABILITY[:high]      
+		when "not defined", "ND", "X" then ::Cvss3::Metrics::EXPLOITABILITY[:not_defined]
+		else 
+		  raise "Bad Argument"
+		end
+	end
+	
+	def ex
+	  	ex = get_key("EXPLOITABILITY", @ex) if !@ex.nil?
+	end
+	
+	def rl=(rl)
+		@rl = case rl
+		when "official-fix", "O" then ::Cvss3::Metrics::REMEDIATION_LEVEL[:official]
+		when "temporary-fix", "T", "TF" then ::Cvss3::Metrics::REMEDIATION_LEVEL[:temporary]
+		when "workaround", "W" then ::Cvss3::Metrics::REMEDIATION_LEVEL[:workaround]
+		when "unavailable", "U" then ::Cvss3::Metrics::REMEDIATION_LEVEL[:unavailable]      
+		when "not defined", "ND", "X" then ::Cvss3::Metrics::REMEDIATION_LEVEL[:not_defined]
+		else 
+		  raise "Bad Argument"
+		end
+	end
+	
+	def rl
+	  	rl = get_key("REMEDIATION_LEVEL", @rl) if !@rl.nil?
+	end
+	
+	def rc=(rc)
+		@rc = case rc
+		when "unknown", "U" then ::Cvss3::Metrics::REPORT_CONFIDENCE[:unknown]
+		when "reasonable", "R" then ::Cvss3::Metrics::REPORT_CONFIDENCE[:reasonable]
+		when "confirmed", "C" then ::Cvss3::Metrics::REPORT_CONFIDENCE[:confirmed]    
+		when "not defined", "ND", "X" then ::Cvss3::Metrics::REPORT_CONFIDENCE[:not_defined]
+		else 
+		  raise "Bad Argument"
+		end
+	 end
+	
+	def rc
+	  	rc = get_key("REPORT_CONFIDENCE", @rc) if !@av.nil?
+	end	
+
+	def cr=(cr)
+	    @cr = case cr
+	    when "low", "L" then ::Cvss3::Metrics::CIA_REQUIREMENT[:low]
+	    when "medium", "M" then ::Cvss3::Metrics::CIA_REQUIREMENT[:medium]
+	    when "high", "H" then ::Cvss3::Metrics::CIA_REQUIREMENT[:high]      
+	    when "not defined", "ND", "X" then ::Cvss3::Metrics::CIA_REQUIREMENT[:not_defined]
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+	  
+	def cr
+	    cr = get_key("CIA_REQUIREMENT", @cr) if !@cr.nil?
+	end
+	  
+	def ir=(ir)
+	    @ir = case ir
+	    when "low", "L" then ::Cvss3::Metrics::CIA_REQUIREMENT[:low]
+	    when "medium", "M" then ::Cvss3::Metrics::CIA_REQUIREMENT[:medium]
+	    when "high", "H" then ::Cvss3::Metrics::CIA_REQUIREMENT[:high]      
+	    when "not defined", "ND", "X" then ::Cvss3::Metrics::CIA_REQUIREMENT[:not_defined]
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+	  
+	def ir
+	    ir = get_key("CIA_REQUIREMENT", @ir) if !@ir.nil?
+	end
+	  
+	def ar=(ar)
+	    @ar = case ar
+	    when "low", "L" then ::Cvss3::Metrics::CIA_REQUIREMENT[:low]
+	    when "medium", "M" then ::Cvss3::Metrics::CIA_REQUIREMENT[:medium]
+	    when "high", "H" then ::Cvss3::Metrics::CIA_REQUIREMENT[:high]      
+	    when "not defined", "ND", "X" then ::Cvss3::Metrics::CIA_REQUIREMENT[:not_defined]
+	    else 
+	      raise "Bad Argument"
+	    end
+	end
+	  
+	def ar
+	    ar = get_key("CIA_REQUIREMENT", @ar) if !@ar.nil?
+	end
+
+
+	def init(ex = "ND", rl = "ND", rc = "ND", cd = "ND", td = "ND", cr = "ND", ir = "ND", ar = "ND", 
+			mav = "ND", mac = "ND", mpv = "ND", mui = "ND", mc = "ND", mi = "ND", ma = "ND")
+	    self.ex = ex
+	    self.rl = rl
+	    self.rc = rc
+
+		self.cr = cr
+		self.ir = ir
+	    self.ar = ar
+
+	    self.mav = mav
+	    self.mac = mac
+	    self.mpr = mpv
+	    self.mui = mui
+
+	    self.mc = mc
+	    self.mi = mi
+	    self.ma = ma	
+	end
+
+end

data/lib/cvss_rating/version.rb

@@ -1,5 +1,5 @@
 module Cvss2
 	class Rating
-  		VERSION = "0.2.2"
+  		VERSION = "0.5.3"
   	end
 end

data/test/cvss2_rating_test.rb

@@ -2,7 +2,7 @@ require 'minitest/autorun'
 require 'active_support'
 require 'cvss2_rating'
 
-class CvssRatingTest < MiniTest::Unit::TestCase
+class CvssRatingTest < MiniTest::Test
 	def setup
 		@cvss = Cvss2::Rating.new
 		@cvss.av = "N"

data/test/cvss3_rating_test.rb

@@ -0,0 +1,235 @@
+require 'minitest/autorun'
+require 'active_support'
+require 'cvss3_rating'
+
+class Cvss3RatingTest < MiniTest::Test
+	def setup
+		@cvss = Cvss3::Rating.new
+		@cvss.av = "P"
+		@cvss.ac = "H"
+		@cvss.ui = "R"
+		@cvss.pr = "L"
+		@cvss.sc = "C"
+		@cvss.ci = "H"
+		@cvss.ii = "low"
+		@cvss.ai = "N"
+
+		@cvss_2 = Cvss3::Rating.new
+		@cvss_2.av = "P"
+		@cvss_2.ac = "H"
+		@cvss_2.ui = "R"
+		@cvss_2.pr = "H"
+		@cvss_2.sc = "C"
+		@cvss_2.ci = "H"
+		@cvss_2.ii = "low"
+		@cvss_2.ai = "N"
+		@cvss_2.ex = "U"
+		@cvss_2.rl = "O"
+		@cvss_2.rc = "U"
+		@cvss_2.cr = "L"
+		@cvss_2.ir = "L"
+		@cvss_2.ar = "L"
+	end
+
+	def test_cvss_rating_from_vector
+		cvss = Cvss3::Rating.new
+		cvss.parse("AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N")
+
+		assert_equal @cvss.ai, cvss.ai
+
+		assert_equal @cvss.ii, cvss.ii
+
+		assert_equal @cvss.av, cvss.av
+
+		assert_equal @cvss.ui, cvss.ui
+
+		assert_equal @cvss.key, cvss.key
+
+		cvss = Cvss3::Rating.new
+		cvss.parse("AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:U/CR:L/IR:L/AR:L")
+
+		assert_equal @cvss_2.ai, cvss.ai
+
+		assert_equal @cvss_2.ii, cvss.ii
+
+		assert_equal @cvss_2.av, cvss.av
+
+		assert_equal @cvss_2.key, cvss.key
+	end
+
+	def test_valid_vector
+		cvss = Cvss3::Rating.new
+
+		err = assert_raises RuntimeError do
+			cvss.parse("AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:X/A:N")
+		end
+
+		assert_match /Bad Argument/, err.message
+
+		err = assert_raises RuntimeError do
+			cvss.parse("CVSS:9.9/AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N")
+		end
+
+		assert_match /Bad CVSS 3.0 Vector String/, err.message
+	end
+
+	def test_cvss_rating_parameters
+		cvss = Cvss3::Rating.new
+
+		cvss.av = "physical"
+
+		assert_equal @cvss.av, cvss.av
+
+		cvss.pr = 'low'
+
+		assert_equal @cvss.pr, cvss.pr
+
+		cvss.ci = 'high'
+
+		assert_equal @cvss.ci, cvss.ci
+
+		cvss.ai = 'none'
+
+		assert_equal @cvss.ai, cvss.ai
+
+	end
+
+	def test_cvss_risk_rating
+		cvss = Cvss3::Rating.new
+
+		assert_equal "None", cvss.risk_score(0.0)
+
+		assert_equal "Low", cvss.risk_score(2.0)
+		
+		assert_equal "Medium", cvss.risk_score(5.1)
+		
+		assert_equal "High", cvss.risk_score(7.1)
+		
+		assert_equal "Critical", cvss.risk_score(10.0)
+		
+		assert_equal nil, cvss.risk_score(11.0)
+	end
+
+	def test_base_score
+		cvss = Cvss3::Rating.new
+		cvss.parse("AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N")
+
+		score = cvss.cvss_base_score
+
+		assert_equal 3.9, score[0]
+
+		assert_equal "Low", score[1]
+
+		cvss = Cvss3::Rating.new
+		cvss.parse("AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:U/CR:L/IR:L/AR:L")
+
+		score = cvss.cvss_base_score
+
+		assert_equal 5.4, score[0]
+
+		assert_equal "Medium", score[1]
+
+	end
+
+	def test_temporal_score
+		cvss = Cvss3::Rating.new
+		cvss.parse("AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N")
+
+		cvss.cvss_base_score
+
+		score = cvss.cvss_temporal_score
+
+		assert_equal 3.9, score[0]
+
+		assert_equal "Low", score[1]
+
+		cvss = Cvss3::Rating.new
+		cvss.parse("AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:U/CR:L/IR:L/AR:L")
+
+		cvss.cvss_base_score
+		
+		score = cvss.cvss_temporal_score
+
+		assert_equal 4.3, score[0]
+
+		assert_equal "Medium", score[1]
+	end
+
+	def test_environmental_score
+		cvss = Cvss3::Rating.new
+		cvss.parse("AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N")
+
+		cvss.cvss_base_score
+
+		score = cvss.cvss_environmental_score
+
+		assert_equal 3.9, score[0]
+
+		assert_equal "Low", score[1]
+
+		cvss = Cvss3::Rating.new
+		cvss.parse("AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:U/CR:L/IR:L/AR:L")
+
+		cvss.cvss_base_score
+		
+		score = cvss.cvss_environmental_score
+
+		assert_equal 2.4, score[0]
+
+		assert_equal "Low", score[1]
+
+		cvss = Cvss3::Rating.new
+		cvss.parse("AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:U/IR:L/AR:L/MAV:A/MPR:N")
+
+		cvss.cvss_base_score
+		
+		score = cvss.cvss_environmental_score
+
+		assert_equal 4.8, score[0]
+
+		assert_equal "Medium", score[1]
+
+		cvss = Cvss3::Rating.new
+		cvss.parse("CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:U/MAV:N/MS:U")
+
+		cvss.cvss_base_score
+		
+		score = cvss.cvss_environmental_score
+
+		assert_equal 3.9, score[0]
+
+		assert_equal "Low", score[1]
+	end
+
+	def test_all_scores
+		cvss = Cvss3::Rating.new
+		cvss.parse("AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N/E:X/RL:X/RC:X")
+
+		score = cvss.cvss_base_score
+
+		assert_equal 0.0, score[0]
+
+		score = cvss.cvss_temporal_score
+
+		assert_equal 0.0, score[0]
+
+		score = cvss.cvss_environmental_score
+
+		assert_equal 0.0, score[0]
+
+		cvss.parse("AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:H/E:H/RL:W/RC:U/CR:H/IR:H/AR:M/MAV:L/MAC:L/MPR:H/MUI:N/MS:C/MC:N/MI:H/MA:L")
+
+		score = cvss.cvss_base_score
+
+		assert_equal 5.8, score[0]
+
+		score = cvss.cvss_temporal_score
+
+		assert_equal 5.2, score[0]
+
+		score = cvss.cvss_environmental_score
+
+		assert_equal 7.4, score[0]
+	end
+
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cvss_rating
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.5.3
 platform: ruby
 authors:
 - Stephen Kapp
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-19 00:00:00.000000000 Z
+date: 2015-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -67,7 +67,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 description: CVSS Risk Rating Calculation and Vector parsing, implements CVSS 2.0
-  rating
+  & 3.0 rating
 email:
 - mort666@virus.org
 executables: []
@@ -82,8 +82,13 @@ files:
 - Rakefile
 - cvss_rating.gemspec
 - lib/cvss2_rating.rb
+- lib/cvss3_rating.rb
+- lib/cvss_rating/cvss3_formulas.rb
+- lib/cvss_rating/cvss3_metrics.rb
+- lib/cvss_rating/cvss3_vectors.rb
 - lib/cvss_rating/version.rb
 - test/cvss2_rating_test.rb
+- test/cvss3_rating_test.rb
 homepage: https://github.com/mort666/cvss_rating
 licenses:
 - MIT
@@ -110,3 +115,4 @@ specification_version: 4
 summary: CVSS Risk Rating Calculation and Vector parsing
 test_files:
 - test/cvss2_rating_test.rb
+- test/cvss3_rating_test.rb