@vyuhlabs/dxkit 1.5.1 → 1.6.0
- package/CHANGELOG.md +264 -0
- package/README.md +265 -352
- package/THIRD_PARTY_NOTICES.md +40 -0
- package/dist/analyzers/developer/detailed.d.ts +26 -0
- package/dist/analyzers/developer/detailed.d.ts.map +1 -0
- package/dist/analyzers/developer/detailed.js +193 -0
- package/dist/analyzers/developer/detailed.js.map +1 -0
- package/dist/analyzers/developer/gather.d.ts +11 -0
- package/dist/analyzers/developer/gather.d.ts.map +1 -0
- package/dist/analyzers/developer/gather.js +167 -0
- package/dist/analyzers/developer/gather.js.map +1 -0
- package/dist/analyzers/developer/index.d.ts +8 -0
- package/dist/analyzers/developer/index.d.ts.map +1 -0
- package/dist/analyzers/developer/index.js +168 -0
- package/dist/analyzers/developer/index.js.map +1 -0
- package/dist/analyzers/developer/types.d.ts +49 -0
- package/dist/analyzers/developer/types.d.ts.map +1 -0
- package/dist/analyzers/developer/types.js +6 -0
- package/dist/analyzers/developer/types.js.map +1 -0
- package/dist/analyzers/docs/shallow.d.ts +9 -0
- package/dist/analyzers/docs/shallow.d.ts.map +1 -0
- package/dist/analyzers/docs/shallow.js +8 -0
- package/dist/analyzers/docs/shallow.js.map +1 -0
- package/dist/analyzers/dx/shallow.d.ts +9 -0
- package/dist/analyzers/dx/shallow.d.ts.map +1 -0
- package/dist/analyzers/dx/shallow.js +8 -0
- package/dist/analyzers/dx/shallow.js.map +1 -0
- package/dist/analyzers/evidence.d.ts +36 -0
- package/dist/analyzers/evidence.d.ts.map +1 -0
- package/dist/analyzers/evidence.js +3 -0
- package/dist/analyzers/evidence.js.map +1 -0
- package/dist/analyzers/health/actions.d.ts +10 -0
- package/dist/analyzers/health/actions.d.ts.map +1 -0
- package/dist/analyzers/health/actions.js +284 -0
- package/dist/analyzers/health/actions.js.map +1 -0
- package/dist/analyzers/health/detailed.d.ts +26 -0
- package/dist/analyzers/health/detailed.d.ts.map +1 -0
- package/dist/analyzers/health/detailed.js +147 -0
- package/dist/analyzers/health/detailed.js.map +1 -0
- package/dist/analyzers/health.d.ts +22 -0
- package/dist/analyzers/health.d.ts.map +1 -0
- package/dist/analyzers/health.js +270 -0
- package/dist/analyzers/health.js.map +1 -0
- package/dist/analyzers/index.d.ts +3 -0
- package/dist/analyzers/index.d.ts.map +1 -0
- package/dist/analyzers/index.js +6 -0
- package/dist/analyzers/index.js.map +1 -0
- package/dist/analyzers/maintainability/shallow.d.ts +9 -0
- package/dist/analyzers/maintainability/shallow.d.ts.map +1 -0
- package/dist/analyzers/maintainability/shallow.js +8 -0
- package/dist/analyzers/maintainability/shallow.js.map +1 -0
- package/dist/analyzers/quality/actions.d.ts +5 -0
- package/dist/analyzers/quality/actions.d.ts.map +1 -0
- package/dist/analyzers/quality/actions.js +158 -0
- package/dist/analyzers/quality/actions.js.map +1 -0
- package/dist/analyzers/quality/detailed.d.ts +17 -0
- package/dist/analyzers/quality/detailed.d.ts.map +1 -0
- package/dist/analyzers/quality/detailed.js +122 -0
- package/dist/analyzers/quality/detailed.js.map +1 -0
- package/dist/analyzers/quality/gather.d.ts +38 -0
- package/dist/analyzers/quality/gather.d.ts.map +1 -0
- package/dist/analyzers/quality/gather.js +279 -0
- package/dist/analyzers/quality/gather.js.map +1 -0
- package/dist/analyzers/quality/index.d.ts +12 -0
- package/dist/analyzers/quality/index.d.ts.map +1 -0
- package/dist/analyzers/quality/index.js +281 -0
- package/dist/analyzers/quality/index.js.map +1 -0
- package/dist/analyzers/quality/shallow.d.ts +9 -0
- package/dist/analyzers/quality/shallow.d.ts.map +1 -0
- package/dist/analyzers/quality/shallow.js +8 -0
- package/dist/analyzers/quality/shallow.js.map +1 -0
- package/dist/analyzers/quality/types.d.ts +66 -0
- package/dist/analyzers/quality/types.d.ts.map +1 -0
- package/dist/analyzers/quality/types.js +3 -0
- package/dist/analyzers/quality/types.js.map +1 -0
- package/dist/analyzers/remediation.d.ts +42 -0
- package/dist/analyzers/remediation.d.ts.map +1 -0
- package/dist/analyzers/remediation.js +28 -0
- package/dist/analyzers/remediation.js.map +1 -0
- package/dist/analyzers/scoring.d.ts +32 -0
- package/dist/analyzers/scoring.d.ts.map +1 -0
- package/dist/analyzers/scoring.js +410 -0
- package/dist/analyzers/scoring.js.map +1 -0
- package/dist/analyzers/security/actions.d.ts +7 -0
- package/dist/analyzers/security/actions.d.ts.map +1 -0
- package/dist/analyzers/security/actions.js +104 -0
- package/dist/analyzers/security/actions.js.map +1 -0
- package/dist/analyzers/security/detailed.d.ts +14 -0
- package/dist/analyzers/security/detailed.d.ts.map +1 -0
- package/dist/analyzers/security/detailed.js +124 -0
- package/dist/analyzers/security/detailed.js.map +1 -0
- package/dist/analyzers/security/gather.d.ts +12 -0
- package/dist/analyzers/security/gather.d.ts.map +1 -0
- package/dist/analyzers/security/gather.js +195 -0
- package/dist/analyzers/security/gather.js.map +1 -0
- package/dist/analyzers/security/index.d.ts +8 -0
- package/dist/analyzers/security/index.d.ts.map +1 -0
- package/dist/analyzers/security/index.js +173 -0
- package/dist/analyzers/security/index.js.map +1 -0
- package/dist/analyzers/security/scoring.d.ts +29 -0
- package/dist/analyzers/security/scoring.d.ts.map +1 -0
- package/dist/analyzers/security/scoring.js +40 -0
- package/dist/analyzers/security/scoring.js.map +1 -0
- package/dist/analyzers/security/shallow.d.ts +10 -0
- package/dist/analyzers/security/shallow.d.ts.map +1 -0
- package/dist/analyzers/security/shallow.js +8 -0
- package/dist/analyzers/security/shallow.js.map +1 -0
- package/dist/analyzers/security/types.d.ts +43 -0
- package/dist/analyzers/security/types.d.ts.map +1 -0
- package/dist/analyzers/security/types.js +6 -0
- package/dist/analyzers/security/types.js.map +1 -0
- package/dist/analyzers/tests/actions.d.ts +6 -0
- package/dist/analyzers/tests/actions.d.ts.map +1 -0
- package/dist/analyzers/tests/actions.js +80 -0
- package/dist/analyzers/tests/actions.js.map +1 -0
- package/dist/analyzers/tests/detailed.d.ts +14 -0
- package/dist/analyzers/tests/detailed.d.ts.map +1 -0
- package/dist/analyzers/tests/detailed.js +121 -0
- package/dist/analyzers/tests/detailed.js.map +1 -0
- package/dist/analyzers/tests/gather.d.ts +5 -0
- package/dist/analyzers/tests/gather.d.ts.map +1 -0
- package/dist/analyzers/tests/gather.js +270 -0
- package/dist/analyzers/tests/gather.js.map +1 -0
- package/dist/analyzers/tests/import-graph.d.ts +48 -0
- package/dist/analyzers/tests/import-graph.d.ts.map +1 -0
- package/dist/analyzers/tests/import-graph.js +231 -0
- package/dist/analyzers/tests/import-graph.js.map +1 -0
- package/dist/analyzers/tests/index.d.ts +8 -0
- package/dist/analyzers/tests/index.d.ts.map +1 -0
- package/dist/analyzers/tests/index.js +247 -0
- package/dist/analyzers/tests/index.js.map +1 -0
- package/dist/analyzers/tests/scoring.d.ts +27 -0
- package/dist/analyzers/tests/scoring.d.ts.map +1 -0
- package/dist/analyzers/tests/scoring.js +38 -0
- package/dist/analyzers/tests/scoring.js.map +1 -0
- package/dist/analyzers/tests/shallow.d.ts +9 -0
- package/dist/analyzers/tests/shallow.d.ts.map +1 -0
- package/dist/analyzers/tests/shallow.js +8 -0
- package/dist/analyzers/tests/shallow.js.map +1 -0
- package/dist/analyzers/tests/types.d.ts +49 -0
- package/dist/analyzers/tests/types.d.ts.map +1 -0
- package/dist/analyzers/tests/types.js +6 -0
- package/dist/analyzers/tests/types.js.map +1 -0
- package/dist/analyzers/tools/cloc.d.ts +8 -0
- package/dist/analyzers/tools/cloc.d.ts.map +1 -0
- package/dist/analyzers/tools/cloc.js +49 -0
- package/dist/analyzers/tools/cloc.js.map +1 -0
- package/dist/analyzers/tools/coverage.d.ts +59 -0
- package/dist/analyzers/tools/coverage.d.ts.map +1 -0
- package/dist/analyzers/tools/coverage.js +280 -0
- package/dist/analyzers/tools/coverage.js.map +1 -0
- package/dist/analyzers/tools/cvss-v4-lookup.d.ts +10 -0
- package/dist/analyzers/tools/cvss-v4-lookup.d.ts.map +1 -0
- package/dist/analyzers/tools/cvss-v4-lookup.js +284 -0
- package/dist/analyzers/tools/cvss-v4-lookup.js.map +1 -0
- package/dist/analyzers/tools/cvss-v4.d.ts +24 -0
- package/dist/analyzers/tools/cvss-v4.d.ts.map +1 -0
- package/dist/analyzers/tools/cvss-v4.js +362 -0
- package/dist/analyzers/tools/cvss-v4.js.map +1 -0
- package/dist/analyzers/tools/default-exclusions.gitignore +56 -0
- package/dist/analyzers/tools/exclusions.d.ts +70 -0
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -0
- package/dist/analyzers/tools/exclusions.js +250 -0
- package/dist/analyzers/tools/exclusions.js.map +1 -0
- package/dist/analyzers/tools/generic.d.ts +4 -0
- package/dist/analyzers/tools/generic.d.ts.map +1 -0
- package/dist/analyzers/tools/generic.js +198 -0
- package/dist/analyzers/tools/generic.js.map +1 -0
- package/dist/analyzers/tools/gitleaks.d.ts +8 -0
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -0
- package/dist/analyzers/tools/gitleaks.js +58 -0
- package/dist/analyzers/tools/gitleaks.js.map +1 -0
- package/dist/analyzers/tools/graphify.d.ts +4 -0
- package/dist/analyzers/tools/graphify.d.ts.map +1 -0
- package/dist/analyzers/tools/graphify.js +222 -0
- package/dist/analyzers/tools/graphify.js.map +1 -0
- package/dist/analyzers/tools/osv.d.ts +51 -0
- package/dist/analyzers/tools/osv.d.ts.map +1 -0
- package/dist/analyzers/tools/osv.js +188 -0
- package/dist/analyzers/tools/osv.js.map +1 -0
- package/dist/analyzers/tools/parallel.d.ts +8 -0
- package/dist/analyzers/tools/parallel.d.ts.map +1 -0
- package/dist/analyzers/tools/parallel.js +195 -0
- package/dist/analyzers/tools/parallel.js.map +1 -0
- package/dist/analyzers/tools/runner.d.ts +13 -0
- package/dist/analyzers/tools/runner.d.ts.map +1 -0
- package/dist/analyzers/tools/runner.js +109 -0
- package/dist/analyzers/tools/runner.js.map +1 -0
- package/dist/analyzers/tools/suppressions.d.ts +55 -0
- package/dist/analyzers/tools/suppressions.d.ts.map +1 -0
- package/dist/analyzers/tools/suppressions.js +203 -0
- package/dist/analyzers/tools/suppressions.js.map +1 -0
- package/dist/analyzers/tools/timing.d.ts +9 -0
- package/dist/analyzers/tools/timing.d.ts.map +1 -0
- package/dist/analyzers/tools/timing.js +29 -0
- package/dist/analyzers/tools/timing.js.map +1 -0
- package/dist/analyzers/tools/tool-registry.d.ts +86 -0
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -0
- package/dist/analyzers/tools/tool-registry.js +705 -0
- package/dist/analyzers/tools/tool-registry.js.map +1 -0
- package/dist/analyzers/types.d.ts +125 -0
- package/dist/analyzers/types.d.ts.map +1 -0
- package/dist/analyzers/types.js +11 -0
- package/dist/analyzers/types.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +405 -0
- package/dist/cli.js.map +1 -1
- package/dist/detect.d.ts.map +1 -1
- package/dist/detect.js +24 -15
- package/dist/detect.js.map +1 -1
- package/dist/languages/csharp.d.ts +5 -0
- package/dist/languages/csharp.d.ts.map +1 -0
- package/dist/languages/csharp.js +265 -0
- package/dist/languages/csharp.js.map +1 -0
- package/dist/languages/go.d.ts +11 -0
- package/dist/languages/go.d.ts.map +1 -0
- package/dist/languages/go.js +321 -0
- package/dist/languages/go.js.map +1 -0
- package/dist/languages/index.d.ts +6 -0
- package/dist/languages/index.d.ts.map +1 -0
- package/dist/languages/index.js +18 -0
- package/dist/languages/index.js.map +1 -0
- package/dist/languages/python.d.ts +3 -0
- package/dist/languages/python.d.ts.map +1 -0
- package/dist/languages/python.js +284 -0
- package/dist/languages/python.js.map +1 -0
- package/dist/languages/rust.d.ts +17 -0
- package/dist/languages/rust.d.ts.map +1 -0
- package/dist/languages/rust.js +333 -0
- package/dist/languages/rust.js.map +1 -0
- package/dist/languages/types.d.ts +38 -0
- package/dist/languages/types.d.ts.map +1 -0
- package/dist/languages/types.js +3 -0
- package/dist/languages/types.js.map +1 -0
- package/dist/languages/typescript.d.ts +15 -0
- package/dist/languages/typescript.d.ts.map +1 -0
- package/dist/languages/typescript.js +353 -0
- package/dist/languages/typescript.js.map +1 -0
- package/dist/logger.d.ts +1 -0
- package/dist/logger.d.ts.map +1 -1
- package/dist/logger.js +25 -12
- package/dist/logger.js.map +1 -1
- package/dist/project-yaml.d.ts.map +1 -1
- package/dist/project-yaml.js +1 -0
- package/dist/project-yaml.js.map +1 -1
- package/dist/tools-cli.d.ts +2 -0
- package/dist/tools-cli.d.ts.map +1 -0
- package/dist/tools-cli.js +231 -0
- package/dist/tools-cli.js.map +1 -0
- package/dist/types.d.ts +10 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +6 -2
- package/templates/.claude/commands/dev-report.md +34 -4
- package/templates/.claude/commands/health.md +45 -2
- package/templates/.claude/commands/quality.md.template +38 -15
- package/templates/.claude/commands/test-gaps.md +36 -2
- package/templates/.claude/commands/vulnerabilities.md +36 -2
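--- a/package/dist/analyzers/tools/cvss-v4-lookup.js
+++ b/package/dist/analyzers/tools/cvss-v4-lookup.js
@@ -0,0 +1,284 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CVSS_V4_LOOKUP = void 0;
+/**
+* CVSS v4.0 MacroVector → base score lookup table.
+* 270 entries, one per valid macrovector.
+*
+* Source: https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/main/cvss_lookup.js
+* Copyright FIRST, Red Hat, and contributors. SPDX-License-Identifier: BSD-2-Clause.
+* See THIRD_PARTY_NOTICES.md for attribution.
+*/
+exports.CVSS_V4_LOOKUP = {
+'000000': 10,
+'000001': 9.9,
+'000010': 9.8,
+'000011': 9.5,
+'000020': 9.5,
+'000021': 9.2,
+'000100': 10,
+'000101': 9.6,
+'000110': 9.3,
+'000111': 8.7,
+'000120': 9.1,
+'000121': 8.1,
+'000200': 9.3,
+'000201': 9,
+'000210': 8.9,
+'000211': 8,
+'000220': 8.1,
+'000221': 6.8,
+'001000': 9.8,
+'001001': 9.5,
+'001010': 9.5,
+'001011': 9.2,
+'001020': 9,
+'001021': 8.4,
+'001100': 9.3,
+'001101': 9.2,
+'001110': 8.9,
+'001111': 8.1,
+'001120': 8.1,
+'001121': 6.5,
+'001200': 8.8,
+'001201': 8,
+'001210': 7.8,
+'001211': 7,
+'001220': 6.9,
+'001221': 4.8,
+'002001': 9.2,
+'002011': 8.2,
+'002021': 7.2,
+'002101': 7.9,
+'002111': 6.9,
+'002121': 5,
+'002201': 6.9,
+'002211': 5.5,
+'002221': 2.7,
+'010000': 9.9,
+'010001': 9.7,
+'010010': 9.5,
+'010011': 9.2,
+'010020': 9.2,
+'010021': 8.5,
+'010100': 9.5,
+'010101': 9.1,
+'010110': 9,
+'010111': 8.3,
+'010120': 8.4,
+'010121': 7.1,
+'010200': 9.2,
+'010201': 8.1,
+'010210': 8.2,
+'010211': 7.1,
+'010220': 7.2,
+'010221': 5.3,
+'011000': 9.5,
+'011001': 9.3,
+'011010': 9.2,
+'011011': 8.5,
+'011020': 8.5,
+'011021': 7.3,
+'011100': 9.2,
+'011101': 8.2,
+'011110': 8,
+'011111': 7.2,
+'011120': 7,
+'011121': 5.9,
+'011200': 8.4,
+'011201': 7,
+'011210': 7.1,
+'011211': 5.2,
+'011220': 5,
+'011221': 3,
+'012001': 8.6,
+'012011': 7.5,
+'012021': 5.2,
+'012101': 7.1,
+'012111': 5.2,
+'012121': 2.9,
+'012201': 6.3,
+'012211': 2.9,
+'012221': 1.7,
+'100000': 9.8,
+'100001': 9.5,
+'100010': 9.4,
+'100011': 8.7,
+'100020': 9.1,
+'100021': 8.1,
+'100100': 9.4,
+'100101': 8.9,
+'100110': 8.6,
+'100111': 7.4,
+'100120': 7.7,
+'100121': 6.4,
+'100200': 8.7,
+'100201': 7.5,
+'100210': 7.4,
+'100211': 6.3,
+'100220': 6.3,
+'100221': 4.9,
+'101000': 9.4,
+'101001': 8.9,
+'101010': 8.8,
+'101011': 7.7,
+'101020': 7.6,
+'101021': 6.7,
+'101100': 8.6,
+'101101': 7.6,
+'101110': 7.4,
+'101111': 5.8,
+'101120': 5.9,
+'101121': 5,
+'101200': 7.2,
+'101201': 5.7,
+'101210': 5.7,
+'101211': 5.2,
+'101220': 5.2,
+'101221': 2.5,
+'102001': 8.3,
+'102011': 7,
+'102021': 5.4,
+'102101': 6.5,
+'102111': 5.8,
+'102121': 2.6,
+'102201': 5.3,
+'102211': 2.1,
+'102221': 1.3,
+'110000': 9.5,
+'110001': 9,
+'110010': 8.8,
+'110011': 7.6,
+'110020': 7.6,
+'110021': 7,
+'110100': 9,
+'110101': 7.7,
+'110110': 7.5,
+'110111': 6.2,
+'110120': 6.1,
+'110121': 5.3,
+'110200': 7.7,
+'110201': 6.6,
+'110210': 6.8,
+'110211': 5.9,
+'110220': 5.2,
+'110221': 3,
+'111000': 8.9,
+'111001': 7.8,
+'111010': 7.6,
+'111011': 6.7,
+'111020': 6.2,
+'111021': 5.8,
+'111100': 7.4,
+'111101': 5.9,
+'111110': 5.7,
+'111111': 5.7,
+'111120': 4.7,
+'111121': 2.3,
+'111200': 6.1,
+'111201': 5.2,
+'111210': 5.7,
+'111211': 2.9,
+'111220': 2.4,
+'111221': 1.6,
+'112001': 7.1,
+'112011': 5.9,
+'112021': 3,
+'112101': 5.8,
+'112111': 2.6,
+'112121': 1.5,
+'112201': 2.3,
+'112211': 1.3,
+'112221': 0.6,
+'200000': 9.3,
+'200001': 8.7,
+'200010': 8.6,
+'200011': 7.2,
+'200020': 7.5,
+'200021': 5.8,
+'200100': 8.6,
+'200101': 7.4,
+'200110': 7.4,
+'200111': 6.1,
+'200120': 5.6,
+'200121': 3.4,
+'200200': 7,
+'200201': 5.4,
+'200210': 5.2,
+'200211': 4,
+'200220': 4,
+'200221': 2.2,
+'201000': 8.5,
+'201001': 7.5,
+'201010': 7.4,
+'201011': 5.5,
+'201020': 6.2,
+'201021': 5.1,
+'201100': 7.2,
+'201101': 5.7,
+'201110': 5.5,
+'201111': 4.1,
+'201120': 4.6,
+'201121': 1.9,
+'201200': 5.3,
+'201201': 3.6,
+'201210': 3.4,
+'201211': 1.9,
+'201220': 1.9,
+'201221': 0.8,
+'202001': 6.4,
+'202011': 5.1,
+'202021': 2,
+'202101': 4.7,
+'202111': 2.1,
+'202121': 1.1,
+'202201': 2.4,
+'202211': 0.9,
+'202221': 0.4,
+'210000': 8.8,
+'210001': 7.5,
+'210010': 7.3,
+'210011': 5.3,
+'210020': 6,
+'210021': 5,
+'210100': 7.3,
+'210101': 5.5,
+'210110': 5.9,
+'210111': 4,
+'210120': 4.1,
+'210121': 2,
+'210200': 5.4,
+'210201': 4.3,
+'210210': 4.5,
+'210211': 2.2,
+'210220': 2,
+'210221': 1.1,
+'211000': 7.5,
+'211001': 5.5,
+'211010': 5.8,
+'211011': 4.5,
+'211020': 4,
+'211021': 2.1,
+'211100': 6.1,
+'211101': 5.1,
+'211110': 4.8,
+'211111': 1.8,
+'211120': 2,
+'211121': 0.9,
+'211200': 4.6,
+'211201': 1.8,
+'211210': 1.7,
+'211211': 0.7,
+'211220': 0.8,
+'211221': 0.2,
+'212001': 5.3,
+'212011': 2.4,
+'212021': 1.4,
+'212101': 2.4,
+'212111': 1.2,
+'212121': 0.5,
+'212201': 1,
+'212211': 0.3,
+'212221': 0.1,
+};
+//# sourceMappingURL=cvss-v4-lookup.js.map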
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cvss-v4-lookup.js","sourceRoot":"","sources":["../../../src/analyzers/tools/cvss-v4-lookup.ts"],"names":[],"mappings":";;;AAAA;;;;;;;GAOG;AACU,QAAA,cAAc,GAA2B;IACpD,QAAQ,EAAE,EAAE;IACZ,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,EAAE;IACZ,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG
;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG
;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;CACd,CAAC"}
|
|
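--- a/package/dist/analyzers/tools/cvss-v4.d.ts
+++ b/package/dist/analyzers/tools/cvss-v4.d.ts
@@ -0,0 +1,24 @@
+/**
+* CVSS v4.0 base score calculator.
+*
+* Port of FIRST's reference implementation into deterministic TypeScript.
+* Source: https://github.com/FIRSTdotorg/cvss-v4-calculator
+*
+* The lookup table, max-severity data, and max-composed vectors are taken
+* verbatim from the upstream project. The scoring algorithm (macrovector
+* computation + severity-distance refinement) mirrors cvss_score.js.
+*
+* Copyright FIRST, Red Hat, and contributors (for embedded data tables
+* and algorithm shape). SPDX-License-Identifier: BSD-2-Clause.
+* See THIRD_PARTY_NOTICES.md for full attribution.
+*
+* Typical usage:
+* const score = parseCvssV4BaseScore('CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N');
+* // => 9.3
+*/
+/**
+* Main entry point: compute a CVSS v4 base score from a vector string.
+* Returns null on malformed input. Range: 0.0 to 10.0, one decimal.
+*/
+export declare function parseCvssV4BaseScore(vector: string): number | null;
+//# sourceMappingURL=cvss-v4.d.ts.map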
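Review bot: The doc comment on `parseCvssV4BaseScore` says only "Returns null on malformed input" and does not say what counts as malformed or how a caller should rank a null result. In a vulnerability report, a null that is coerced to 0 or silently dropped would hide a finding whose vector failed to parse, so the contract should spell this out, e.g. `* Returns null when the vector cannot be scored; treat null as "unscored", never as 0.0.` It would also help to state whether a vector with missing mandatory base metrics or a prefix other than `CVSS:4.0` returns null; the implementation is not in this section, so that behaviour is unconfirmed here. This declaration file is generated, so the wording belongs in the TypeScript source named by the source map, `src/analyzers/tools/cvss-v4.ts`.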
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cvss-v4.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/cvss-v4.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AA0LH;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAwLlE"}
|
|
@@ -0,0 +1,362 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* CVSS v4.0 base score calculator.
|
|
4
|
+
*
|
|
5
|
+
* Port of FIRST's reference implementation into deterministic TypeScript.
|
|
6
|
+
* Source: https://github.com/FIRSTdotorg/cvss-v4-calculator
|
|
7
|
+
*
|
|
8
|
+
* The lookup table, max-severity data, and max-composed vectors are taken
|
|
9
|
+
* verbatim from the upstream project. The scoring algorithm (macrovector
|
|
10
|
+
* computation + severity-distance refinement) mirrors cvss_score.js.
|
|
11
|
+
*
|
|
12
|
+
* Copyright FIRST, Red Hat, and contributors (for embedded data tables
|
|
13
|
+
* and algorithm shape). SPDX-License-Identifier: BSD-2-Clause.
|
|
14
|
+
* See THIRD_PARTY_NOTICES.md for full attribution.
|
|
15
|
+
*
|
|
16
|
+
* Typical usage:
|
|
17
|
+
* const score = parseCvssV4BaseScore('CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N');
|
|
18
|
+
* // => 9.3
|
|
19
|
+
*/
|
|
20
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
21
|
+
exports.parseCvssV4BaseScore = parseCvssV4BaseScore;
|
|
22
|
+
const cvss_v4_lookup_1 = require("./cvss-v4-lookup");
|
|
23
|
+
/** Max severity depth per equivalence set (lower macrovector distance). */
|
|
24
|
+
const MAX_SEVERITY = {
|
|
25
|
+
eq1: { 0: 1, 1: 4, 2: 5 },
|
|
26
|
+
eq2: { 0: 1, 1: 2 },
|
|
27
|
+
eq3eq6: {
|
|
28
|
+
0: { 0: 7, 1: 6 },
|
|
29
|
+
1: { 0: 8, 1: 8 },
|
|
30
|
+
2: { 1: 10 },
|
|
31
|
+
},
|
|
32
|
+
eq4: { 0: 6, 1: 5, 2: 4 },
|
|
33
|
+
eq5: { 0: 1, 1: 1, 2: 1 },
|
|
34
|
+
};
|
|
35
|
+
/** Max-composed vectors per (eq, level) — representative highest-severity vectors. */
|
|
36
|
+
const MAX_COMPOSED = {
|
|
37
|
+
eq1: {
|
|
38
|
+
0: ['AV:N/PR:N/UI:N/'],
|
|
39
|
+
1: ['AV:A/PR:N/UI:N/', 'AV:N/PR:L/UI:N/', 'AV:N/PR:N/UI:P/'],
|
|
40
|
+
2: ['AV:P/PR:N/UI:N/', 'AV:A/PR:L/UI:P/'],
|
|
41
|
+
},
|
|
42
|
+
eq2: {
|
|
43
|
+
0: ['AC:L/AT:N/'],
|
|
44
|
+
1: ['AC:H/AT:N/', 'AC:L/AT:P/'],
|
|
45
|
+
},
|
|
46
|
+
eq3: {
|
|
47
|
+
0: {
|
|
48
|
+
'0': ['VC:H/VI:H/VA:H/CR:H/IR:H/AR:H/'],
|
|
49
|
+
'1': ['VC:H/VI:H/VA:L/CR:M/IR:M/AR:H/', 'VC:H/VI:H/VA:H/CR:M/IR:M/AR:M/'],
|
|
50
|
+
},
|
|
51
|
+
1: {
|
|
52
|
+
'0': ['VC:L/VI:H/VA:H/CR:H/IR:H/AR:H/', 'VC:H/VI:L/VA:H/CR:H/IR:H/AR:H/'],
|
|
53
|
+
'1': [
|
|
54
|
+
'VC:L/VI:H/VA:L/CR:H/IR:M/AR:H/',
|
|
55
|
+
'VC:L/VI:H/VA:H/CR:H/IR:M/AR:M/',
|
|
56
|
+
'VC:H/VI:L/VA:H/CR:M/IR:H/AR:M/',
|
|
57
|
+
'VC:H/VI:L/VA:L/CR:M/IR:H/AR:H/',
|
|
58
|
+
'VC:L/VI:L/VA:H/CR:H/IR:H/AR:M/',
|
|
59
|
+
],
|
|
60
|
+
},
|
|
61
|
+
2: { '1': ['VC:L/VI:L/VA:L/CR:H/IR:H/AR:H/'] },
|
|
62
|
+
},
|
|
63
|
+
eq4: {
|
|
64
|
+
0: ['SC:H/SI:S/SA:S/'],
|
|
65
|
+
1: ['SC:H/SI:H/SA:H/'],
|
|
66
|
+
2: ['SC:L/SI:L/SA:L/'],
|
|
67
|
+
},
|
|
68
|
+
eq5: {
|
|
69
|
+
0: ['E:A/'],
|
|
70
|
+
1: ['E:P/'],
|
|
71
|
+
2: ['E:U/'],
|
|
72
|
+
},
|
|
73
|
+
};
|
|
74
|
+
/** Ordinal weights per metric value — used in severity-distance calculation. */
|
|
75
|
+
const LEVELS = {
|
|
76
|
+
AV: { N: 0.0, A: 0.1, L: 0.2, P: 0.3 },
|
|
77
|
+
PR: { N: 0.0, L: 0.1, H: 0.2 },
|
|
78
|
+
UI: { N: 0.0, P: 0.1, A: 0.2 },
|
|
79
|
+
AC: { L: 0.0, H: 0.1 },
|
|
80
|
+
AT: { N: 0.0, P: 0.1 },
|
|
81
|
+
VC: { H: 0.0, L: 0.1, N: 0.2 },
|
|
82
|
+
VI: { H: 0.0, L: 0.1, N: 0.2 },
|
|
83
|
+
VA: { H: 0.0, L: 0.1, N: 0.2 },
|
|
84
|
+
SC: { H: 0.1, L: 0.2, N: 0.3 },
|
|
85
|
+
SI: { S: 0.0, H: 0.1, L: 0.2, N: 0.3 },
|
|
86
|
+
SA: { S: 0.0, H: 0.1, L: 0.2, N: 0.3 },
|
|
87
|
+
CR: { H: 0.0, M: 0.1, L: 0.2 },
|
|
88
|
+
IR: { H: 0.0, M: 0.1, L: 0.2 },
|
|
89
|
+
AR: { H: 0.0, M: 0.1, L: 0.2 },
|
|
90
|
+
};
|
|
91
|
+
const STEP = 0.1;
|
|
92
|
+
/**
|
|
93
|
+
* Resolve a metric value accounting for "X" (not defined) defaults and
|
|
94
|
+
* environmental modifiers (M-prefixed metrics override base values).
|
|
95
|
+
*
|
|
96
|
+
* Defaults when X:
|
|
97
|
+
* E → A (Attacked)
|
|
98
|
+
* CR, IR, AR → H (High)
|
|
99
|
+
* Modified metrics (M*) → base metric value
|
|
100
|
+
*/
|
|
101
|
+
function m(metrics, metric) {
|
|
102
|
+
const selected = metrics.get(metric) ?? 'X';
|
|
103
|
+
if (metric === 'E' && selected === 'X')
|
|
104
|
+
return 'A';
|
|
105
|
+
if ((metric === 'CR' || metric === 'IR' || metric === 'AR') && selected === 'X')
|
|
106
|
+
return 'H';
|
|
107
|
+
// For base metrics, check if a Modified override is present
|
|
108
|
+
const modifiedKey = 'M' + metric;
|
|
109
|
+
if (metrics.has(modifiedKey)) {
|
|
110
|
+
const mod = metrics.get(modifiedKey);
|
|
111
|
+
if (mod && mod !== 'X')
|
|
112
|
+
return mod;
|
|
113
|
+
}
|
|
114
|
+
return selected;
|
|
115
|
+
}
|
|
116
|
+
/** Compute the 6-digit macrovector string for a metrics map. */
|
|
117
|
+
function macroVector(metrics) {
|
|
118
|
+
// EQ1: 0 = AV:N AND PR:N AND UI:N
|
|
119
|
+
// 1 = (AV:N OR PR:N OR UI:N) AND NOT (all three N) AND NOT AV:P
|
|
120
|
+
// 2 = AV:P OR NOT (AV:N OR PR:N OR UI:N)
|
|
121
|
+
const av = m(metrics, 'AV');
|
|
122
|
+
const pr = m(metrics, 'PR');
|
|
123
|
+
const ui = m(metrics, 'UI');
|
|
124
|
+
let eq1;
|
|
125
|
+
if (av === 'N' && pr === 'N' && ui === 'N')
|
|
126
|
+
eq1 = 0;
|
|
127
|
+
else if ((av === 'N' || pr === 'N' || ui === 'N') &&
|
|
128
|
+
!(av === 'N' && pr === 'N' && ui === 'N') &&
|
|
129
|
+
av !== 'P')
|
|
130
|
+
eq1 = 1;
|
|
131
|
+
else
|
|
132
|
+
eq1 = 2; // AV:P OR none of them N
|
|
133
|
+
// EQ2: 0 = AC:L AND AT:N, else 1
|
|
134
|
+
const ac = m(metrics, 'AC');
|
|
135
|
+
const at = m(metrics, 'AT');
|
|
136
|
+
const eq2 = ac === 'L' && at === 'N' ? 0 : 1;
|
|
137
|
+
// EQ3: 0 = VC:H AND VI:H
|
|
138
|
+
// 1 = NOT (VC:H AND VI:H) AND (VC:H OR VI:H OR VA:H)
|
|
139
|
+
// 2 = NOT (VC:H OR VI:H OR VA:H)
|
|
140
|
+
const vc = m(metrics, 'VC');
|
|
141
|
+
const vi = m(metrics, 'VI');
|
|
142
|
+
const va = m(metrics, 'VA');
|
|
143
|
+
let eq3;
|
|
144
|
+
if (vc === 'H' && vi === 'H')
|
|
145
|
+
eq3 = 0;
|
|
146
|
+
else if (!(vc === 'H' && vi === 'H') && (vc === 'H' || vi === 'H' || va === 'H'))
|
|
147
|
+
eq3 = 1;
|
|
148
|
+
else
|
|
149
|
+
eq3 = 2;
|
|
150
|
+
// EQ4: 0 = MSI:S OR MSA:S
|
|
151
|
+
// 1 = NOT (MSI:S OR MSA:S) AND (SC:H OR SI:H OR SA:H)
|
|
152
|
+
// 2 = NOT (MSI:S OR MSA:S) AND NOT (SC:H OR SI:H OR SA:H)
|
|
153
|
+
const msi = m(metrics, 'MSI');
|
|
154
|
+
const msa = m(metrics, 'MSA');
|
|
155
|
+
const sc = m(metrics, 'SC');
|
|
156
|
+
const si = m(metrics, 'SI');
|
|
157
|
+
const sa = m(metrics, 'SA');
|
|
158
|
+
let eq4;
|
|
159
|
+
if (msi === 'S' || msa === 'S')
|
|
160
|
+
eq4 = 0;
|
|
161
|
+
else if (sc === 'H' || si === 'H' || sa === 'H')
|
|
162
|
+
eq4 = 1;
|
|
163
|
+
else
|
|
164
|
+
eq4 = 2;
|
|
165
|
+
// EQ5: 0 = E:A, 1 = E:P, 2 = E:U
|
|
166
|
+
const e = m(metrics, 'E');
|
|
167
|
+
const eq5 = e === 'A' ? 0 : e === 'P' ? 1 : 2;
|
|
168
|
+
// EQ6: 0 = (CR:H AND VC:H) OR (IR:H AND VI:H) OR (AR:H AND VA:H)
|
|
169
|
+
// 1 = otherwise
|
|
170
|
+
const cr = m(metrics, 'CR');
|
|
171
|
+
const ir = m(metrics, 'IR');
|
|
172
|
+
const ar = m(metrics, 'AR');
|
|
173
|
+
const eq6 = (cr === 'H' && vc === 'H') || (ir === 'H' && vi === 'H') || (ar === 'H' && va === 'H') ? 0 : 1;
|
|
174
|
+
return `${eq1}${eq2}${eq3}${eq4}${eq5}${eq6}`;
|
|
175
|
+
}
|
|
176
|
+
/** Pull a metric's value out of a composed-vector fragment like "AV:N/PR:L/UI:N/". */
|
|
177
|
+
function extractValueMetric(metric, str) {
|
|
178
|
+
const idx = str.indexOf(metric + ':');
|
|
179
|
+
if (idx < 0)
|
|
180
|
+
return '';
|
|
181
|
+
const start = idx + metric.length + 1;
|
|
182
|
+
const end = str.indexOf('/', start);
|
|
183
|
+
return end < 0 ? str.slice(start) : str.slice(start, end);
|
|
184
|
+
}
|
|
185
|
+
/** Get max composed vectors for (eq, macrovector). eq=3 is indexed by both eq3 and eq6. */
|
|
186
|
+
function getEqMaxes(mv, eq) {
|
|
187
|
+
const key = 'eq' + eq;
|
|
188
|
+
const level = parseInt(mv[eq - 1], 10);
|
|
189
|
+
const entry = MAX_COMPOSED[key][level];
|
|
190
|
+
if (Array.isArray(entry))
|
|
191
|
+
return entry;
|
|
192
|
+
// eq3 — entry is a map keyed by eq6
|
|
193
|
+
const eq6 = mv[5];
|
|
194
|
+
return entry[eq6] ?? [];
|
|
195
|
+
}
|
|
196
|
+
/**
|
|
197
|
+
* Main entry point: compute a CVSS v4 base score from a vector string.
|
|
198
|
+
* Returns null on malformed input. Range: 0.0 to 10.0, one decimal.
|
|
199
|
+
*/
|
|
200
|
+
function parseCvssV4BaseScore(vector) {
|
|
201
|
+
if (!vector.startsWith('CVSS:4.'))
|
|
202
|
+
return null;
|
|
203
|
+
const metrics = new Map();
|
|
204
|
+
for (const kv of vector.split('/').slice(1)) {
|
|
205
|
+
const [k, v] = kv.split(':');
|
|
206
|
+
if (k && v)
|
|
207
|
+
metrics.set(k, v);
|
|
208
|
+
}
|
|
209
|
+
// Required base metrics
|
|
210
|
+
for (const req of ['AV', 'AC', 'AT', 'PR', 'UI', 'VC', 'VI', 'VA', 'SC', 'SI', 'SA']) {
|
|
211
|
+
if (!metrics.has(req))
|
|
212
|
+
return null;
|
|
213
|
+
}
|
|
214
|
+
// Shortcut: no impact at all → 0
|
|
215
|
+
const impactMetrics = ['VC', 'VI', 'VA', 'SC', 'SI', 'SA'];
|
|
216
|
+
if (impactMetrics.every((k) => m(metrics, k) === 'N'))
|
|
217
|
+
return 0;
|
|
218
|
+
const mv = macroVector(metrics);
|
|
219
|
+
const baseScore = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mv];
|
|
220
|
+
if (baseScore === undefined)
|
|
221
|
+
return null;
|
|
222
|
+
// Severity-distance refinement (see cvss_score.js in upstream).
|
|
223
|
+
const eq1 = parseInt(mv[0], 10);
|
|
224
|
+
const eq2 = parseInt(mv[1], 10);
|
|
225
|
+
const eq3 = parseInt(mv[2], 10);
|
|
226
|
+
const eq4 = parseInt(mv[3], 10);
|
|
227
|
+
const eq5 = parseInt(mv[4], 10);
|
|
228
|
+
const eq6 = parseInt(mv[5], 10);
|
|
229
|
+
// Compute next-lower macrovectors per eq (may not exist).
|
|
230
|
+
const nextLower = (digits) => digits.join('');
|
|
231
|
+
const mvEq1Lower = nextLower([eq1 + 1, eq2, eq3, eq4, eq5, eq6]);
|
|
232
|
+
const mvEq2Lower = nextLower([eq1, eq2 + 1, eq3, eq4, eq5, eq6]);
|
|
233
|
+
// eq3 and eq6 are entangled (spec quirk).
|
|
234
|
+
let mvEq3Eq6LowerLeft = null;
|
|
235
|
+
let mvEq3Eq6LowerRight = null;
|
|
236
|
+
let mvEq3Eq6Lower = null;
|
|
237
|
+
if (eq3 === 1 && eq6 === 1) {
|
|
238
|
+
mvEq3Eq6Lower = nextLower([eq1, eq2, eq3 + 1, eq4, eq5, eq6]);
|
|
239
|
+
}
|
|
240
|
+
else if (eq3 === 0 && eq6 === 1) {
|
|
241
|
+
mvEq3Eq6Lower = nextLower([eq1, eq2, eq3 + 1, eq4, eq5, eq6]);
|
|
242
|
+
}
|
|
243
|
+
else if (eq3 === 1 && eq6 === 0) {
|
|
244
|
+
mvEq3Eq6Lower = nextLower([eq1, eq2, eq3, eq4, eq5, eq6 + 1]);
|
|
245
|
+
}
|
|
246
|
+
else if (eq3 === 0 && eq6 === 0) {
|
|
247
|
+
mvEq3Eq6LowerLeft = nextLower([eq1, eq2, eq3, eq4, eq5, eq6 + 1]);
|
|
248
|
+
mvEq3Eq6LowerRight = nextLower([eq1, eq2, eq3 + 1, eq4, eq5, eq6]);
|
|
249
|
+
}
|
|
250
|
+
else {
|
|
251
|
+
// 21 → 32 (doesn't exist, produces NaN lookup which is fine)
|
|
252
|
+
mvEq3Eq6Lower = nextLower([eq1, eq2, eq3 + 1, eq4, eq5, eq6 + 1]);
|
|
253
|
+
}
|
|
254
|
+
const mvEq4Lower = nextLower([eq1, eq2, eq3, eq4 + 1, eq5, eq6]);
|
|
255
|
+
const mvEq5Lower = nextLower([eq1, eq2, eq3, eq4, eq5 + 1, eq6]);
|
|
256
|
+
const scoreEq1Lower = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq1Lower];
|
|
257
|
+
const scoreEq2Lower = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq2Lower];
|
|
258
|
+
let scoreEq3Eq6Lower;
|
|
259
|
+
if (eq3 === 0 && eq6 === 0) {
|
|
260
|
+
const left = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq3Eq6LowerLeft];
|
|
261
|
+
const right = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq3Eq6LowerRight];
|
|
262
|
+
// Upstream uses the higher — NaN-safe
|
|
263
|
+
scoreEq3Eq6Lower = (left ?? -Infinity) > (right ?? -Infinity) ? left : right;
|
|
264
|
+
}
|
|
265
|
+
else if (mvEq3Eq6Lower !== null) {
|
|
266
|
+
scoreEq3Eq6Lower = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq3Eq6Lower];
|
|
267
|
+
}
|
|
268
|
+
const scoreEq4Lower = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq4Lower];
|
|
269
|
+
const scoreEq5Lower = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq5Lower];
|
|
270
|
+
// Find a max-severity composed vector within the current macrovector.
|
|
271
|
+
const eq1Maxes = getEqMaxes(mv, 1);
|
|
272
|
+
const eq2Maxes = getEqMaxes(mv, 2);
|
|
273
|
+
const eq3Eq6Maxes = getEqMaxes(mv, 3);
|
|
274
|
+
const eq4Maxes = getEqMaxes(mv, 4);
|
|
275
|
+
const eq5Maxes = getEqMaxes(mv, 5);
|
|
276
|
+
const maxVectors = [];
|
|
277
|
+
for (const a of eq1Maxes)
|
|
278
|
+
for (const b of eq2Maxes)
|
|
279
|
+
for (const c of eq3Eq6Maxes)
|
|
280
|
+
for (const d of eq4Maxes)
|
|
281
|
+
for (const eMax of eq5Maxes)
|
|
282
|
+
maxVectors.push(a + b + c + d + eMax);
|
|
283
|
+
let distances = null;
|
|
284
|
+
for (const max of maxVectors) {
|
|
285
|
+
const d = {
|
|
286
|
+
AV: LEVELS.AV[m(metrics, 'AV')] - LEVELS.AV[extractValueMetric('AV', max)],
|
|
287
|
+
PR: LEVELS.PR[m(metrics, 'PR')] - LEVELS.PR[extractValueMetric('PR', max)],
|
|
288
|
+
UI: LEVELS.UI[m(metrics, 'UI')] - LEVELS.UI[extractValueMetric('UI', max)],
|
|
289
|
+
AC: LEVELS.AC[m(metrics, 'AC')] - LEVELS.AC[extractValueMetric('AC', max)],
|
|
290
|
+
AT: LEVELS.AT[m(metrics, 'AT')] - LEVELS.AT[extractValueMetric('AT', max)],
|
|
291
|
+
VC: LEVELS.VC[m(metrics, 'VC')] - LEVELS.VC[extractValueMetric('VC', max)],
|
|
292
|
+
VI: LEVELS.VI[m(metrics, 'VI')] - LEVELS.VI[extractValueMetric('VI', max)],
|
|
293
|
+
VA: LEVELS.VA[m(metrics, 'VA')] - LEVELS.VA[extractValueMetric('VA', max)],
|
|
294
|
+
SC: LEVELS.SC[m(metrics, 'SC')] - LEVELS.SC[extractValueMetric('SC', max)],
|
|
295
|
+
SI: LEVELS.SI[m(metrics, 'SI')] - LEVELS.SI[extractValueMetric('SI', max)],
|
|
296
|
+
SA: LEVELS.SA[m(metrics, 'SA')] - LEVELS.SA[extractValueMetric('SA', max)],
|
|
297
|
+
CR: LEVELS.CR[m(metrics, 'CR')] - LEVELS.CR[extractValueMetric('CR', max)],
|
|
298
|
+
IR: LEVELS.IR[m(metrics, 'IR')] - LEVELS.IR[extractValueMetric('IR', max)],
|
|
299
|
+
AR: LEVELS.AR[m(metrics, 'AR')] - LEVELS.AR[extractValueMetric('AR', max)],
|
|
300
|
+
};
|
|
301
|
+
// Any NaN or negative → not the right max
|
|
302
|
+
const values = Object.values(d);
|
|
303
|
+
if (values.some((v) => Number.isNaN(v) || v < 0))
|
|
304
|
+
continue;
|
|
305
|
+
distances = d;
|
|
306
|
+
break;
|
|
307
|
+
}
|
|
308
|
+
// If no valid max found, treat distances as zero (no refinement).
|
|
309
|
+
const sevDistEq1 = distances ? distances.AV + distances.PR + distances.UI : 0;
|
|
310
|
+
const sevDistEq2 = distances ? distances.AC + distances.AT : 0;
|
|
311
|
+
const sevDistEq3Eq6 = distances
|
|
312
|
+
? distances.VC + distances.VI + distances.VA + distances.CR + distances.IR + distances.AR
|
|
313
|
+
: 0;
|
|
314
|
+
const sevDistEq4 = distances ? distances.SC + distances.SI + distances.SA : 0;
|
|
315
|
+
// EQ5 proportion is always 0 in upstream (max severity depth stays flat), so no sevDistEq5.
|
|
316
|
+
const maxSevEq1 = MAX_SEVERITY.eq1[eq1] * STEP;
|
|
317
|
+
const maxSevEq2 = MAX_SEVERITY.eq2[eq2] * STEP;
|
|
318
|
+
const maxSevEq3Eq6 = (MAX_SEVERITY.eq3eq6[eq3]?.[eq6] ?? 0) * STEP;
|
|
319
|
+
const maxSevEq4 = MAX_SEVERITY.eq4[eq4] * STEP;
|
|
320
|
+
const availEq1 = baseScore - (scoreEq1Lower ?? NaN);
|
|
321
|
+
const availEq2 = baseScore - (scoreEq2Lower ?? NaN);
|
|
322
|
+
const availEq3Eq6 = baseScore - (scoreEq3Eq6Lower ?? NaN);
|
|
323
|
+
const availEq4 = baseScore - (scoreEq4Lower ?? NaN);
|
|
324
|
+
const availEq5 = baseScore - (scoreEq5Lower ?? NaN);
|
|
325
|
+
let nExistingLower = 0;
|
|
326
|
+
let normEq1 = 0;
|
|
327
|
+
let normEq2 = 0;
|
|
328
|
+
let normEq3Eq6 = 0;
|
|
329
|
+
let normEq4 = 0;
|
|
330
|
+
let normEq5 = 0;
|
|
331
|
+
if (!Number.isNaN(availEq1)) {
|
|
332
|
+
nExistingLower++;
|
|
333
|
+
normEq1 = maxSevEq1 > 0 ? availEq1 * (sevDistEq1 / maxSevEq1) : 0;
|
|
334
|
+
}
|
|
335
|
+
if (!Number.isNaN(availEq2)) {
|
|
336
|
+
nExistingLower++;
|
|
337
|
+
normEq2 = maxSevEq2 > 0 ? availEq2 * (sevDistEq2 / maxSevEq2) : 0;
|
|
338
|
+
}
|
|
339
|
+
if (!Number.isNaN(availEq3Eq6)) {
|
|
340
|
+
nExistingLower++;
|
|
341
|
+
normEq3Eq6 = maxSevEq3Eq6 > 0 ? availEq3Eq6 * (sevDistEq3Eq6 / maxSevEq3Eq6) : 0;
|
|
342
|
+
}
|
|
343
|
+
if (!Number.isNaN(availEq4)) {
|
|
344
|
+
nExistingLower++;
|
|
345
|
+
normEq4 = maxSevEq4 > 0 ? availEq4 * (sevDistEq4 / maxSevEq4) : 0;
|
|
346
|
+
}
|
|
347
|
+
if (!Number.isNaN(availEq5)) {
|
|
348
|
+
nExistingLower++;
|
|
349
|
+
// EQ5 proportion is always 0 in upstream (max severity stays flat)
|
|
350
|
+
normEq5 = availEq5 * 0;
|
|
351
|
+
}
|
|
352
|
+
const meanDistance = nExistingLower === 0
|
|
353
|
+
? 0
|
|
354
|
+
: (normEq1 + normEq2 + normEq3Eq6 + normEq4 + normEq5) / nExistingLower;
|
|
355
|
+
let finalScore = baseScore - meanDistance;
|
|
356
|
+
if (finalScore < 0)
|
|
357
|
+
finalScore = 0;
|
|
358
|
+
if (finalScore > 10)
|
|
359
|
+
finalScore = 10;
|
|
360
|
+
return Math.round(finalScore * 10) / 10;
|
|
361
|
+
}
|
|
362
|
+
//# sourceMappingURL=cvss-v4.js.map
|