dradis-calculator_cvss 3.8.0 → 3.9.0

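--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 882c1a92bcc32700537c98c25b437a3404fe470c
- data.tar.gz: 9eb58d415b4009b0460471544a181dd5a5257140
+ metadata.gz: 9059cc506241b4850a98aa6b6c0e7fb83cb6353b
+ data.tar.gz: b71d798d1c1536ce2874746c924c8ccc6246e59e
  SHA512:
- metadata.gz: 41a053eefb8b52dbe1aada595eb4a6b18c4c320fc5ec93efc1fb2d9d323599d1841156261336462b64a08dcd6ede4c9a4951e0571f7373e27a09e9242515e1da
- data.tar.gz: 17088c8a4aea65e0dd78e615106c7660d7eed3560a275eaa46a97bd2e2038eaad3c2ec2b8362a503d7d2d07ed4695ae798a31e86771cc9d14535a6e5b03a444e
+ metadata.gz: e6bec56423eaf8e4a3de6a265a3ad7ddc002d6960656af9c40942887dd02c5b69d99870e8193bf6dfaa96095145049778bbc1c0997b9288526e17ecd76ca7340
+ data.tar.gz: 8ca39f08a7acc81f264d8f1eeedc1894545b1957d13e992920a1b020cd3c2f7db5bf1d26ca9d96e3960e1fe57e488fbd8004869e34972594c84a6381e6d89ab9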
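--- a/data/.gitignore
+++ b/data/.gitignore
@@ -1,3 +1,5 @@
+ # Random
+ .DS_Store
 
  # Bundler config
  Gemfile.lock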
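--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+ ## Dradis Framework 3.9 (January, 2018) ##
+
+ * Add metric-specific fields to calculator output (v3.8.1)
+
  ## Dradis Framework 3.8 (September, 2017) ##
 
  * No changes.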
@@ -56,6 +56,27 @@
56
56
  issue_cvss += "#{output.environmentalMetricScore}\n\n"
57
57
  issue_cvss += "#[CVSSv3.EnvironmentalSeverity]#\n"
58
58
  issue_cvss += "#{output.environmentalSeverity}\n\n"
59
+
60
+ issue_cvss += "#[CVSSv3.BaseAttackVector]#\n"
61
+ issue_cvss += "#{output.baseAttackVector}\n\n"
62
+ issue_cvss += "#[CVSSv3.BaseAttackComplexity]#\n"
63
+ issue_cvss += "#{output.baseAttackComplexity}\n\n"
64
+ issue_cvss += "#[CVSSv3.BasePrivilegesRequired]#\n"
65
+ issue_cvss += "#{output.basePrivilegesRequired}\n\n"
66
+ issue_cvss += "#[CVSSv3.BaseUserInteraction]#\n"
67
+ issue_cvss += "#{output.baseUserInteraction}\n\n"
68
+ issue_cvss += "#[CVSSv3.BaseScope]#\n"
69
+ issue_cvss += "#{output.baseScope}\n\n"
70
+ issue_cvss += "#[CVSSv3.BaseConfidentiality]#\n"
71
+ issue_cvss += "#{output.baseConfidentiality}\n\n"
72
+ issue_cvss += "#[CVSSv3.BaseIntegrity]#\n"
73
+ issue_cvss += "#{output.baseIntegrity}\n\n"
74
+ issue_cvss += "#[CVSSv3.BaseAvailability]#\n"
75
+ issue_cvss += "#{output.baseAvailability}\n\n"
76
+ issue_cvss += "#[CVSSv3.EnvironmentalConfidentialityRequirement]#\n"
77
+ issue_cvss += "#{output.environmentalConfidentialityRequirement}\n\n"
78
+ issue_cvss += "#[CVSSv3.EnvironmentalIntegrityRequirement]#\n"
79
+ issue_cvss += "#{output.environmentalIntegrityRequirement}\n\n"
59
80
  $('#blob').text(issue_cvss)
60
81
  else
61
82
  if output.errorType == 'MissingBaseMetric'
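Review bot: The added per-metric output covers the Confidentiality and Integrity Requirement but has no Availability Requirement entry, so the third environmental requirement that feeds the environmental score is never written into the issue text. The same gap appears in the object returned by `CVSS.calculateCVSSFromMetrics` and in the `<pre>` template's placeholder list. If the omission is not intentional, add `issue_cvss += "#[CVSSv3.EnvironmentalAvailabilityRequirement]#\n"` and `issue_cvss += "#{output.environmentalAvailabilityRequirement}\n\n"` here, with a matching `environmentalAvailabilityRequirement` key in the calculator result. The enclosing block starts and ends outside the hunk.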
@@ -352,13 +352,22 @@ CVSS.calculateCVSSFromMetrics = function (
352
352
  success: true,
353
353
  baseMetricScore: baseScore.toFixed(1),
354
354
  baseSeverity: CVSS.severityRating( baseScore.toFixed(1) ),
355
-
356
355
  temporalMetricScore: temporalScore.toFixed(1),
357
356
  temporalSeverity: CVSS.severityRating( temporalScore.toFixed(1) ),
358
-
359
357
  environmentalMetricScore: envScore.toFixed(1),
360
358
  environmentalSeverity: CVSS.severityRating( envScore.toFixed(1) ),
361
359
 
360
+ baseAttackVector: CVSS.XML_MetricNames["MAV"][AttackVector],
361
+ baseAttackComplexity: CVSS.XML_MetricNames["MAC"][AttackComplexity],
362
+ basePrivilegesRequired: CVSS.XML_MetricNames["MPR"][PrivilegesRequired],
363
+ baseUserInteraction: CVSS.XML_MetricNames["MUI"][UserInteraction],
364
+ baseScope: CVSS.XML_MetricNames["MS"][Scope],
365
+ baseConfidentiality: CVSS.XML_MetricNames["MCIA"][Confidentiality],
366
+ baseIntegrity: CVSS.XML_MetricNames["MCIA"][Integrity],
367
+ baseAvailability: CVSS.XML_MetricNames["MCIA"][Availability],
368
+ environmentalConfidentialityRequirement: CVSS.XML_MetricNames["CIAR"][ConfidentialityRequirement || "X"],
369
+ environmentalIntegrityRequirement: CVSS.XML_MetricNames["CIAR"][IntegrityRequirement || "X"],
370
+
362
371
  vectorString: vectorString
363
372
  };
364
373
  };
@@ -483,17 +492,17 @@ CVSS.severityRating = function (score) {
483
492
  // because the latter is the same as the former, except it also includes a "NOT_DEFINED" value.
484
493
 
485
494
  CVSS.XML_MetricNames = {
486
- E: { X: "NOT_DEFINED", U: "UNPROVEN", P: "PROOF_OF_CONCEPT", F: "FUNCTIONAL", H: "HIGH"},
487
- RL: { X: "NOT_DEFINED", O: "OFFICIAL_FIX", T: "TEMPORARY_FIX", W: "WORKAROUND", U: "UNAVAILABLE"},
488
- RC: { X: "NOT_DEFINED", U: "UNKNOWN", R: "REASONABLE", C: "CONFIRMED"},
489
-
490
- CIAR: { X: "NOT_DEFINED", L: "LOW", M: "MEDIUM", H: "HIGH"}, // CR, IR and AR use the same metric names
491
- MAV: { N: "NETWORK", A: "ADJACENT_NETWORK", L: "LOCAL", P: "PHYSICAL", X: "NOT_DEFINED" },
492
- MAC: { H: "HIGH", L: "LOW", X: "NOT_DEFINED" },
493
- MPR: { N: "NONE", L: "LOW", H: "HIGH", X: "NOT_DEFINED" },
494
- MUI: { N: "NONE", R: "REQUIRED", X: "NOT_DEFINED" },
495
- MS: { U: "UNCHANGED", C: "CHANGED", X: "NOT_DEFINED" },
496
- MCIA: { N: "NONE", L: "LOW", H: "HIGH", X: "NOT_DEFINED" } // C, I and A use the same metric names
495
+ E: { X: "Not Defined", U: "Unproven", P: "Proof of Concept", F: "Functional", H: "High"},
496
+ RL: { X: "Not Defined", O: "Official Fix", T: "Temporary Fix", W: "Workaround", U: "Unavailable"},
497
+ RC: { X: "Not Defined", U: "Unknown", R: "Reasonable", C: "Confirmed"},
498
+
499
+ CIAR: { X: "Not Defined", L: "Low", M: "Medium", H: "High"}, // CR, IR and AR use the same metric names
500
+ MAV: { N: "Network", A: "Adjacent Network", L: "Local", P: "Physical", X: "Not Defined" },
501
+ MAC: { H: "High", L: "Low", X: "Not Defined" },
502
+ MPR: { N: "None", L: "Low", H: "High", X: "Not Defined" },
503
+ MUI: { N: "None", R: "Required", X: "Not Defined" },
504
+ MS: { U: "Unchanged", C: "Changed", X: "Not Defined" },
505
+ MCIA: { N: "None", L: "Low", H: "High", X: "Not Defined" } // C, I and A use the same metric names
497
506
  };
498
507
 
499
508
 
@@ -589,7 +598,7 @@ CVSS.generateXMLFromMetrics = function (
589
598
  }
590
599
 
591
600
  var xmlOutput = xmlTemplate;
592
- xmlOutput = xmlOutput.replace ("__AttackVector__", CVSS.XML_MetricNames["MAV"][AttackVector]);
601
+ xmlOutput = xmlOutput.replace ("__AttackVector__", CVSS.XML_MetricNames["MAC"][AttackVector]);
593
602
  xmlOutput = xmlOutput.replace ("__AttackComplexity__", CVSS.XML_MetricNames["MAC"][AttackComplexity]);
594
603
  xmlOutput = xmlOutput.replace ("__PrivilegesRequired__", CVSS.XML_MetricNames["MPR"][PrivilegesRequired]);
595
604
  xmlOutput = xmlOutput.replace ("__UserInteraction__", CVSS.XML_MetricNames["MUI"][UserInteraction]);
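Review bot: The new lookup for `__AttackVector__` reads `CVSS.XML_MetricNames["MAC"]`, which is the Attack Complexity table and has only the keys `H`, `L` and `X`. Attack Vector values `N`, `A` and `P` will therefore resolve to `undefined`, and `L` will be reported as "Low" rather than "Local", so the generated XML misstates how exposed a finding is. The line should stay `xmlOutput = xmlOutput.replace ("__AttackVector__", CVSS.XML_MetricNames["MAV"][AttackVector]);`. Separately, the table in the preceding hunk now holds display strings such as "Proof of Concept" instead of the upper-case tokens, which presumably changes every value this function writes into the XML; a separate display-name table would avoid that if XML consumers expect the old tokens. `generateXMLFromMetrics` starts and ends outside the hunk.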
@@ -152,10 +152,12 @@
152
152
  <div class="span6">
153
153
  <h3 title="This metric reflects the context by which vulnerability exploitation is possible. The Base Score increases the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component.">Mod. Attack Vector (MAV)</h3>
154
154
  <input type="hidden" id="mav" />
155
- <div class="btn-group" data-toggle="buttons-radio">
155
+ <div class="btn-group-vertical" data-toggle="buttons-radio">
156
156
  <button type="button" class="btn btn-med active" name="mav" value="X" title="Use the value assigned to the corresponding Base Score metric.">Not Defined (X) <i class="fa fa-question-circle-o" aria-hidden="true"></i></button>
157
157
  <button type="button" class="btn btn-med" name="mav" value="N" title="A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away.">Network (N) <i class="fa fa-question-circle-o" aria-hidden="true"></i></button>
158
158
  <button type="button" class="btn btn-med" name="mav" value="A" title="A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router).">Adjacent (A) <i class="fa fa-question-circle-o" aria-hidden="true"></i></button>
159
+ </div>
160
+ <div class="btn-group-vertical" data-toggle="buttons-radio">
159
161
  <button type="button" class="btn btn-med" name="mav" value="L" title="A vulnerability exploitable with local access means that the vulnerable component is not bound to the network stack, and the attacker’s path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file.">Local (L) <i class="fa fa-question-circle-o" aria-hidden="true"></i></button>
160
162
  <button type="button" class="btn btn-med" name="mav" value="P" title="A vulnerability exploitable with physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief or persistent.">Physical (P) <i class="fa fa-question-circle-o" aria-hidden="true"></i></button>
161
163
  </div>
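Review bot: Splitting the MAV buttons across two `btn-group-vertical` containers that each carry `data-toggle="buttons-radio"` may let one button in each container stay active at the same time, because Bootstrap's radio toggle clears `.active` only inside the closest container with that attribute. Unless the page's own click handler (not visible here) clears the sibling group, the highlighted choice and the hidden `#mav` value can disagree, and an analyst could record a score for a different vector than the one shown. Wrapping both columns in one element that carries `data-toggle="buttons-radio"`, with the two `btn-group-vertical` divs inside it and without the attribute, would keep a single selection. The enclosing `span6` div continues outside the hunk.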
@@ -247,6 +249,18 @@ N/A
247
249
 
248
250
  #[CVSSv3.EnvironmentalSeverity]#
249
251
  N/A
252
+
253
+ #[CVSSv3.BaseAttackVector]#
254
+ #[CVSSv3.BaseAttackComplexity]#
255
+ #[CVSSv3.BasePrivilegesRequired]#
256
+ #[CVSSv3.BaseUserInteraction]#
257
+ #[CVSSv3.BaseScope]#
258
+ #[CVSSv3.BaseConfidentiality]#
259
+ #[CVSSv3.BaseIntegrity]#
260
+ #[CVSSv3.BaseAvailability]#
261
+ #[CVSSv3.EnvironmentalConfidentialityRequirement]#
262
+ #[CVSSv3.EnvironmentalIntegrityRequirement]#
263
+
250
264
  </pre>
251
265
  </div>
252
266
  </div>
@@ -9,7 +9,7 @@ module Dradis
9
9
 
10
10
  module VERSION
11
11
  MAJOR = 3
12
- MINOR = 8
12
+ MINOR = 9
13
13
  TINY = 0
14
14
  PRE = nil
15
15
 
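--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: dradis-calculator_cvss
  version: !ruby/object:Gem::Version
- version: 3.8.0
+ version: 3.9.0
  platform: ruby
  authors:
  - Daniel Martin
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2017-09-27 00:00:00.000000000 Z
+ date: 2018-01-08 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: dradis-plugins
@@ -99,7 +99,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements: []
  rubyforge_project:
- rubygems_version: 2.6.8
+ rubygems_version: 2.4.5
  signing_key:
  specification_version: 4
  summary: This plugin adds a CVSSv3 score calculator to Dradis.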