RubyGems - dradis-calculator_cvss - Versions diffs - 4.10.0 → 4.12.0 - Mend

dradis-calculator_cvss 4.10.0 → 4.12.0

Files changed (47) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cb1f2a2b5330bc60be4f63dfd7fbed29a14b9ea0b29dfc16ba03133fb2ca6649
-  data.tar.gz: 5b1fa4076ba2d47cf09bd65f900681408ceddb5f9e8f50df84c0faf9aed179b1
+  metadata.gz: ea68a10e94cb20e0854d84fa245cfbd8cbf26f6dd3ae9c9c30602667a216856f
+  data.tar.gz: 2883a651f2bd078b4c707a78fd5081dd7dde1294c91bd9ac90e1ff3e0af3495e
 SHA512:
-  metadata.gz: 2dfef75fdc527f62acb902c8d461acea6ef6e439600279024edc01065612e669a364319cce2c7bbb62e02f2134f8d736fe9892e196e65b0def5cd3ae46c0aec0
-  data.tar.gz: 4e5fc5ffa9409ea1e7727445974f3d815d4e82cb44758b7d550c57f783f97f80232727e6305ee9890286c7c21caad5cfdd694a9d4fd23763c858bc1c5ceaa64b
+  metadata.gz: 97bdfdfc740b2d81b59e5082a2c89e71d261ce40613ad1692484d643c92326bf28797c3dad3aa68cb6110f25493f1403482ade15fa44c081e00699f3dd13f15a
+  data.tar.gz: 3725740d1aa3c93d36d10931e14cd67b755e2c75c0bb974efc9d3684d591b65dd024e01c8666f2e6e60dd66c423c68779110db876dd8e7f55e39bdc9663aedad

data/.github/pull_request_template.md CHANGED Viewed

@@ -1,3 +1,5 @@
+Please review [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/develop/CONTRIBUTING.md) and remove this line.
 ### Summary
 Provide a general description of the code changes in your pull
@@ -6,6 +8,11 @@ these bugs have open GitHub issues, be sure to tag them here as well,
 to keep the conversation linked together.
+### Testing Steps
+Provide steps to test functionality, described in detail for someone not familiar with this part of the application / code base
 ### Other Information
 If there's anything else that's important and relevant to your pull
@@ -26,11 +33,13 @@ products, we must have the copyright associated with the entire
 codebase. Any code you create which is merged must be owned by us.
 That's not us trying to be a jerks, that's just the way it works.
-Please review the [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/master/CONTRIBUTING.md)
-file for the details.
 You can delete this section, but the following sentence needs to
 remain in the PR's description:
 > I assign all rights, including copyright, to any future Dradis
 > work by myself to Security Roots.
+### Check List
+- [ ] Added a CHANGELOG entry
+- [ ] Added specs

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,9 @@
+v4.12.0 (May 2024)
+  - Add CVSS v4 support
+v4.11.0 (January 2024)
+  - No changes
 v4.10.0 (September 2023)
   - Update gemspec links
   - Update views for compatibility with Font Awesome 6

data/README.md CHANGED Viewed

@@ -22,12 +22,12 @@ Restart your Dradis server and you should be good to go.
 ## More information
-See the Dradis Framework's [README.md](https://github.com/dradis/dradisframework/blob/master/README.md)
+See the Dradis Framework's [README.md](https://github.com/dradis/dradis-ce/blob/develop/README.md)
 ## Contributing
-See the Dradis Framework's [CONTRIBUTING.md](https://github.com/dradis/dradisframework/blob/master/CONTRIBUTING.md)
+See the Dradis Framework's [CONTRIBUTING.md](https://github.com/dradis/dradis-ce/blob/develop/CONTRIBUTING.md)
 ## License

data/app/assets/javascripts/dradis/plugins/calculators/cvss/cvss.js ADDED Viewed

@@ -0,0 +1,32 @@
+$(document).on('turbolinks:load', function () {
+  if ($('[data-behavior~=cvss-version]').length) {
+    function handleVersionSelection() {
+      var selectedValue = $('[data-behavior~=cvss-version]').val();
+      $('[data-cvss-version]').addClass('d-none');
+      switch (selectedValue) {
+        case '40':
+          $('[data-cvss-version=4]').removeClass('d-none');
+          window.calculator = new CVSS40Calculator();
+          break;
+        case '31':
+          $('[data-cvss-version=3]').removeClass('d-none');
+          window.calculator = new CVSS31Calculator();
+          break;
+        case '30':
+          $('[data-cvss-version=3]').removeClass('d-none');
+          window.calculator = new CVSS30Calculator();
+          break;
+      }
+    }
+    handleVersionSelection();
+    $('[data-behavior~=cvss-error]').addClass('d-none');
+    $('[data-behavior~=cvss-buttons] button').on('click', function () {
+      var $this = $(this);
+      $this.parent().find('button').removeClass('active btn-primary');
+      $this.addClass('active btn-primary');
+      $(`input[name="${$this.attr('name')}"]`).val($this.val());
+      window.calculator.calculate();
+    });
+    $('[data-behavior~=cvss-version]').on('change', handleVersionSelection);
+  }
+});

data/app/assets/javascripts/dradis/plugins/calculators/cvss/manifests/application.js CHANGED Viewed

@@ -3,8 +3,19 @@
 //= require bootstrap
 //= require turbolinks
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc30
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc30_helptext
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc31
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc31_helptext
-//= require dradis/plugins/calculators/cvss/calculator
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc30
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc30_helptext
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc31
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc31_helptext
+//= require dradis/plugins/calculators/cvss/v3/calculator
+//= require dradis/plugins/calculators/cvss/v4/vendor/app
+//= require dradis/plugins/calculators/cvss/v4/vendor/cvss_config
+//= require dradis/plugins/calculators/cvss/v4/vendor/cvss_details
+//= require dradis/plugins/calculators/cvss/v4/vendor/cvss_lookup
+//= require dradis/plugins/calculators/cvss/v4/vendor/max_composed
+//= require dradis/plugins/calculators/cvss/v4/vendor/max_severity
+//= require dradis/plugins/calculators/cvss/v4/vendor/metrics
+//= require dradis/plugins/calculators/cvss/v4/calculator
+//= require dradis/plugins/calculators/cvss/cvss

data/app/assets/javascripts/dradis/plugins/calculators/cvss/manifests/tylium.js CHANGED Viewed

@@ -1,5 +1,16 @@
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc30
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc30_helptext
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc31
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc31_helptext
-//= require dradis/plugins/calculators/cvss/calculator
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc30
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc30_helptext
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc31
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc31_helptext
+//= require dradis/plugins/calculators/cvss/v3/calculator
+//= require dradis/plugins/calculators/cvss/v4/vendor/app
+//= require dradis/plugins/calculators/cvss/v4/vendor/cvss_config
+//= require dradis/plugins/calculators/cvss/v4/vendor/cvss_details
+//= require dradis/plugins/calculators/cvss/v4/vendor/cvss_lookup
+//= require dradis/plugins/calculators/cvss/v4/vendor/max_composed
+//= require dradis/plugins/calculators/cvss/v4/vendor/max_severity
+//= require dradis/plugins/calculators/cvss/v4/vendor/metrics
+//= require dradis/plugins/calculators/cvss/v4/calculator
+//= require dradis/plugins/calculators/cvss/cvss

data/app/assets/javascripts/dradis/plugins/calculators/cvss/{calculator.js.coffee → v3/calculator.js.coffee} RENAMED Viewed

@@ -128,38 +128,16 @@ class CVSSCalculator
       $('input[type=submit]').attr('disabled', 'disabled')
       $('[data-behavior~=cvss-error]').removeClass('d-none').text(errorMessage)
-class CVSS30Calculator extends CVSSCalculator
-   constructor: ->
-     @calc = CVSS
-     @cvssHelp = CVSS_Help
-     super()
-class CVSS31Calculator extends CVSSCalculator
-   constructor: ->
-     @calc = CVSS31
-     @cvssHelp = CVSS31_Help
-     super()
-document.addEventListener "turbolinks:load", ->
-  if $('[data-behavior~=cvss-buttons]').length
-    if $('[data-behavior~=cvss-version-toggle]').prop('checked')
-      window.calculator = new CVSS30Calculator()
-    else
-      window.calculator = new CVSS31Calculator()
+class @CVSS30Calculator extends CVSSCalculator
+  constructor: ->
+    @calc = CVSS
+    @cvssHelp = CVSS_Help
-    $('[data-behavior~=cvss-error]').addClass('d-none')
+    super()
-    $('[data-behavior~=cvss-buttons] button').on 'click', ->
-      $this = $(this)
-      $this.parent().find('button').removeClass('active btn-primary')
-      $this.addClass('active btn-primary')
-      $("input[name=#{$this.attr('name')}]").val($this.val())
-      window.calculator.calculate()
+class @CVSS31Calculator extends CVSSCalculator
+  constructor: ->
+    @calc = CVSS31
+    @cvssHelp = CVSS31_Help
-    $('[data-behavior~=cvss-version-toggle]').on 'change', ->
-      if $('[data-behavior~=cvss-version-toggle]').prop('checked')
-        window.calculator = new CVSS30Calculator()
-      else
-        window.calculator = new CVSS31Calculator()
+    super()

data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/calculator.js ADDED Viewed

@@ -0,0 +1,168 @@
+class CVSS4Calculator {
+  constructor() {
+    $('[data-cvss-heading], [data-cvss-option]').each(function (_, item) {
+      let heading, metrics, metricGroup, tooltipContent;
+      metrics = $(item).parents('[data-cvss-metrics]').data('cvss-metrics');
+      metricGroup = $(item)
+        .parents('[data-cvss-metric-group]')
+        .data('cvss-metric-group');
+      if ($(item).is('[data-cvss-option]')) {
+        let option = $(item).data('cvss-option');
+        heading = $(item)
+          .parent()
+          .prevAll('[data-cvss-heading]:first')
+          .data('cvss-heading');
+        tooltipContent =
+          cvss40Config[metrics].metric_groups[metricGroup][heading].options[
+            option
+          ].tooltip;
+      } else {
+        heading = $(item).data('cvss-heading');
+        tooltipContent =
+          cvss40Config[metrics].metric_groups[metricGroup][heading].tooltip;
+      }
+      $(item).attr('title', tooltipContent);
+    });
+  }
+}
+class CVSS40Calculator extends CVSS4Calculator {
+  constructor() {
+    super()
+    this.app = cvss_v4_app();
+    this.calculate();
+  }
+  calculate() {
+    const regex = / \(.+?\)/i;
+    $('input[type=submit]').attr('disabled', null);
+    const that = this;
+    $('[data-cvss-metrics] .btn-group').each(function(){
+      const selected = $(this).find('[data-cvss-option].active');
+      if (selected.length == 1) {
+        that.app.cvssSelected[selected.attr('name').toUpperCase()] = selected.attr('value');
+        const label = selected.data('cvss-option');
+        that.app.cvssSelectedValue[selected.attr('name').toUpperCase()] = label.replace(regex, '');
+      }
+    });
+    this.setResult();
+    return true;
+  }
+  baseVector() {
+    let baseVector = 'CVSS:4.0';
+    const that = this;
+    Object.keys(expectedMetricOrder).forEach(function(metric) {
+      if (that.app.cvssSelected[metric] && that.app.cvssSelected[metric] != 'X') {
+        baseVector += `/${metric}:${that.app.cvssSelected[metric]}`
+      }
+    })
+    return baseVector;
+  }
+  setResult() {
+    let issue_cvss = ''
+    issue_cvss += "#[CVSSv4.BaseVector]#\n"
+    issue_cvss += `${this.baseVector()}\n\n`
+    issue_cvss += "#[CVSSv4.BaseScore]#\n"
+    issue_cvss += `${this.app.score()}\n\n`
+    issue_cvss += "#[CVSSv4.BaseSeverity]#\n"
+    issue_cvss += `${this.app.qualScore()}\n\n`
+    issue_cvss += "#[CVSSv4.MacroVector]#\n";
+    issue_cvss += `${this.app.macroVector()}\n\n`
+    const that = this;
+    [
+      'Exploitability', 'Complexity', 'VulnerableSystem', 'SubsequentSystem',
+      'Exploitation', 'SecurityRequirements'
+    ].forEach(function(macroMetric) {
+      issue_cvss += "#[CVSSv4." + macroMetric + "]#\n"
+      issue_cvss += cvssMacroVectorValues[that.app.macroVector()[cvssMacroVectorDetails[macroMetric]]] + "\n\n"
+    });
+    issue_cvss += "#[CVSSv4.BaseExploitableAttackVector]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['AV']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseExploitableAttackComplexity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['AC']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseExploitableAttackRequirements]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['AT']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseExploitablePrivilegesRequired]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['PR']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseExploitableUserInteraction]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['UI']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseVulnerableConfidentiality]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['VC']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseVulnerableIntegrity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['VI']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseVulnerableAvailability]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['VA']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseSubsequentConfidentiality]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['SC']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseSubsequentIntegrity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['SI']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseSubsequentAvailability]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['SA']}\n\n`
+    issue_cvss += "#[CVSSv4.SupplementalSafety]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['S']}\n\n`
+    issue_cvss += "#[CVSSv4.SupplementalAutomatable]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['AU']}\n\n`
+    issue_cvss += "#[CVSSv4.SupplementalRecovery]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['R']}\n\n`
+    issue_cvss += "#[CVSSv4.SupplementalValueDensity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['V']}\n\n`
+    issue_cvss += "#[CVSSv4.SupplementalVulnerabilityResponseEffort]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['RE']}\n\n`
+    issue_cvss += "#[CVSSv4.SupplementalProviderUrgency]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['U']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalExploitabilityAttackVector]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MAV']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalExploitabilityAttackComplexity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MAC']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalExploitabilityAttackRequirements]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MAT']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalExploitabilityPrivilegesRequired]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MPR']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalExploitabilityUserInteraction]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MUI']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalVulnerableConfidentiality]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MVC']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalVulnerableIntegrity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MVI']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalVulnerableAvailability]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MVA']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalSubsequentConfidentiality]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MSC']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalSubsequentIntegrity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MSI']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalSubsequentAvailability]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MSA']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalConfidentialityRequirements]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['CR']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalIntegrityRequirements]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['IR']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalAvailabilityRequirements]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['AR']}\n\n`
+    issue_cvss += "#[CVSSv4.ThreatExploitMaturity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['E']}\n\n`
+    $('[data-behavior=cvss4-result-text] textarea').val(issue_cvss)
+    $('[data-behavior=cvss4-result]').html(this.app.score() + ' (' + this.app.qualScore() + ')')
+  }
+}