dradis-calculator_cvss 4.11.0 → 4.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d6acd6e29e8fa4309712a19174e16c7eb93dcb274d5939b66b12dc32f415cafb
-  data.tar.gz: 736e35f1882e65a535b27ec62854310b01ff6366107dc5daf1e2e42d5f9c365e
+  metadata.gz: ea68a10e94cb20e0854d84fa245cfbd8cbf26f6dd3ae9c9c30602667a216856f
+  data.tar.gz: 2883a651f2bd078b4c707a78fd5081dd7dde1294c91bd9ac90e1ff3e0af3495e
 SHA512:
-  metadata.gz: 32069f876d21f11181880564be41c990e41810865e6ecd8a8553e43c37830fa18fae4925f292cca32697e734fe7b7c11896c086cd41865badeb87c3d60656d3e
-  data.tar.gz: fa54b045f546487fc46e9f94a4109f312b3d2ae1d54da87b97ede1e588f45e948c8eea3dcbe815bb31e8208a4c519a9448f99d6bede105459726cc9b8095722f
+  metadata.gz: 97bdfdfc740b2d81b59e5082a2c89e71d261ce40613ad1692484d643c92326bf28797c3dad3aa68cb6110f25493f1403482ade15fa44c081e00699f3dd13f15a
+  data.tar.gz: 3725740d1aa3c93d36d10931e14cd67b755e2c75c0bb974efc9d3684d591b65dd024e01c8666f2e6e60dd66c423c68779110db876dd8e7f55e39bdc9663aedad

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+v4.12.0 (May 2024)
+  - Add CVSS v4 support
+
 v4.11.0 (January 2024)
   - No changes
 

data/app/assets/javascripts/dradis/plugins/calculators/cvss/cvss.js

@@ -0,0 +1,32 @@
+$(document).on('turbolinks:load', function () {
+  if ($('[data-behavior~=cvss-version]').length) {
+    function handleVersionSelection() {
+      var selectedValue = $('[data-behavior~=cvss-version]').val();
+      $('[data-cvss-version]').addClass('d-none');
+      switch (selectedValue) {
+        case '40':
+          $('[data-cvss-version=4]').removeClass('d-none');
+          window.calculator = new CVSS40Calculator();
+          break;
+        case '31':
+          $('[data-cvss-version=3]').removeClass('d-none');
+          window.calculator = new CVSS31Calculator();
+          break;
+        case '30':
+          $('[data-cvss-version=3]').removeClass('d-none');
+          window.calculator = new CVSS30Calculator();
+          break;
+      }
+    }
+    handleVersionSelection();
+    $('[data-behavior~=cvss-error]').addClass('d-none');
+    $('[data-behavior~=cvss-buttons] button').on('click', function () {
+      var $this = $(this);
+      $this.parent().find('button').removeClass('active btn-primary');
+      $this.addClass('active btn-primary');
+      $(`input[name="${$this.attr('name')}"]`).val($this.val());
+      window.calculator.calculate();
+    });
+    $('[data-behavior~=cvss-version]').on('change', handleVersionSelection);
+  }
+});

data/app/assets/javascripts/dradis/plugins/calculators/cvss/manifests/application.js

@@ -3,8 +3,19 @@
 //= require bootstrap
 //= require turbolinks
 
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc30
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc30_helptext
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc31
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc31_helptext
-//= require dradis/plugins/calculators/cvss/calculator
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc30
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc30_helptext
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc31
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc31_helptext
+//= require dradis/plugins/calculators/cvss/v3/calculator
+
+//= require dradis/plugins/calculators/cvss/v4/vendor/app
+//= require dradis/plugins/calculators/cvss/v4/vendor/cvss_config
+//= require dradis/plugins/calculators/cvss/v4/vendor/cvss_details
+//= require dradis/plugins/calculators/cvss/v4/vendor/cvss_lookup
+//= require dradis/plugins/calculators/cvss/v4/vendor/max_composed
+//= require dradis/plugins/calculators/cvss/v4/vendor/max_severity
+//= require dradis/plugins/calculators/cvss/v4/vendor/metrics
+//= require dradis/plugins/calculators/cvss/v4/calculator
+
+//= require dradis/plugins/calculators/cvss/cvss

data/app/assets/javascripts/dradis/plugins/calculators/cvss/manifests/tylium.js

@@ -1,5 +1,16 @@
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc30
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc30_helptext
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc31
-//= require dradis/plugins/calculators/cvss/vendor/cvsscalc31_helptext
-//= require dradis/plugins/calculators/cvss/calculator
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc30
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc30_helptext
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc31
+//= require dradis/plugins/calculators/cvss/v3/vendor/cvsscalc31_helptext
+//= require dradis/plugins/calculators/cvss/v3/calculator
+
+//= require dradis/plugins/calculators/cvss/v4/vendor/app
+//= require dradis/plugins/calculators/cvss/v4/vendor/cvss_config
+//= require dradis/plugins/calculators/cvss/v4/vendor/cvss_details
+//= require dradis/plugins/calculators/cvss/v4/vendor/cvss_lookup
+//= require dradis/plugins/calculators/cvss/v4/vendor/max_composed
+//= require dradis/plugins/calculators/cvss/v4/vendor/max_severity
+//= require dradis/plugins/calculators/cvss/v4/vendor/metrics
+//= require dradis/plugins/calculators/cvss/v4/calculator
+
+//= require dradis/plugins/calculators/cvss/cvss

data/app/assets/javascripts/dradis/plugins/calculators/cvss/{calculator.js.coffee → v3/calculator.js.coffee}

@@ -128,38 +128,16 @@ class CVSSCalculator
       $('input[type=submit]').attr('disabled', 'disabled')
       $('[data-behavior~=cvss-error]').removeClass('d-none').text(errorMessage)
 
-class CVSS30Calculator extends CVSSCalculator
-   constructor: ->
-     @calc = CVSS
-     @cvssHelp = CVSS_Help
-
-     super()
-
-class CVSS31Calculator extends CVSSCalculator
-   constructor: ->
-     @calc = CVSS31
-     @cvssHelp = CVSS31_Help
-
-     super()
-
-document.addEventListener "turbolinks:load", ->
-  if $('[data-behavior~=cvss-buttons]').length
-    if $('[data-behavior~=cvss-version-toggle]').prop('checked')
-      window.calculator = new CVSS30Calculator()
-    else
-      window.calculator = new CVSS31Calculator()
+class @CVSS30Calculator extends CVSSCalculator
+  constructor: ->
+    @calc = CVSS
+    @cvssHelp = CVSS_Help
 
-    $('[data-behavior~=cvss-error]').addClass('d-none')
+    super()
 
-    $('[data-behavior~=cvss-buttons] button').on 'click', ->
-      $this = $(this)
-      $this.parent().find('button').removeClass('active btn-primary')
-      $this.addClass('active btn-primary')
-      $("input[name=#{$this.attr('name')}]").val($this.val())
-      window.calculator.calculate()
+class @CVSS31Calculator extends CVSSCalculator
+  constructor: ->
+    @calc = CVSS31
+    @cvssHelp = CVSS31_Help
 
-    $('[data-behavior~=cvss-version-toggle]').on 'change', ->
-      if $('[data-behavior~=cvss-version-toggle]').prop('checked')
-        window.calculator = new CVSS30Calculator()
-      else
-        window.calculator = new CVSS31Calculator()
+    super()

data/app/assets/javascripts/dradis/plugins/calculators/cvss/v4/calculator.js

@@ -0,0 +1,168 @@
+class CVSS4Calculator {
+  constructor() {
+    $('[data-cvss-heading], [data-cvss-option]').each(function (_, item) {
+      let heading, metrics, metricGroup, tooltipContent;
+
+      metrics = $(item).parents('[data-cvss-metrics]').data('cvss-metrics');
+      metricGroup = $(item)
+        .parents('[data-cvss-metric-group]')
+        .data('cvss-metric-group');
+
+      if ($(item).is('[data-cvss-option]')) {
+        let option = $(item).data('cvss-option');
+        heading = $(item)
+          .parent()
+          .prevAll('[data-cvss-heading]:first')
+          .data('cvss-heading');
+        tooltipContent =
+          cvss40Config[metrics].metric_groups[metricGroup][heading].options[
+            option
+          ].tooltip;
+      } else {
+        heading = $(item).data('cvss-heading');
+        tooltipContent =
+          cvss40Config[metrics].metric_groups[metricGroup][heading].tooltip;
+      }
+
+      $(item).attr('title', tooltipContent);
+    });
+  }
+}
+
+class CVSS40Calculator extends CVSS4Calculator {
+  constructor() {
+    super()
+
+    this.app = cvss_v4_app();
+    this.calculate();
+  }
+
+  calculate() {
+    const regex = / \(.+?\)/i;
+
+    $('input[type=submit]').attr('disabled', null);
+
+    const that = this;
+    $('[data-cvss-metrics] .btn-group').each(function(){
+      const selected = $(this).find('[data-cvss-option].active');
+
+      if (selected.length == 1) {
+        that.app.cvssSelected[selected.attr('name').toUpperCase()] = selected.attr('value');
+
+        const label = selected.data('cvss-option');
+        that.app.cvssSelectedValue[selected.attr('name').toUpperCase()] = label.replace(regex, '');
+      }
+    });
+
+    this.setResult();
+
+    return true;
+  }
+
+  baseVector() {
+    let baseVector = 'CVSS:4.0';
+    const that = this;
+
+    Object.keys(expectedMetricOrder).forEach(function(metric) {
+      if (that.app.cvssSelected[metric] && that.app.cvssSelected[metric] != 'X') {
+        baseVector += `/${metric}:${that.app.cvssSelected[metric]}`
+      }
+    })
+
+    return baseVector;
+  }
+
+  setResult() {
+    let issue_cvss = ''
+
+    issue_cvss += "#[CVSSv4.BaseVector]#\n"
+    issue_cvss += `${this.baseVector()}\n\n`
+    issue_cvss += "#[CVSSv4.BaseScore]#\n"
+    issue_cvss += `${this.app.score()}\n\n`
+    issue_cvss += "#[CVSSv4.BaseSeverity]#\n"
+    issue_cvss += `${this.app.qualScore()}\n\n`
+
+    issue_cvss += "#[CVSSv4.MacroVector]#\n";
+    issue_cvss += `${this.app.macroVector()}\n\n`
+
+    const that = this;
+    [
+      'Exploitability', 'Complexity', 'VulnerableSystem', 'SubsequentSystem',
+      'Exploitation', 'SecurityRequirements'
+    ].forEach(function(macroMetric) {
+      issue_cvss += "#[CVSSv4." + macroMetric + "]#\n"
+      issue_cvss += cvssMacroVectorValues[that.app.macroVector()[cvssMacroVectorDetails[macroMetric]]] + "\n\n"
+    });
+
+    issue_cvss += "#[CVSSv4.BaseExploitableAttackVector]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['AV']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseExploitableAttackComplexity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['AC']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseExploitableAttackRequirements]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['AT']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseExploitablePrivilegesRequired]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['PR']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseExploitableUserInteraction]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['UI']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseVulnerableConfidentiality]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['VC']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseVulnerableIntegrity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['VI']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseVulnerableAvailability]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['VA']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseSubsequentConfidentiality]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['SC']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseSubsequentIntegrity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['SI']}\n\n`
+    issue_cvss += "#[CVSSv4.BaseSubsequentAvailability]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['SA']}\n\n`
+
+    issue_cvss += "#[CVSSv4.SupplementalSafety]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['S']}\n\n`
+    issue_cvss += "#[CVSSv4.SupplementalAutomatable]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['AU']}\n\n`
+    issue_cvss += "#[CVSSv4.SupplementalRecovery]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['R']}\n\n`
+    issue_cvss += "#[CVSSv4.SupplementalValueDensity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['V']}\n\n`
+    issue_cvss += "#[CVSSv4.SupplementalVulnerabilityResponseEffort]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['RE']}\n\n`
+    issue_cvss += "#[CVSSv4.SupplementalProviderUrgency]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['U']}\n\n`
+
+    issue_cvss += "#[CVSSv4.EnvironmentalExploitabilityAttackVector]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MAV']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalExploitabilityAttackComplexity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MAC']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalExploitabilityAttackRequirements]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MAT']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalExploitabilityPrivilegesRequired]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MPR']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalExploitabilityUserInteraction]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MUI']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalVulnerableConfidentiality]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MVC']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalVulnerableIntegrity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MVI']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalVulnerableAvailability]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MVA']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalSubsequentConfidentiality]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MSC']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalSubsequentIntegrity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MSI']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalSubsequentAvailability]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['MSA']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalConfidentialityRequirements]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['CR']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalIntegrityRequirements]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['IR']}\n\n`
+    issue_cvss += "#[CVSSv4.EnvironmentalAvailabilityRequirements]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['AR']}\n\n`
+
+    issue_cvss += "#[CVSSv4.ThreatExploitMaturity]#\n"
+    issue_cvss += `${this.app.cvssSelectedValue['E']}\n\n`
+
+    $('[data-behavior=cvss4-result-text] textarea').val(issue_cvss)
+    $('[data-behavior=cvss4-result]').html(this.app.score() + ' (' + this.app.qualScore() + ')')
+  }
+}