dradis-calculator_cvss 4.10.0 → 4.12.0
- checksums.yaml +4 -4
- data/.github/pull_request_template.md +12 -3
- data/CHANGELOG.md +6 -0
- data/README.md +2 -2
- data/app/assets/javascripts/dradis/plugins/calculators/cvss/cvss.js +32 -0
- data/app/assets/javascripts/dradis/plugins/calculators/cvss/manifests/application.js +16 -5
- data/app/assets/javascripts/dradis/plugins/calculators/cvss/manifests/tylium.js +16 -5
- data/app/assets/javascripts/dradis/plugins/calculators/cvss/{calculator.js.coffee → v3/calculator.js.coffee} +10 -32
- data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/calculator.js +168 -0
- data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/vendor/app.js +435 -0
- data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/vendor/cvss_config.js +858 -0
- data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/vendor/cvss_details.js +18 -0
- data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/vendor/cvss_lookup.js +275 -0
- data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/vendor/max_composed.js +35 -0
- data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/vendor/max_severity.js +30 -0
- data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/vendor/metrics.js +42 -0
- data/app/assets/stylesheets/dradis/plugins/calculators/cvss/manifests/application.css.scss +2 -1
- data/app/assets/stylesheets/dradis/plugins/calculators/cvss/manifests/tylium.scss +1 -2
- data/app/controllers/dradis/plugins/calculators/cvss/base_controller.rb +3 -1
- data/app/controllers/dradis/plugins/calculators/cvss/issues_controller.rb +35 -9
- data/app/models/dradis/plugins/calculators/cvss/v4.rb +89 -0
- data/app/views/dradis/plugins/calculators/cvss/_version_menu.html.erb +8 -0
- data/app/views/dradis/plugins/calculators/cvss/base/index.html.erb +9 -70
- data/app/views/dradis/plugins/calculators/cvss/base/v3/_base.html.erb +123 -0
- data/app/views/dradis/plugins/calculators/cvss/base/v3/_environmental.html.erb +192 -0
- data/app/views/dradis/plugins/calculators/cvss/base/v3/_index.html.erb +69 -0
- data/app/views/dradis/plugins/calculators/cvss/base/v3/_temporal.html.erb +67 -0
- data/app/views/dradis/plugins/calculators/cvss/base/v4/_base.html.erb +143 -0
- data/app/views/dradis/plugins/calculators/cvss/base/v4/_environmental.html.erb +220 -0
- data/app/views/dradis/plugins/calculators/cvss/base/v4/_index.html.erb +82 -0
- data/app/views/dradis/plugins/calculators/cvss/base/v4/_supplemental.html.erb +85 -0
- data/app/views/dradis/plugins/calculators/cvss/base/v4/_threat.html.erb +19 -0
- data/app/views/dradis/plugins/calculators/cvss/issues/_show-content.html.erb +21 -7
- data/app/views/dradis/plugins/calculators/cvss/issues/edit/_v3.html.erb +91 -0
- data/app/views/dradis/plugins/calculators/cvss/issues/edit/_v4.html.erb +103 -0
- data/app/views/dradis/plugins/calculators/cvss/issues/edit.html.erb +3 -93
- data/lib/dradis/plugins/calculators/cvss/gem_version.rb +1 -1
- metadata +34 -17
- data/app/assets/stylesheets/dradis/plugins/calculators/cvss/_version_switch.scss +0 -26
- data/app/views/dradis/plugins/calculators/cvss/_version_switch.html.erb +0 -10
- data/app/views/dradis/plugins/calculators/cvss/base/_base.html.erb +0 -123
- data/app/views/dradis/plugins/calculators/cvss/base/_environmental.html.erb +0 -192
- data/app/views/dradis/plugins/calculators/cvss/base/_temporal.html.erb +0 -67
- /data/app/assets/javascripts/dradis/plugins/calculators/cvss/{vendor → v3/vendor}/cvsscalc30.js +0 -0
- /data/app/assets/javascripts/dradis/plugins/calculators/cvss/{vendor → v3/vendor}/cvsscalc30_helptext.js +0 -0
- /data/app/assets/javascripts/dradis/plugins/calculators/cvss/{vendor → v3/vendor}/cvsscalc31.js +0 -0
- /data/app/assets/javascripts/dradis/plugins/calculators/cvss/{vendor → v3/vendor}/cvsscalc31_helptext.js +0 -0
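--- /dev/null
+++ b/data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/vendor/cvss_details.js
@@ -0,0 +1,18 @@
+// Copyright FIRST, Red Hat, and contributors
+// SPDX-License-Identifier: BSD-2-Clause
+
+cvssMacroVectorDetails = {
+"Exploitability": 0,
+"Complexity": 1,
+"VulnerableSystem": 2,
+"SubsequentSystem": 3,
+"Exploitation": 4,
+"SecurityRequirements": 5
+}
+
+cvssMacroVectorValues = {
+"0": "High",
+"1": "Medium",
+"2": "Low",
+"3": "None",
+}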
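--- /dev/null
+++ b/data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/vendor/cvss_lookup.js
@@ -0,0 +1,275 @@
+// Copyright FIRST, Red Hat, and contributors
+// SPDX-License-Identifier: BSD-2-Clause
+
+cvssLookup_global = {
+"000000": 10,
+"000001": 9.9,
+"000010": 9.8,
+"000011": 9.5,
+"000020": 9.5,
+"000021": 9.2,
+"000100": 10,
+"000101": 9.6,
+"000110": 9.3,
+"000111": 8.7,
+"000120": 9.1,
+"000121": 8.1,
+"000200": 9.3,
+"000201": 9,
+"000210": 8.9,
+"000211": 8,
+"000220": 8.1,
+"000221": 6.8,
+"001000": 9.8,
+"001001": 9.5,
+"001010": 9.5,
+"001011": 9.2,
+"001020": 9,
+"001021": 8.4,
+"001100": 9.3,
+"001101": 9.2,
+"001110": 8.9,
+"001111": 8.1,
+"001120": 8.1,
+"001121": 6.5,
+"001200": 8.8,
+"001201": 8,
+"001210": 7.8,
+"001211": 7,
+"001220": 6.9,
+"001221": 4.8,
+"002001": 9.2,
+"002011": 8.2,
+"002021": 7.2,
+"002101": 7.9,
+"002111": 6.9,
+"002121": 5,
+"002201": 6.9,
+"002211": 5.5,
+"002221": 2.7,
+"010000": 9.9,
+"010001": 9.7,
+"010010": 9.5,
+"010011": 9.2,
+"010020": 9.2,
+"010021": 8.5,
+"010100": 9.5,
+"010101": 9.1,
+"010110": 9,
+"010111": 8.3,
+"010120": 8.4,
+"010121": 7.1,
+"010200": 9.2,
+"010201": 8.1,
+"010210": 8.2,
+"010211": 7.1,
+"010220": 7.2,
+"010221": 5.3,
+"011000": 9.5,
+"011001": 9.3,
+"011010": 9.2,
+"011011": 8.5,
+"011020": 8.5,
+"011021": 7.3,
+"011100": 9.2,
+"011101": 8.2,
+"011110": 8,
+"011111": 7.2,
+"011120": 7,
+"011121": 5.9,
+"011200": 8.4,
+"011201": 7,
+"011210": 7.1,
+"011211": 5.2,
+"011220": 5,
+"011221": 3,
+"012001": 8.6,
+"012011": 7.5,
+"012021": 5.2,
+"012101": 7.1,
+"012111": 5.2,
+"012121": 2.9,
+"012201": 6.3,
+"012211": 2.9,
+"012221": 1.7,
+"100000": 9.8,
+"100001": 9.5,
+"100010": 9.4,
+"100011": 8.7,
+"100020": 9.1,
+"100021": 8.1,
+"100100": 9.4,
+"100101": 8.9,
+"100110": 8.6,
+"100111": 7.4,
+"100120": 7.7,
+"100121": 6.4,
+"100200": 8.7,
+"100201": 7.5,
+"100210": 7.4,
+"100211": 6.3,
+"100220": 6.3,
+"100221": 4.9,
+"101000": 9.4,
+"101001": 8.9,
+"101010": 8.8,
+"101011": 7.7,
+"101020": 7.6,
+"101021": 6.7,
+"101100": 8.6,
+"101101": 7.6,
+"101110": 7.4,
+"101111": 5.8,
+"101120": 5.9,
+"101121": 5,
+"101200": 7.2,
+"101201": 5.7,
+"101210": 5.7,
+"101211": 5.2,
+"101220": 5.2,
+"101221": 2.5,
+"102001": 8.3,
+"102011": 7,
+"102021": 5.4,
+"102101": 6.5,
+"102111": 5.8,
+"102121": 2.6,
+"102201": 5.3,
+"102211": 2.1,
+"102221": 1.3,
+"110000": 9.5,
+"110001": 9,
+"110010": 8.8,
+"110011": 7.6,
+"110020": 7.6,
+"110021": 7,
+"110100": 9,
+"110101": 7.7,
+"110110": 7.5,
+"110111": 6.2,
+"110120": 6.1,
+"110121": 5.3,
+"110200": 7.7,
+"110201": 6.6,
+"110210": 6.8,
+"110211": 5.9,
+"110220": 5.2,
+"110221": 3,
+"111000": 8.9,
+"111001": 7.8,
+"111010": 7.6,
+"111011": 6.7,
+"111020": 6.2,
+"111021": 5.8,
+"111100": 7.4,
+"111101": 5.9,
+"111110": 5.7,
+"111111": 5.7,
+"111120": 4.7,
+"111121": 2.3,
+"111200": 6.1,
+"111201": 5.2,
+"111210": 5.7,
+"111211": 2.9,
+"111220": 2.4,
+"111221": 1.6,
+"112001": 7.1,
+"112011": 5.9,
+"112021": 3,
+"112101": 5.8,
+"112111": 2.6,
+"112121": 1.5,
+"112201": 2.3,
+"112211": 1.3,
+"112221": 0.6,
+"200000": 9.3,
+"200001": 8.7,
+"200010": 8.6,
+"200011": 7.2,
+"200020": 7.5,
+"200021": 5.8,
+"200100": 8.6,
+"200101": 7.4,
+"200110": 7.4,
+"200111": 6.1,
+"200120": 5.6,
+"200121": 3.4,
+"200200": 7,
+"200201": 5.4,
+"200210": 5.2,
+"200211": 4,
+"200220": 4,
+"200221": 2.2,
+"201000": 8.5,
+"201001": 7.5,
+"201010": 7.4,
+"201011": 5.5,
+"201020": 6.2,
+"201021": 5.1,
+"201100": 7.2,
+"201101": 5.7,
+"201110": 5.5,
+"201111": 4.1,
+"201120": 4.6,
+"201121": 1.9,
+"201200": 5.3,
+"201201": 3.6,
+"201210": 3.4,
+"201211": 1.9,
+"201220": 1.9,
+"201221": 0.8,
+"202001": 6.4,
+"202011": 5.1,
+"202021": 2,
+"202101": 4.7,
+"202111": 2.1,
+"202121": 1.1,
+"202201": 2.4,
+"202211": 0.9,
+"202221": 0.4,
+"210000": 8.8,
+"210001": 7.5,
+"210010": 7.3,
+"210011": 5.3,
+"210020": 6,
+"210021": 5,
+"210100": 7.3,
+"210101": 5.5,
+"210110": 5.9,
+"210111": 4,
+"210120": 4.1,
+"210121": 2,
+"210200": 5.4,
+"210201": 4.3,
+"210210": 4.5,
+"210211": 2.2,
+"210220": 2,
+"210221": 1.1,
+"211000": 7.5,
+"211001": 5.5,
+"211010": 5.8,
+"211011": 4.5,
+"211020": 4,
+"211021": 2.1,
+"211100": 6.1,
+"211101": 5.1,
+"211110": 4.8,
+"211111": 1.8,
+"211120": 2,
+"211121": 0.9,
+"211200": 4.6,
+"211201": 1.8,
+"211210": 1.7,
+"211211": 0.7,
+"211220": 0.8,
+"211221": 0.2,
+"212001": 5.3,
+"212011": 2.4,
+"212021": 1.4,
+"212101": 2.4,
+"212111": 1.2,
+"212121": 0.5,
+"212201": 1,
+"212211": 0.3,
+"212221": 0.1,
+}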
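--- /dev/null
+++ b/data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/vendor/max_composed.js
@@ -0,0 +1,35 @@
+// Copyright FIRST, Red Hat, and contributors
+// SPDX-License-Identifier: BSD-2-Clause
+
+maxComposed = {
+// EQ1
+"eq1": {
+0: ["AV:N/PR:N/UI:N/"],
+1: ["AV:A/PR:N/UI:N/", "AV:N/PR:L/UI:N/", "AV:N/PR:N/UI:P/"],
+2: ["AV:P/PR:N/UI:N/", "AV:A/PR:L/UI:P/"]
+},
+// EQ2
+"eq2": {
+0: ["AC:L/AT:N/"],
+1: ["AC:H/AT:N/", "AC:L/AT:P/"]
+},
+// EQ3+EQ6
+"eq3": {
+0: { "0": ["VC:H/VI:H/VA:H/CR:H/IR:H/AR:H/"], "1": ["VC:H/VI:H/VA:L/CR:M/IR:M/AR:H/", "VC:H/VI:H/VA:H/CR:M/IR:M/AR:M/"] },
+1: { "0": ["VC:L/VI:H/VA:H/CR:H/IR:H/AR:H/", "VC:H/VI:L/VA:H/CR:H/IR:H/AR:H/"], "1": ["VC:L/VI:H/VA:L/CR:H/IR:M/AR:H/", "VC:L/VI:H/VA:H/CR:H/IR:M/AR:M/", "VC:H/VI:L/VA:H/CR:M/IR:H/AR:M/", "VC:H/VI:L/VA:L/CR:M/IR:H/AR:H/", "VC:L/VI:L/VA:H/CR:H/IR:H/AR:M/"] },
+2: { "1": ["VC:L/VI:L/VA:L/CR:H/IR:H/AR:H/"] },
+},
+// EQ4
+"eq4": {
+0: ["SC:H/SI:S/SA:S/"],
+1: ["SC:H/SI:H/SA:H/"],
+2: ["SC:L/SI:L/SA:L/"]
+
+},
+// EQ5
+"eq5": {
+0: ["E:A/"],
+1: ["E:P/"],
+2: ["E:U/"],
+},
+}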
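--- /dev/null
+++ b/data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/vendor/max_severity.js
@@ -0,0 +1,30 @@
+// Copyright FIRST, Red Hat, and contributors
+// SPDX-License-Identifier: BSD-2-Clause
+
+// max severity distances in EQs MacroVectors (+1)
+maxSeverity = {
+"eq1": {
+0: 1,
+1: 4,
+2: 5
+},
+"eq2": {
+0: 1,
+1: 2
+},
+"eq3eq6": {
+0: { 0: 7, 1: 6 },
+1: { 0: 8, 1: 8 },
+2: { 1: 10 }
+},
+"eq4": {
+0: 6,
+1: 5,
+2: 4
+},
+"eq5": {
+0: 1,
+1: 1,
+2: 1
+},
+}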
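--- /dev/null
+++ b/data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/vendor/metrics.js
@@ -0,0 +1,42 @@
+// Copyright FIRST, Red Hat, and contributors
+// SPDX-License-Identifier: BSD-2-Clause
+
+// CVSS v4.0 metrics ordering and valid values
+expectedMetricOrder = {
+// Base (11 metrics)
+"AV": ["N", "A", "L", "P"],
+"AC": ["L", "H"],
+"AT": ["N", "P"],
+"PR": ["N", "L", "H"],
+"UI": ["N", "P", "A"],
+"VC": ["H", "L", "N"],
+"VI": ["H", "L", "N"],
+"VA": ["H", "L", "N"],
+"SC": ["H", "L", "N"],
+"SI": ["H", "L", "N"],
+"SA": ["H", "L", "N"],
+// Threat (1 metric)
+"E": ["X", "A", "P", "U"],
+// Environmental (14 metrics)
+"CR": ["X", "H", "M", "L"],
+"IR": ["X", "H", "M", "L"],
+"AR": ["X", "H", "M", "L"],
+"MAV": ["X", "N", "A", "L", "P"],
+"MAC": ["X", "L", "H"],
+"MAT": ["X", "N", "P"],
+"MPR": ["X", "N", "L", "H"],
+"MUI": ["X", "N", "P", "A"],
+"MVC": ["X", "H", "L", "N"],
+"MVI": ["X", "H", "L", "N"],
+"MVA": ["X", "H", "L", "N"],
+"MSC": ["X", "H", "L", "N"],
+"MSI": ["X", "S", "H", "L", "N"],
+"MSA": ["X", "S", "H", "L", "N"],
+// Supplemental (6 metrics)
+"S": ["X", "N", "P"],
+"AU": ["X", "N", "Y"],
+"R": ["X", "A", "U", "I"],
+"V": ["X", "D", "C"],
+"RE": ["X", "L", "M", "H"],
+"U": ["X", "Clear", "Green", "Amber", "Red"],
+}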
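--- a/data/app/assets/stylesheets/dradis/plugins/calculators/cvss/manifests/tylium.scss
+++ b/data/app/assets/stylesheets/dradis/plugins/calculators/cvss/manifests/tylium.scss
@@ -1,2 +1 @@
-@import
-@import "dradis/plugins/calculators/cvss/version_switch"
+@import 'tylium/variables';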
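--- a/data/app/controllers/dradis/plugins/calculators/cvss/base_controller.rb
+++ b/data/app/controllers/dradis/plugins/calculators/cvss/base_controller.rb
@@ -2,7 +2,9 @@ module Dradis::Plugins::Calculators::CVSS
 # Does it matter that we're inheriting from the no-frills controller?
 class BaseController < ActionController::Base
 def index
-@
+@cvss3_vector = Hash.new { |h, k| h[k] = 'X' }
+@cvss4_vector = Dradis::Plugins::Calculators::CVSS::V4::DEFAULT_CVSS_V4.clone
+@cvss_version = '4.0'
 end
 end
 end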
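--- a/data/app/controllers/dradis/plugins/calculators/cvss/issues_controller.rb
+++ b/data/app/controllers/dradis/plugins/calculators/cvss/issues_controller.rb
@@ -1,10 +1,10 @@
 module Dradis::Plugins::Calculators::CVSS
 # Does it matter that we're inheriting from the no-frills controller?
 class IssuesController < ::IssuesController
+before_action :set_cvss_version, only: :edit
 before_action :set_cvss_vector, only: :edit
 
-def edit
-end
+def edit; end
 
 def update
 cvss_fields = Hash[ *params[:cvss_fields].scan(FieldParser::FIELDS_REGEX).flatten.map(&:strip) ]
@@ -19,19 +19,45 @@ module Dradis::Plugins::Calculators::CVSS
 end
 end
 
+private
+
 def set_cvss_vector
 # Undefined Temporal and Environmental default to X
-@
-
+@cvss3_vector = Hash.new { |h, k| h[k] = 'X' }
+@cvss4_vector = Dradis::Plugins::Calculators::CVSS::V4::DEFAULT_CVSS_V4.clone
+field_value_v3 = @issue.fields['CVSSv3.Vector'] || @issue.fields['CVSSv3Vector']
+field_value_v4 = @issue.fields['CVSSv4.BaseVector']
 
 # If no vector is set yet, that's OK
-return if
+return if field_value_v3.blank? && field_value_v4.blank?
 
-if
-
-
-
+if field_value_v3
+if field_value_v3 =~ V3::VECTOR_REGEXP
+field_value_v3.split('/').each { |pair| @cvss3_vector.store *pair.split(':') }
+else
+redirect_to main_app.project_issue_path(current_project, @issue), alert: 'The format of the CVSSv3 Vector field is invalid.'
+end
 end
+
+if field_value_v4
+if field_value_v4.starts_with?('CVSS:4.0')
+field_value_v4.split('/').each { |pair| @cvss4_vector.store *pair.split(':') }
+else
+redirect_to main_app.project_issue_path(current_project, @issue), alert: 'The format of the CVSSv4 Vector field is invalid.'
+end
+end
+end
+
+def set_cvss_version
+@cvss_version =
+case
+when @issue.fields['CVSSv3.Vector']&.include?('CVSS:3.1')
+'3.1'
+when @issue.fields['CVSSv3.Vector']&.include?('CVSS:3.0')
+'3.0'
+else
+'4.0'
+end
 end
 end
 end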
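Review bot: The CVSSv4 branch of set_cvss_vector validates far less than the v3 branch: after only `starts_with?('CVSS:4.0')` it runs `field_value_v4.split('/').each { |pair| @cvss4_vector.store *pair.split(':') }`, so a segment without a colon makes `store` raise ArgumentError (a 500 instead of the alert the v3 branch produces), and every key in the field — including the leading `CVSS` segment and any metric name not in DEFAULT_CVSS_V4 — is written into the hash the view renders. Mirror the v3 branch by matching the whole vector against a v4 regexp constant alongside `V3::VECTOR_REGEXP`, or split each pair with `key, value = pair.split(':', 2)` and only assign when `@cvss4_vector.key?(key)`, redirecting with the existing alert otherwise. Separately, set_cvss_version reads only `@issue.fields['CVSSv3.Vector']` while set_cvss_vector also accepts the legacy `@issue.fields['CVSSv3Vector']`, so an issue carrying only the legacy field loads a v3 vector but has 4.0 selected in the version menu; use the same `||` fallback in both methods. The `update` action on the first hunk continues outside the hunk.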
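--- /dev/null
+++ b/data/app/models/dradis/plugins/calculators/cvss/v4.rb
@@ -0,0 +1,89 @@
+module Dradis::Plugins::Calculators::CVSS
+class V4
+DEFAULT_CVSS_V4 = {
+'AV' => 'N',
+'AC' => 'L',
+'AT' => 'N',
+'PR' => 'N',
+'UI' => 'N',
+'VC' => 'N',
+'VI' => 'N',
+'VA' => 'N',
+'SC' => 'N',
+'SI' => 'N',
+'SA' => 'N',
+'E' => 'X',
+'CR' => 'X',
+'IR' => 'X',
+'AR' => 'X',
+'MAV' => 'X',
+'MAC' => 'X',
+'MAT' => 'X',
+'MPR' => 'X',
+'MUI' => 'X',
+'MVC' => 'X',
+'MVI' => 'X',
+'MVA' => 'X',
+'MSC' => 'X',
+'MSI' => 'X',
+'MSA' => 'X',
+'S' => 'X',
+'AU' => 'X',
+'R' => 'X',
+'V' => 'X',
+'RE' => 'X',
+'U' => 'X'
+}
+
+FIELD_NAMES = %i{
+BaseScore
+BaseSeverity
+
+MacroVector
+Exploitability
+Complexity
+VulnerableSystem
+SubsequentSystem
+Exploitation
+SecurityRequirements
+
+BaseExploitableAttackVector
+BaseExploitableAttackComplexity
+BaseExploitableAttackRequirements
+BaseExploitablePrivilegesRequired
+BaseExploitableUserInteraction
+BaseVulnerableConfidentiality
+BaseVulnerableIntegrity
+BaseVulnerableAvailability
+BaseSubsequentConfidentiality
+BaseSubsequentIntegrity
+BaseSubsequentAvailability
+
+SupplementalSafety
+SupplementalAutomatable
+SupplementalRecovery
+SupplementalValueDensity
+SupplementalVulnerabilityResponseEffort
+SupplementalProviderUrgency
+
+EnvironmentalExploitabilityAttackVector
+EnvironmentalExploitabilityAttackComplexity
+EnvironmentalExploitabilityAttackRequirements
+EnvironmentalExploitabilityPrivilegesRequired
+EnvironmentalExploitabilityUserInteraction
+EnvironmentalVulnerableConfidentiality
+EnvironmentalVulnerableIntegrity
+EnvironmentalVulnerableAvailability
+EnvironmentalSubsequentConfidentiality
+EnvironmentalSubsequentIntegrity
+EnvironmentalSubsequentAvailability
+EnvironmentalConfidentialityRequirements
+EnvironmentalIntegrityRequirements
+EnvironmentalAvailabilityRequirements
+
+ThreatExploitMaturity
+}.freeze
+
+FIELDS = (['CVSSv4.BaseVector'.freeze] + FIELD_NAMES.map { |name| "CVSSv4.#{name}".freeze }).freeze
+end
+end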
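Review bot: DEFAULT_CVSS_V4 is the only constant in this class left unfrozen, unlike `FIELD_NAMES` and `FIELDS`, yet it is shared mutable state that BaseController#index and IssuesController#set_cvss_vector copy and then `store` into; any caller that forgets the copy would mutate the defaults for every later request. Freeze it with `}.freeze`, and because `Hash#clone` carries the frozen flag over (so the later `store` calls would raise), switch those two callers from `DEFAULT_CVSS_V4.clone` to `DEFAULT_CVSS_V4.dup`. A one-line comment above the hash, e.g. `# Per-metric defaults for a CVSS v4.0 vector; callers must dup before mutating`, would make the contract explicit.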
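--- /dev/null
+++ b/data/app/views/dradis/plugins/calculators/cvss/_version_menu.html.erb
@@ -0,0 +1,8 @@
+<div class="d-flex align-items-center justify-content-end gap-2 small">
+<label class="form-label m-0" for="cvss-version">Version:</label>
+<select id="cvss-version" class="form-select" aria-label="cvss version select" data-behavior="cvss-version">
+<option value="40" <%= 'selected' if @cvss_version == '4.0' %>>v4.0</option>
+<option value="31" <%= 'selected' if @cvss_version == '3.1' %>>v3.1</option>
+<option value="30" <%= 'selected' if @cvss_version == '3.0' %>>v3.0</option>
+</select>
+</div>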
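--- a/data/app/views/dradis/plugins/calculators/cvss/base/index.html.erb
+++ b/data/app/views/dradis/plugins/calculators/cvss/base/index.html.erb
@@ -1,78 +1,17 @@
 <%= content_tag :div, class: 'page-header' do %>
-<h1
-
+<h1 class="d-flex align-items-center justify-content-between">
+CVSS score calculator
+<div class="fs-3"><%= render 'dradis/plugins/calculators/cvss/version_menu' %></div>
+</h1>
 <% end %>
 
 <p class="lead">Use this page to calculate the <abbr title="Common Vulnerability Scoring System">CVSS</abbr> score of a given finding.</p>
 
 <p class="alert alert-danger d-none" data-behavior="cvss-error"></p>
 
-<div
-
-
-
-
-</h2>
-<%= render 'dradis/plugins/calculators/cvss/base/base' %>
-
-<h2 data-cvss="temporalMetricGroup_Legend" class="mt-5">
-Temporal: <span id="temporal-score">0</span>
-</h2>
-<%= render 'dradis/plugins/calculators/cvss/base/temporal' %>
-
-<h2 data-cvss="environmentalMetricGroup_Legend" class="mt-5">
-Environmental: <span id="environmental-score">0</span>
-</h2>
-<%= render 'dradis/plugins/calculators/cvss/base/environmental' %>
-</div>
-
-<div class="col-lg-4">
-<textarea name="cvss_fields" rows="52" class="form-control mb-4">#[CVSSv3.Vector]#
-N/A
-
-#[CVSSv3.BaseScore]#
-N/A
-
-#[CVSSv3.BaseSeverity]#
-N/A
-
-#[CVSSv3.TemporalScore]#
-N/A
-
-#[CVSSv3.TemporalSeverity]#
-N/A
-
-#[CVSSv3.EnvironmentalScore]#
-N/A
-
-#[CVSSv3.EnvironmentalSeverity]#
-N/A
-
-#[CVSSv3.BaseAttackVector]#
-#[CVSSv3.BaseAttackComplexity]#
-#[CVSSv3.BasePrivilegesRequired]#
-#[CVSSv3.BaseUserInteraction]#
-#[CVSSv3.BaseScope]#
-#[CVSSv3.BaseConfidentiality]#
-#[CVSSv3.BaseIntegrity]#
-#[CVSSv3.BaseAvailability]#
-
-#[CVSSv3.TemporalExploitCodeMaturity]#
-#[CVSSv3.TemporalRemediationLevel]#
-#[CVSSv3.TemporalReportConfidence]#
-
-#[CVSSv3.EnvironmentalConfidentialityRequirement]#
-#[CVSSv3.EnvironmentalIntegrityRequirement]#
-#[CVSSv3.EnvironmentalAvailabilityRequirement]#
-
-#[CVSSv3.ModifiedAttackVector]#
-#[CVSSv3.ModifiedAttackComplexity]#
-#[CVSSv3.ModifiedPrivilegesRequired]#
-#[CVSSv3.ModifiedUserInteraction]#
-#[CVSSv3.ModifiedScope]#
-#[CVSSv3.ModifiedConfidentiality]#
-#[CVSSv3.ModifiedIntegrity]#
-#[CVSSv3.ModifiedAvailability]#
-</textarea>
-</div>
+<div id="v3-index d-none" data-cvss-version="3">
+<%= render 'dradis/plugins/calculators/cvss/base/v3/index' %>
+</div>
+<div id="v4-index d-none" data-cvss-version="4">
+<%= render 'dradis/plugins/calculators/cvss/base/v4/index' %>
 </div>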
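Review bot: The two new wrapper divs put the hiding class inside the id attribute — `<div id="v3-index d-none" data-cvss-version="3">` and `<div id="v4-index d-none" data-cvss-version="4">` — so the element's id is literally "v3-index d-none", `d-none` is never applied as a class, both calculators render visible at once, and any selector or anchor targeting `#v3-index`/`#v4-index` will not match. Change them to `<div id="v3-index" class="d-none" data-cvss-version="3">` and `<div id="v4-index" class="d-none" data-cvss-version="4">`; whichever script toggles on `data-cvss-version` presumably also needs one of them shown by default, which I cannot confirm from this hunk.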