@vyuhlabs/dxkit 1.5.1 → 1.6.0

Files changed (257) hide show
  1. package/CHANGELOG.md +264 -0
  2. package/README.md +265 -352
  3. package/THIRD_PARTY_NOTICES.md +40 -0
  4. package/dist/analyzers/developer/detailed.d.ts +26 -0
  5. package/dist/analyzers/developer/detailed.d.ts.map +1 -0
  6. package/dist/analyzers/developer/detailed.js +193 -0
  7. package/dist/analyzers/developer/detailed.js.map +1 -0
  8. package/dist/analyzers/developer/gather.d.ts +11 -0
  9. package/dist/analyzers/developer/gather.d.ts.map +1 -0
  10. package/dist/analyzers/developer/gather.js +167 -0
  11. package/dist/analyzers/developer/gather.js.map +1 -0
  12. package/dist/analyzers/developer/index.d.ts +8 -0
  13. package/dist/analyzers/developer/index.d.ts.map +1 -0
  14. package/dist/analyzers/developer/index.js +168 -0
  15. package/dist/analyzers/developer/index.js.map +1 -0
  16. package/dist/analyzers/developer/types.d.ts +49 -0
  17. package/dist/analyzers/developer/types.d.ts.map +1 -0
  18. package/dist/analyzers/developer/types.js +6 -0
  19. package/dist/analyzers/developer/types.js.map +1 -0
  20. package/dist/analyzers/docs/shallow.d.ts +9 -0
  21. package/dist/analyzers/docs/shallow.d.ts.map +1 -0
  22. package/dist/analyzers/docs/shallow.js +8 -0
  23. package/dist/analyzers/docs/shallow.js.map +1 -0
  24. package/dist/analyzers/dx/shallow.d.ts +9 -0
  25. package/dist/analyzers/dx/shallow.d.ts.map +1 -0
  26. package/dist/analyzers/dx/shallow.js +8 -0
  27. package/dist/analyzers/dx/shallow.js.map +1 -0
  28. package/dist/analyzers/evidence.d.ts +36 -0
  29. package/dist/analyzers/evidence.d.ts.map +1 -0
  30. package/dist/analyzers/evidence.js +3 -0
  31. package/dist/analyzers/evidence.js.map +1 -0
  32. package/dist/analyzers/health/actions.d.ts +10 -0
  33. package/dist/analyzers/health/actions.d.ts.map +1 -0
  34. package/dist/analyzers/health/actions.js +284 -0
  35. package/dist/analyzers/health/actions.js.map +1 -0
  36. package/dist/analyzers/health/detailed.d.ts +26 -0
  37. package/dist/analyzers/health/detailed.d.ts.map +1 -0
  38. package/dist/analyzers/health/detailed.js +147 -0
  39. package/dist/analyzers/health/detailed.js.map +1 -0
  40. package/dist/analyzers/health.d.ts +22 -0
  41. package/dist/analyzers/health.d.ts.map +1 -0
  42. package/dist/analyzers/health.js +270 -0
  43. package/dist/analyzers/health.js.map +1 -0
  44. package/dist/analyzers/index.d.ts +3 -0
  45. package/dist/analyzers/index.d.ts.map +1 -0
  46. package/dist/analyzers/index.js +6 -0
  47. package/dist/analyzers/index.js.map +1 -0
  48. package/dist/analyzers/maintainability/shallow.d.ts +9 -0
  49. package/dist/analyzers/maintainability/shallow.d.ts.map +1 -0
  50. package/dist/analyzers/maintainability/shallow.js +8 -0
  51. package/dist/analyzers/maintainability/shallow.js.map +1 -0
  52. package/dist/analyzers/quality/actions.d.ts +5 -0
  53. package/dist/analyzers/quality/actions.d.ts.map +1 -0
  54. package/dist/analyzers/quality/actions.js +158 -0
  55. package/dist/analyzers/quality/actions.js.map +1 -0
  56. package/dist/analyzers/quality/detailed.d.ts +17 -0
  57. package/dist/analyzers/quality/detailed.d.ts.map +1 -0
  58. package/dist/analyzers/quality/detailed.js +122 -0
  59. package/dist/analyzers/quality/detailed.js.map +1 -0
  60. package/dist/analyzers/quality/gather.d.ts +38 -0
  61. package/dist/analyzers/quality/gather.d.ts.map +1 -0
  62. package/dist/analyzers/quality/gather.js +279 -0
  63. package/dist/analyzers/quality/gather.js.map +1 -0
  64. package/dist/analyzers/quality/index.d.ts +12 -0
  65. package/dist/analyzers/quality/index.d.ts.map +1 -0
  66. package/dist/analyzers/quality/index.js +281 -0
  67. package/dist/analyzers/quality/index.js.map +1 -0
  68. package/dist/analyzers/quality/shallow.d.ts +9 -0
  69. package/dist/analyzers/quality/shallow.d.ts.map +1 -0
  70. package/dist/analyzers/quality/shallow.js +8 -0
  71. package/dist/analyzers/quality/shallow.js.map +1 -0
  72. package/dist/analyzers/quality/types.d.ts +66 -0
  73. package/dist/analyzers/quality/types.d.ts.map +1 -0
  74. package/dist/analyzers/quality/types.js +3 -0
  75. package/dist/analyzers/quality/types.js.map +1 -0
  76. package/dist/analyzers/remediation.d.ts +42 -0
  77. package/dist/analyzers/remediation.d.ts.map +1 -0
  78. package/dist/analyzers/remediation.js +28 -0
  79. package/dist/analyzers/remediation.js.map +1 -0
  80. package/dist/analyzers/scoring.d.ts +32 -0
  81. package/dist/analyzers/scoring.d.ts.map +1 -0
  82. package/dist/analyzers/scoring.js +410 -0
  83. package/dist/analyzers/scoring.js.map +1 -0
  84. package/dist/analyzers/security/actions.d.ts +7 -0
  85. package/dist/analyzers/security/actions.d.ts.map +1 -0
  86. package/dist/analyzers/security/actions.js +104 -0
  87. package/dist/analyzers/security/actions.js.map +1 -0
  88. package/dist/analyzers/security/detailed.d.ts +14 -0
  89. package/dist/analyzers/security/detailed.d.ts.map +1 -0
  90. package/dist/analyzers/security/detailed.js +124 -0
  91. package/dist/analyzers/security/detailed.js.map +1 -0
  92. package/dist/analyzers/security/gather.d.ts +12 -0
  93. package/dist/analyzers/security/gather.d.ts.map +1 -0
  94. package/dist/analyzers/security/gather.js +195 -0
  95. package/dist/analyzers/security/gather.js.map +1 -0
  96. package/dist/analyzers/security/index.d.ts +8 -0
  97. package/dist/analyzers/security/index.d.ts.map +1 -0
  98. package/dist/analyzers/security/index.js +173 -0
  99. package/dist/analyzers/security/index.js.map +1 -0
  100. package/dist/analyzers/security/scoring.d.ts +29 -0
  101. package/dist/analyzers/security/scoring.d.ts.map +1 -0
  102. package/dist/analyzers/security/scoring.js +40 -0
  103. package/dist/analyzers/security/scoring.js.map +1 -0
  104. package/dist/analyzers/security/shallow.d.ts +10 -0
  105. package/dist/analyzers/security/shallow.d.ts.map +1 -0
  106. package/dist/analyzers/security/shallow.js +8 -0
  107. package/dist/analyzers/security/shallow.js.map +1 -0
  108. package/dist/analyzers/security/types.d.ts +43 -0
  109. package/dist/analyzers/security/types.d.ts.map +1 -0
  110. package/dist/analyzers/security/types.js +6 -0
  111. package/dist/analyzers/security/types.js.map +1 -0
  112. package/dist/analyzers/tests/actions.d.ts +6 -0
  113. package/dist/analyzers/tests/actions.d.ts.map +1 -0
  114. package/dist/analyzers/tests/actions.js +80 -0
  115. package/dist/analyzers/tests/actions.js.map +1 -0
  116. package/dist/analyzers/tests/detailed.d.ts +14 -0
  117. package/dist/analyzers/tests/detailed.d.ts.map +1 -0
  118. package/dist/analyzers/tests/detailed.js +121 -0
  119. package/dist/analyzers/tests/detailed.js.map +1 -0
  120. package/dist/analyzers/tests/gather.d.ts +5 -0
  121. package/dist/analyzers/tests/gather.d.ts.map +1 -0
  122. package/dist/analyzers/tests/gather.js +270 -0
  123. package/dist/analyzers/tests/gather.js.map +1 -0
  124. package/dist/analyzers/tests/import-graph.d.ts +48 -0
  125. package/dist/analyzers/tests/import-graph.d.ts.map +1 -0
  126. package/dist/analyzers/tests/import-graph.js +231 -0
  127. package/dist/analyzers/tests/import-graph.js.map +1 -0
  128. package/dist/analyzers/tests/index.d.ts +8 -0
  129. package/dist/analyzers/tests/index.d.ts.map +1 -0
  130. package/dist/analyzers/tests/index.js +247 -0
  131. package/dist/analyzers/tests/index.js.map +1 -0
  132. package/dist/analyzers/tests/scoring.d.ts +27 -0
  133. package/dist/analyzers/tests/scoring.d.ts.map +1 -0
  134. package/dist/analyzers/tests/scoring.js +38 -0
  135. package/dist/analyzers/tests/scoring.js.map +1 -0
  136. package/dist/analyzers/tests/shallow.d.ts +9 -0
  137. package/dist/analyzers/tests/shallow.d.ts.map +1 -0
  138. package/dist/analyzers/tests/shallow.js +8 -0
  139. package/dist/analyzers/tests/shallow.js.map +1 -0
  140. package/dist/analyzers/tests/types.d.ts +49 -0
  141. package/dist/analyzers/tests/types.d.ts.map +1 -0
  142. package/dist/analyzers/tests/types.js +6 -0
  143. package/dist/analyzers/tests/types.js.map +1 -0
  144. package/dist/analyzers/tools/cloc.d.ts +8 -0
  145. package/dist/analyzers/tools/cloc.d.ts.map +1 -0
  146. package/dist/analyzers/tools/cloc.js +49 -0
  147. package/dist/analyzers/tools/cloc.js.map +1 -0
  148. package/dist/analyzers/tools/coverage.d.ts +59 -0
  149. package/dist/analyzers/tools/coverage.d.ts.map +1 -0
  150. package/dist/analyzers/tools/coverage.js +280 -0
  151. package/dist/analyzers/tools/coverage.js.map +1 -0
  152. package/dist/analyzers/tools/cvss-v4-lookup.d.ts +10 -0
  153. package/dist/analyzers/tools/cvss-v4-lookup.d.ts.map +1 -0
  154. package/dist/analyzers/tools/cvss-v4-lookup.js +284 -0
  155. package/dist/analyzers/tools/cvss-v4-lookup.js.map +1 -0
  156. package/dist/analyzers/tools/cvss-v4.d.ts +24 -0
  157. package/dist/analyzers/tools/cvss-v4.d.ts.map +1 -0
  158. package/dist/analyzers/tools/cvss-v4.js +362 -0
  159. package/dist/analyzers/tools/cvss-v4.js.map +1 -0
  160. package/dist/analyzers/tools/default-exclusions.gitignore +56 -0
  161. package/dist/analyzers/tools/exclusions.d.ts +70 -0
  162. package/dist/analyzers/tools/exclusions.d.ts.map +1 -0
  163. package/dist/analyzers/tools/exclusions.js +250 -0
  164. package/dist/analyzers/tools/exclusions.js.map +1 -0
  165. package/dist/analyzers/tools/generic.d.ts +4 -0
  166. package/dist/analyzers/tools/generic.d.ts.map +1 -0
  167. package/dist/analyzers/tools/generic.js +198 -0
  168. package/dist/analyzers/tools/generic.js.map +1 -0
  169. package/dist/analyzers/tools/gitleaks.d.ts +8 -0
  170. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -0
  171. package/dist/analyzers/tools/gitleaks.js +58 -0
  172. package/dist/analyzers/tools/gitleaks.js.map +1 -0
  173. package/dist/analyzers/tools/graphify.d.ts +4 -0
  174. package/dist/analyzers/tools/graphify.d.ts.map +1 -0
  175. package/dist/analyzers/tools/graphify.js +222 -0
  176. package/dist/analyzers/tools/graphify.js.map +1 -0
  177. package/dist/analyzers/tools/osv.d.ts +51 -0
  178. package/dist/analyzers/tools/osv.d.ts.map +1 -0
  179. package/dist/analyzers/tools/osv.js +188 -0
  180. package/dist/analyzers/tools/osv.js.map +1 -0
  181. package/dist/analyzers/tools/parallel.d.ts +8 -0
  182. package/dist/analyzers/tools/parallel.d.ts.map +1 -0
  183. package/dist/analyzers/tools/parallel.js +195 -0
  184. package/dist/analyzers/tools/parallel.js.map +1 -0
  185. package/dist/analyzers/tools/runner.d.ts +13 -0
  186. package/dist/analyzers/tools/runner.d.ts.map +1 -0
  187. package/dist/analyzers/tools/runner.js +109 -0
  188. package/dist/analyzers/tools/runner.js.map +1 -0
  189. package/dist/analyzers/tools/suppressions.d.ts +55 -0
  190. package/dist/analyzers/tools/suppressions.d.ts.map +1 -0
  191. package/dist/analyzers/tools/suppressions.js +203 -0
  192. package/dist/analyzers/tools/suppressions.js.map +1 -0
  193. package/dist/analyzers/tools/timing.d.ts +9 -0
  194. package/dist/analyzers/tools/timing.d.ts.map +1 -0
  195. package/dist/analyzers/tools/timing.js +29 -0
  196. package/dist/analyzers/tools/timing.js.map +1 -0
  197. package/dist/analyzers/tools/tool-registry.d.ts +86 -0
  198. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -0
  199. package/dist/analyzers/tools/tool-registry.js +705 -0
  200. package/dist/analyzers/tools/tool-registry.js.map +1 -0
  201. package/dist/analyzers/types.d.ts +125 -0
  202. package/dist/analyzers/types.d.ts.map +1 -0
  203. package/dist/analyzers/types.js +11 -0
  204. package/dist/analyzers/types.js.map +1 -0
  205. package/dist/cli.d.ts.map +1 -1
  206. package/dist/cli.js +405 -0
  207. package/dist/cli.js.map +1 -1
  208. package/dist/detect.d.ts.map +1 -1
  209. package/dist/detect.js +24 -15
  210. package/dist/detect.js.map +1 -1
  211. package/dist/languages/csharp.d.ts +5 -0
  212. package/dist/languages/csharp.d.ts.map +1 -0
  213. package/dist/languages/csharp.js +265 -0
  214. package/dist/languages/csharp.js.map +1 -0
  215. package/dist/languages/go.d.ts +11 -0
  216. package/dist/languages/go.d.ts.map +1 -0
  217. package/dist/languages/go.js +321 -0
  218. package/dist/languages/go.js.map +1 -0
  219. package/dist/languages/index.d.ts +6 -0
  220. package/dist/languages/index.d.ts.map +1 -0
  221. package/dist/languages/index.js +18 -0
  222. package/dist/languages/index.js.map +1 -0
  223. package/dist/languages/python.d.ts +3 -0
  224. package/dist/languages/python.d.ts.map +1 -0
  225. package/dist/languages/python.js +284 -0
  226. package/dist/languages/python.js.map +1 -0
  227. package/dist/languages/rust.d.ts +17 -0
  228. package/dist/languages/rust.d.ts.map +1 -0
  229. package/dist/languages/rust.js +333 -0
  230. package/dist/languages/rust.js.map +1 -0
  231. package/dist/languages/types.d.ts +38 -0
  232. package/dist/languages/types.d.ts.map +1 -0
  233. package/dist/languages/types.js +3 -0
  234. package/dist/languages/types.js.map +1 -0
  235. package/dist/languages/typescript.d.ts +15 -0
  236. package/dist/languages/typescript.d.ts.map +1 -0
  237. package/dist/languages/typescript.js +353 -0
  238. package/dist/languages/typescript.js.map +1 -0
  239. package/dist/logger.d.ts +1 -0
  240. package/dist/logger.d.ts.map +1 -1
  241. package/dist/logger.js +25 -12
  242. package/dist/logger.js.map +1 -1
  243. package/dist/project-yaml.d.ts.map +1 -1
  244. package/dist/project-yaml.js +1 -0
  245. package/dist/project-yaml.js.map +1 -1
  246. package/dist/tools-cli.d.ts +2 -0
  247. package/dist/tools-cli.d.ts.map +1 -0
  248. package/dist/tools-cli.js +231 -0
  249. package/dist/tools-cli.js.map +1 -0
  250. package/dist/types.d.ts +10 -0
  251. package/dist/types.d.ts.map +1 -1
  252. package/package.json +6 -2
  253. package/templates/.claude/commands/dev-report.md +34 -4
  254. package/templates/.claude/commands/health.md +45 -2
  255. package/templates/.claude/commands/quality.md.template +38 -15
  256. package/templates/.claude/commands/test-gaps.md +36 -2
  257. package/templates/.claude/commands/vulnerabilities.md +36 -2
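--- a/package/dist/analyzers/tools/cvss-v4-lookup.js
+++ b/package/dist/analyzers/tools/cvss-v4-lookup.js
@@ -0,0 +1,284 @@
+ "use strict";
+ Object.defineProperty(exports, "__esModule", { value: true });
+ exports.CVSS_V4_LOOKUP = void 0;
+ /**
+ * CVSS v4.0 MacroVector → base score lookup table.
+ * 270 entries, one per valid macrovector.
+ *
+ * Source: https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/main/cvss_lookup.js
+ * Copyright FIRST, Red Hat, and contributors. SPDX-License-Identifier: BSD-2-Clause.
+ * See THIRD_PARTY_NOTICES.md for attribution.
+ */
+ exports.CVSS_V4_LOOKUP = {
+ '000000': 10,
+ '000001': 9.9,
+ '000010': 9.8,
+ '000011': 9.5,
+ '000020': 9.5,
+ '000021': 9.2,
+ '000100': 10,
+ '000101': 9.6,
+ '000110': 9.3,
+ '000111': 8.7,
+ '000120': 9.1,
+ '000121': 8.1,
+ '000200': 9.3,
+ '000201': 9,
+ '000210': 8.9,
+ '000211': 8,
+ '000220': 8.1,
+ '000221': 6.8,
+ '001000': 9.8,
+ '001001': 9.5,
+ '001010': 9.5,
+ '001011': 9.2,
+ '001020': 9,
+ '001021': 8.4,
+ '001100': 9.3,
+ '001101': 9.2,
+ '001110': 8.9,
+ '001111': 8.1,
+ '001120': 8.1,
+ '001121': 6.5,
+ '001200': 8.8,
+ '001201': 8,
+ '001210': 7.8,
+ '001211': 7,
+ '001220': 6.9,
+ '001221': 4.8,
+ '002001': 9.2,
+ '002011': 8.2,
+ '002021': 7.2,
+ '002101': 7.9,
+ '002111': 6.9,
+ '002121': 5,
+ '002201': 6.9,
+ '002211': 5.5,
+ '002221': 2.7,
+ '010000': 9.9,
+ '010001': 9.7,
+ '010010': 9.5,
+ '010011': 9.2,
+ '010020': 9.2,
+ '010021': 8.5,
+ '010100': 9.5,
+ '010101': 9.1,
+ '010110': 9,
+ '010111': 8.3,
+ '010120': 8.4,
+ '010121': 7.1,
+ '010200': 9.2,
+ '010201': 8.1,
+ '010210': 8.2,
+ '010211': 7.1,
+ '010220': 7.2,
+ '010221': 5.3,
+ '011000': 9.5,
+ '011001': 9.3,
+ '011010': 9.2,
+ '011011': 8.5,
+ '011020': 8.5,
+ '011021': 7.3,
+ '011100': 9.2,
+ '011101': 8.2,
+ '011110': 8,
+ '011111': 7.2,
+ '011120': 7,
+ '011121': 5.9,
+ '011200': 8.4,
+ '011201': 7,
+ '011210': 7.1,
+ '011211': 5.2,
+ '011220': 5,
+ '011221': 3,
+ '012001': 8.6,
+ '012011': 7.5,
+ '012021': 5.2,
+ '012101': 7.1,
+ '012111': 5.2,
+ '012121': 2.9,
+ '012201': 6.3,
+ '012211': 2.9,
+ '012221': 1.7,
+ '100000': 9.8,
+ '100001': 9.5,
+ '100010': 9.4,
+ '100011': 8.7,
+ '100020': 9.1,
+ '100021': 8.1,
+ '100100': 9.4,
+ '100101': 8.9,
+ '100110': 8.6,
+ '100111': 7.4,
+ '100120': 7.7,
+ '100121': 6.4,
+ '100200': 8.7,
+ '100201': 7.5,
+ '100210': 7.4,
+ '100211': 6.3,
+ '100220': 6.3,
+ '100221': 4.9,
+ '101000': 9.4,
+ '101001': 8.9,
+ '101010': 8.8,
+ '101011': 7.7,
+ '101020': 7.6,
+ '101021': 6.7,
+ '101100': 8.6,
+ '101101': 7.6,
+ '101110': 7.4,
+ '101111': 5.8,
+ '101120': 5.9,
+ '101121': 5,
+ '101200': 7.2,
+ '101201': 5.7,
+ '101210': 5.7,
+ '101211': 5.2,
+ '101220': 5.2,
+ '101221': 2.5,
+ '102001': 8.3,
+ '102011': 7,
+ '102021': 5.4,
+ '102101': 6.5,
+ '102111': 5.8,
+ '102121': 2.6,
+ '102201': 5.3,
+ '102211': 2.1,
+ '102221': 1.3,
+ '110000': 9.5,
+ '110001': 9,
+ '110010': 8.8,
+ '110011': 7.6,
+ '110020': 7.6,
+ '110021': 7,
+ '110100': 9,
+ '110101': 7.7,
+ '110110': 7.5,
+ '110111': 6.2,
+ '110120': 6.1,
+ '110121': 5.3,
+ '110200': 7.7,
+ '110201': 6.6,
+ '110210': 6.8,
+ '110211': 5.9,
+ '110220': 5.2,
+ '110221': 3,
+ '111000': 8.9,
+ '111001': 7.8,
+ '111010': 7.6,
+ '111011': 6.7,
+ '111020': 6.2,
+ '111021': 5.8,
+ '111100': 7.4,
+ '111101': 5.9,
+ '111110': 5.7,
+ '111111': 5.7,
+ '111120': 4.7,
+ '111121': 2.3,
+ '111200': 6.1,
+ '111201': 5.2,
+ '111210': 5.7,
+ '111211': 2.9,
+ '111220': 2.4,
+ '111221': 1.6,
+ '112001': 7.1,
+ '112011': 5.9,
+ '112021': 3,
+ '112101': 5.8,
+ '112111': 2.6,
+ '112121': 1.5,
+ '112201': 2.3,
+ '112211': 1.3,
+ '112221': 0.6,
+ '200000': 9.3,
+ '200001': 8.7,
+ '200010': 8.6,
+ '200011': 7.2,
+ '200020': 7.5,
+ '200021': 5.8,
+ '200100': 8.6,
+ '200101': 7.4,
+ '200110': 7.4,
+ '200111': 6.1,
+ '200120': 5.6,
+ '200121': 3.4,
+ '200200': 7,
+ '200201': 5.4,
+ '200210': 5.2,
+ '200211': 4,
+ '200220': 4,
+ '200221': 2.2,
+ '201000': 8.5,
+ '201001': 7.5,
+ '201010': 7.4,
+ '201011': 5.5,
+ '201020': 6.2,
+ '201021': 5.1,
+ '201100': 7.2,
+ '201101': 5.7,
+ '201110': 5.5,
+ '201111': 4.1,
+ '201120': 4.6,
+ '201121': 1.9,
+ '201200': 5.3,
+ '201201': 3.6,
+ '201210': 3.4,
+ '201211': 1.9,
+ '201220': 1.9,
+ '201221': 0.8,
+ '202001': 6.4,
+ '202011': 5.1,
+ '202021': 2,
+ '202101': 4.7,
+ '202111': 2.1,
+ '202121': 1.1,
+ '202201': 2.4,
+ '202211': 0.9,
+ '202221': 0.4,
+ '210000': 8.8,
+ '210001': 7.5,
+ '210010': 7.3,
+ '210011': 5.3,
+ '210020': 6,
+ '210021': 5,
+ '210100': 7.3,
+ '210101': 5.5,
+ '210110': 5.9,
+ '210111': 4,
+ '210120': 4.1,
+ '210121': 2,
+ '210200': 5.4,
+ '210201': 4.3,
+ '210210': 4.5,
+ '210211': 2.2,
+ '210220': 2,
+ '210221': 1.1,
+ '211000': 7.5,
+ '211001': 5.5,
+ '211010': 5.8,
+ '211011': 4.5,
+ '211020': 4,
+ '211021': 2.1,
+ '211100': 6.1,
+ '211101': 5.1,
+ '211110': 4.8,
+ '211111': 1.8,
+ '211120': 2,
+ '211121': 0.9,
+ '211200': 4.6,
+ '211201': 1.8,
+ '211210': 1.7,
+ '211211': 0.7,
+ '211220': 0.8,
+ '211221': 0.2,
+ '212001': 5.3,
+ '212011': 2.4,
+ '212021': 1.4,
+ '212101': 2.4,
+ '212111': 1.2,
+ '212121': 0.5,
+ '212201': 1,
+ '212211': 0.3,
+ '212221': 0.1,
+ };
+ //# sourceMappingURL=cvss-v4-lookup.js.map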
@@ -0,0 +1 @@
1
+ {"version":3,"file":"cvss-v4-lookup.js","sourceRoot":"","sources":["../../../src/analyzers/tools/cvss-v4-lookup.ts"],"names":[],"mappings":";;;AAAA;;;;;;;GAOG;AACU,QAAA,cAAc,GAA2B;IACpD,QAAQ,EAAE,EAAE;IACZ,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,EAAE;IACZ,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GA
AG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GA
AG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,GAAG;IACb,QAAQ,EAAE,GAAG;CACd,CAAC"}
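--- a/package/dist/analyzers/tools/cvss-v4.d.ts
+++ b/package/dist/analyzers/tools/cvss-v4.d.ts
@@ -0,0 +1,24 @@
+ /**
+ * CVSS v4.0 base score calculator.
+ *
+ * Port of FIRST's reference implementation into deterministic TypeScript.
+ * Source: https://github.com/FIRSTdotorg/cvss-v4-calculator
+ *
+ * The lookup table, max-severity data, and max-composed vectors are taken
+ * verbatim from the upstream project. The scoring algorithm (macrovector
+ * computation + severity-distance refinement) mirrors cvss_score.js.
+ *
+ * Copyright FIRST, Red Hat, and contributors (for embedded data tables
+ * and algorithm shape). SPDX-License-Identifier: BSD-2-Clause.
+ * See THIRD_PARTY_NOTICES.md for full attribution.
+ *
+ * Typical usage:
+ * const score = parseCvssV4BaseScore('CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N');
+ * // => 9.3
+ */
+ /**
+ * Main entry point: compute a CVSS v4 base score from a vector string.
+ * Returns null on malformed input. Range: 0.0 to 10.0, one decimal.
+ */
+ export declare function parseCvssV4BaseScore(vector: string): number | null;
+ //# sourceMappingURL=cvss-v4.d.ts.map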
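Review bot: The doc comment on `parseCvssV4BaseScore` says only "Returns null on malformed input", which does not tell callers what counts as malformed or that `null` must be kept apart from a legitimate `0` score in the documented 0.0–10.0 range. In a vulnerability report, a truthiness check such as `if (!score)` or a fallback such as `score ?? 0` would rank an unparseable vector as no severity, so I would extend the comment along the lines of `Returns null (never 0) when the vector is not a well-formed CVSS:4.0 string; treat null as "unscored", not as severity 0.` Whether a non-4.0 prefix, a missing mandatory metric or an unknown metric value yields null cannot be confirmed from this declaration, so the comment should say so explicitly. The file header also states that the tables are taken verbatim from upstream without naming the upstream commit or tag; recording it would let a reader verify the copy.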
@@ -0,0 +1 @@
1
+ {"version":3,"file":"cvss-v4.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/cvss-v4.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AA0LH;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAwLlE"}
@@ -0,0 +1,362 @@
1
+ "use strict";
2
+ /**
3
+ * CVSS v4.0 base score calculator.
4
+ *
5
+ * Port of FIRST's reference implementation into deterministic TypeScript.
6
+ * Source: https://github.com/FIRSTdotorg/cvss-v4-calculator
7
+ *
8
+ * The lookup table, max-severity data, and max-composed vectors are taken
9
+ * verbatim from the upstream project. The scoring algorithm (macrovector
10
+ * computation + severity-distance refinement) mirrors cvss_score.js.
11
+ *
12
+ * Copyright FIRST, Red Hat, and contributors (for embedded data tables
13
+ * and algorithm shape). SPDX-License-Identifier: BSD-2-Clause.
14
+ * See THIRD_PARTY_NOTICES.md for full attribution.
15
+ *
16
+ * Typical usage:
17
+ * const score = parseCvssV4BaseScore('CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N');
18
+ * // => 9.3
19
+ */
20
+ Object.defineProperty(exports, "__esModule", { value: true });
21
+ exports.parseCvssV4BaseScore = parseCvssV4BaseScore;
22
+ const cvss_v4_lookup_1 = require("./cvss-v4-lookup");
23
+ /** Max severity depth per equivalence set (lower macrovector distance). */
24
+ const MAX_SEVERITY = {
25
+ eq1: { 0: 1, 1: 4, 2: 5 },
26
+ eq2: { 0: 1, 1: 2 },
27
+ eq3eq6: {
28
+ 0: { 0: 7, 1: 6 },
29
+ 1: { 0: 8, 1: 8 },
30
+ 2: { 1: 10 },
31
+ },
32
+ eq4: { 0: 6, 1: 5, 2: 4 },
33
+ eq5: { 0: 1, 1: 1, 2: 1 },
34
+ };
35
+ /** Max-composed vectors per (eq, level) — representative highest-severity vectors. */
36
+ const MAX_COMPOSED = {
37
+ eq1: {
38
+ 0: ['AV:N/PR:N/UI:N/'],
39
+ 1: ['AV:A/PR:N/UI:N/', 'AV:N/PR:L/UI:N/', 'AV:N/PR:N/UI:P/'],
40
+ 2: ['AV:P/PR:N/UI:N/', 'AV:A/PR:L/UI:P/'],
41
+ },
42
+ eq2: {
43
+ 0: ['AC:L/AT:N/'],
44
+ 1: ['AC:H/AT:N/', 'AC:L/AT:P/'],
45
+ },
46
+ eq3: {
47
+ 0: {
48
+ '0': ['VC:H/VI:H/VA:H/CR:H/IR:H/AR:H/'],
49
+ '1': ['VC:H/VI:H/VA:L/CR:M/IR:M/AR:H/', 'VC:H/VI:H/VA:H/CR:M/IR:M/AR:M/'],
50
+ },
51
+ 1: {
52
+ '0': ['VC:L/VI:H/VA:H/CR:H/IR:H/AR:H/', 'VC:H/VI:L/VA:H/CR:H/IR:H/AR:H/'],
53
+ '1': [
54
+ 'VC:L/VI:H/VA:L/CR:H/IR:M/AR:H/',
55
+ 'VC:L/VI:H/VA:H/CR:H/IR:M/AR:M/',
56
+ 'VC:H/VI:L/VA:H/CR:M/IR:H/AR:M/',
57
+ 'VC:H/VI:L/VA:L/CR:M/IR:H/AR:H/',
58
+ 'VC:L/VI:L/VA:H/CR:H/IR:H/AR:M/',
59
+ ],
60
+ },
61
+ 2: { '1': ['VC:L/VI:L/VA:L/CR:H/IR:H/AR:H/'] },
62
+ },
63
+ eq4: {
64
+ 0: ['SC:H/SI:S/SA:S/'],
65
+ 1: ['SC:H/SI:H/SA:H/'],
66
+ 2: ['SC:L/SI:L/SA:L/'],
67
+ },
68
+ eq5: {
69
+ 0: ['E:A/'],
70
+ 1: ['E:P/'],
71
+ 2: ['E:U/'],
72
+ },
73
+ };
74
+ /** Ordinal weights per metric value — used in severity-distance calculation. */
75
+ const LEVELS = {
76
+ AV: { N: 0.0, A: 0.1, L: 0.2, P: 0.3 },
77
+ PR: { N: 0.0, L: 0.1, H: 0.2 },
78
+ UI: { N: 0.0, P: 0.1, A: 0.2 },
79
+ AC: { L: 0.0, H: 0.1 },
80
+ AT: { N: 0.0, P: 0.1 },
81
+ VC: { H: 0.0, L: 0.1, N: 0.2 },
82
+ VI: { H: 0.0, L: 0.1, N: 0.2 },
83
+ VA: { H: 0.0, L: 0.1, N: 0.2 },
84
+ SC: { H: 0.1, L: 0.2, N: 0.3 },
85
+ SI: { S: 0.0, H: 0.1, L: 0.2, N: 0.3 },
86
+ SA: { S: 0.0, H: 0.1, L: 0.2, N: 0.3 },
87
+ CR: { H: 0.0, M: 0.1, L: 0.2 },
88
+ IR: { H: 0.0, M: 0.1, L: 0.2 },
89
+ AR: { H: 0.0, M: 0.1, L: 0.2 },
90
+ };
91
+ const STEP = 0.1;
92
+ /**
93
+ * Resolve a metric value accounting for "X" (not defined) defaults and
94
+ * environmental modifiers (M-prefixed metrics override base values).
95
+ *
96
+ * Defaults when X:
97
+ * E → A (Attacked)
98
+ * CR, IR, AR → H (High)
99
+ * Modified metrics (M*) → base metric value
100
+ */
101
+ function m(metrics, metric) {
102
+ const selected = metrics.get(metric) ?? 'X';
103
+ if (metric === 'E' && selected === 'X')
104
+ return 'A';
105
+ if ((metric === 'CR' || metric === 'IR' || metric === 'AR') && selected === 'X')
106
+ return 'H';
107
+ // For base metrics, check if a Modified override is present
108
+ const modifiedKey = 'M' + metric;
109
+ if (metrics.has(modifiedKey)) {
110
+ const mod = metrics.get(modifiedKey);
111
+ if (mod && mod !== 'X')
112
+ return mod;
113
+ }
114
+ return selected;
115
+ }
116
+ /** Compute the 6-digit macrovector string for a metrics map. */
117
+ function macroVector(metrics) {
118
+ // EQ1: 0 = AV:N AND PR:N AND UI:N
119
+ // 1 = (AV:N OR PR:N OR UI:N) AND NOT (all three N) AND NOT AV:P
120
+ // 2 = AV:P OR NOT (AV:N OR PR:N OR UI:N)
121
+ const av = m(metrics, 'AV');
122
+ const pr = m(metrics, 'PR');
123
+ const ui = m(metrics, 'UI');
124
+ let eq1;
125
+ if (av === 'N' && pr === 'N' && ui === 'N')
126
+ eq1 = 0;
127
+ else if ((av === 'N' || pr === 'N' || ui === 'N') &&
128
+ !(av === 'N' && pr === 'N' && ui === 'N') &&
129
+ av !== 'P')
130
+ eq1 = 1;
131
+ else
132
+ eq1 = 2; // AV:P OR none of them N
133
+ // EQ2: 0 = AC:L AND AT:N, else 1
134
+ const ac = m(metrics, 'AC');
135
+ const at = m(metrics, 'AT');
136
+ const eq2 = ac === 'L' && at === 'N' ? 0 : 1;
137
+ // EQ3: 0 = VC:H AND VI:H
138
+ // 1 = NOT (VC:H AND VI:H) AND (VC:H OR VI:H OR VA:H)
139
+ // 2 = NOT (VC:H OR VI:H OR VA:H)
140
+ const vc = m(metrics, 'VC');
141
+ const vi = m(metrics, 'VI');
142
+ const va = m(metrics, 'VA');
143
+ let eq3;
144
+ if (vc === 'H' && vi === 'H')
145
+ eq3 = 0;
146
+ else if (!(vc === 'H' && vi === 'H') && (vc === 'H' || vi === 'H' || va === 'H'))
147
+ eq3 = 1;
148
+ else
149
+ eq3 = 2;
150
+ // EQ4: 0 = MSI:S OR MSA:S
151
+ // 1 = NOT (MSI:S OR MSA:S) AND (SC:H OR SI:H OR SA:H)
152
+ // 2 = NOT (MSI:S OR MSA:S) AND NOT (SC:H OR SI:H OR SA:H)
153
+ const msi = m(metrics, 'MSI');
154
+ const msa = m(metrics, 'MSA');
155
+ const sc = m(metrics, 'SC');
156
+ const si = m(metrics, 'SI');
157
+ const sa = m(metrics, 'SA');
158
+ let eq4;
159
+ if (msi === 'S' || msa === 'S')
160
+ eq4 = 0;
161
+ else if (sc === 'H' || si === 'H' || sa === 'H')
162
+ eq4 = 1;
163
+ else
164
+ eq4 = 2;
165
+ // EQ5: 0 = E:A, 1 = E:P, 2 = E:U
166
+ const e = m(metrics, 'E');
167
+ const eq5 = e === 'A' ? 0 : e === 'P' ? 1 : 2;
168
+ // EQ6: 0 = (CR:H AND VC:H) OR (IR:H AND VI:H) OR (AR:H AND VA:H)
169
+ // 1 = otherwise
170
+ const cr = m(metrics, 'CR');
171
+ const ir = m(metrics, 'IR');
172
+ const ar = m(metrics, 'AR');
173
+ const eq6 = (cr === 'H' && vc === 'H') || (ir === 'H' && vi === 'H') || (ar === 'H' && va === 'H') ? 0 : 1;
174
+ return `${eq1}${eq2}${eq3}${eq4}${eq5}${eq6}`;
175
+ }
176
+ /** Pull a metric's value out of a composed-vector fragment like "AV:N/PR:L/UI:N/". */
177
+ function extractValueMetric(metric, str) {
178
+ const idx = str.indexOf(metric + ':');
179
+ if (idx < 0)
180
+ return '';
181
+ const start = idx + metric.length + 1;
182
+ const end = str.indexOf('/', start);
183
+ return end < 0 ? str.slice(start) : str.slice(start, end);
184
+ }
185
+ /** Get max composed vectors for (eq, macrovector). eq=3 is indexed by both eq3 and eq6. */
186
+ function getEqMaxes(mv, eq) {
187
+ const key = 'eq' + eq;
188
+ const level = parseInt(mv[eq - 1], 10);
189
+ const entry = MAX_COMPOSED[key][level];
190
+ if (Array.isArray(entry))
191
+ return entry;
192
+ // eq3 — entry is a map keyed by eq6
193
+ const eq6 = mv[5];
194
+ return entry[eq6] ?? [];
195
+ }
196
+ /**
197
+ * Main entry point: compute a CVSS v4 base score from a vector string.
198
+ * Returns null on malformed input. Range: 0.0 to 10.0, one decimal.
199
+ */
200
+ function parseCvssV4BaseScore(vector) {
201
+ if (!vector.startsWith('CVSS:4.'))
202
+ return null;
203
+ const metrics = new Map();
204
+ for (const kv of vector.split('/').slice(1)) {
205
+ const [k, v] = kv.split(':');
206
+ if (k && v)
207
+ metrics.set(k, v);
208
+ }
209
+ // Required base metrics
210
+ for (const req of ['AV', 'AC', 'AT', 'PR', 'UI', 'VC', 'VI', 'VA', 'SC', 'SI', 'SA']) {
211
+ if (!metrics.has(req))
212
+ return null;
213
+ }
214
+ // Shortcut: no impact at all → 0
215
+ const impactMetrics = ['VC', 'VI', 'VA', 'SC', 'SI', 'SA'];
216
+ if (impactMetrics.every((k) => m(metrics, k) === 'N'))
217
+ return 0;
218
+ const mv = macroVector(metrics);
219
+ const baseScore = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mv];
220
+ if (baseScore === undefined)
221
+ return null;
222
+ // Severity-distance refinement (see cvss_score.js in upstream).
223
+ const eq1 = parseInt(mv[0], 10);
224
+ const eq2 = parseInt(mv[1], 10);
225
+ const eq3 = parseInt(mv[2], 10);
226
+ const eq4 = parseInt(mv[3], 10);
227
+ const eq5 = parseInt(mv[4], 10);
228
+ const eq6 = parseInt(mv[5], 10);
229
+ // Compute next-lower macrovectors per eq (may not exist).
230
+ const nextLower = (digits) => digits.join('');
231
+ const mvEq1Lower = nextLower([eq1 + 1, eq2, eq3, eq4, eq5, eq6]);
232
+ const mvEq2Lower = nextLower([eq1, eq2 + 1, eq3, eq4, eq5, eq6]);
233
+ // eq3 and eq6 are entangled (spec quirk).
234
+ let mvEq3Eq6LowerLeft = null;
235
+ let mvEq3Eq6LowerRight = null;
236
+ let mvEq3Eq6Lower = null;
237
+ if (eq3 === 1 && eq6 === 1) {
238
+ mvEq3Eq6Lower = nextLower([eq1, eq2, eq3 + 1, eq4, eq5, eq6]);
239
+ }
240
+ else if (eq3 === 0 && eq6 === 1) {
241
+ mvEq3Eq6Lower = nextLower([eq1, eq2, eq3 + 1, eq4, eq5, eq6]);
242
+ }
243
+ else if (eq3 === 1 && eq6 === 0) {
244
+ mvEq3Eq6Lower = nextLower([eq1, eq2, eq3, eq4, eq5, eq6 + 1]);
245
+ }
246
+ else if (eq3 === 0 && eq6 === 0) {
247
+ mvEq3Eq6LowerLeft = nextLower([eq1, eq2, eq3, eq4, eq5, eq6 + 1]);
248
+ mvEq3Eq6LowerRight = nextLower([eq1, eq2, eq3 + 1, eq4, eq5, eq6]);
249
+ }
250
+ else {
251
+ // 21 → 32 (doesn't exist, produces NaN lookup which is fine)
252
+ mvEq3Eq6Lower = nextLower([eq1, eq2, eq3 + 1, eq4, eq5, eq6 + 1]);
253
+ }
254
+ const mvEq4Lower = nextLower([eq1, eq2, eq3, eq4 + 1, eq5, eq6]);
255
+ const mvEq5Lower = nextLower([eq1, eq2, eq3, eq4, eq5 + 1, eq6]);
256
+ const scoreEq1Lower = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq1Lower];
257
+ const scoreEq2Lower = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq2Lower];
258
+ let scoreEq3Eq6Lower;
259
+ if (eq3 === 0 && eq6 === 0) {
260
+ const left = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq3Eq6LowerLeft];
261
+ const right = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq3Eq6LowerRight];
262
+ // Upstream uses the higher — NaN-safe
263
+ scoreEq3Eq6Lower = (left ?? -Infinity) > (right ?? -Infinity) ? left : right;
264
+ }
265
+ else if (mvEq3Eq6Lower !== null) {
266
+ scoreEq3Eq6Lower = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq3Eq6Lower];
267
+ }
268
+ const scoreEq4Lower = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq4Lower];
269
+ const scoreEq5Lower = cvss_v4_lookup_1.CVSS_V4_LOOKUP[mvEq5Lower];
270
+ // Find a max-severity composed vector within the current macrovector.
271
+ const eq1Maxes = getEqMaxes(mv, 1);
272
+ const eq2Maxes = getEqMaxes(mv, 2);
273
+ const eq3Eq6Maxes = getEqMaxes(mv, 3);
274
+ const eq4Maxes = getEqMaxes(mv, 4);
275
+ const eq5Maxes = getEqMaxes(mv, 5);
276
+ const maxVectors = [];
277
+ for (const a of eq1Maxes)
278
+ for (const b of eq2Maxes)
279
+ for (const c of eq3Eq6Maxes)
280
+ for (const d of eq4Maxes)
281
+ for (const eMax of eq5Maxes)
282
+ maxVectors.push(a + b + c + d + eMax);
283
+ let distances = null;
284
+ for (const max of maxVectors) {
285
+ const d = {
286
+ AV: LEVELS.AV[m(metrics, 'AV')] - LEVELS.AV[extractValueMetric('AV', max)],
287
+ PR: LEVELS.PR[m(metrics, 'PR')] - LEVELS.PR[extractValueMetric('PR', max)],
288
+ UI: LEVELS.UI[m(metrics, 'UI')] - LEVELS.UI[extractValueMetric('UI', max)],
289
+ AC: LEVELS.AC[m(metrics, 'AC')] - LEVELS.AC[extractValueMetric('AC', max)],
290
+ AT: LEVELS.AT[m(metrics, 'AT')] - LEVELS.AT[extractValueMetric('AT', max)],
291
+ VC: LEVELS.VC[m(metrics, 'VC')] - LEVELS.VC[extractValueMetric('VC', max)],
292
+ VI: LEVELS.VI[m(metrics, 'VI')] - LEVELS.VI[extractValueMetric('VI', max)],
293
+ VA: LEVELS.VA[m(metrics, 'VA')] - LEVELS.VA[extractValueMetric('VA', max)],
294
+ SC: LEVELS.SC[m(metrics, 'SC')] - LEVELS.SC[extractValueMetric('SC', max)],
295
+ SI: LEVELS.SI[m(metrics, 'SI')] - LEVELS.SI[extractValueMetric('SI', max)],
296
+ SA: LEVELS.SA[m(metrics, 'SA')] - LEVELS.SA[extractValueMetric('SA', max)],
297
+ CR: LEVELS.CR[m(metrics, 'CR')] - LEVELS.CR[extractValueMetric('CR', max)],
298
+ IR: LEVELS.IR[m(metrics, 'IR')] - LEVELS.IR[extractValueMetric('IR', max)],
299
+ AR: LEVELS.AR[m(metrics, 'AR')] - LEVELS.AR[extractValueMetric('AR', max)],
300
+ };
301
+ // Any NaN or negative → not the right max
302
+ const values = Object.values(d);
303
+ if (values.some((v) => Number.isNaN(v) || v < 0))
304
+ continue;
305
+ distances = d;
306
+ break;
307
+ }
308
+ // If no valid max found, treat distances as zero (no refinement).
309
+ const sevDistEq1 = distances ? distances.AV + distances.PR + distances.UI : 0;
310
+ const sevDistEq2 = distances ? distances.AC + distances.AT : 0;
311
+ const sevDistEq3Eq6 = distances
312
+ ? distances.VC + distances.VI + distances.VA + distances.CR + distances.IR + distances.AR
313
+ : 0;
314
+ const sevDistEq4 = distances ? distances.SC + distances.SI + distances.SA : 0;
315
+ // EQ5 proportion is always 0 in upstream (max severity depth stays flat), so no sevDistEq5.
316
+ const maxSevEq1 = MAX_SEVERITY.eq1[eq1] * STEP;
317
+ const maxSevEq2 = MAX_SEVERITY.eq2[eq2] * STEP;
318
+ const maxSevEq3Eq6 = (MAX_SEVERITY.eq3eq6[eq3]?.[eq6] ?? 0) * STEP;
319
+ const maxSevEq4 = MAX_SEVERITY.eq4[eq4] * STEP;
320
+ const availEq1 = baseScore - (scoreEq1Lower ?? NaN);
321
+ const availEq2 = baseScore - (scoreEq2Lower ?? NaN);
322
+ const availEq3Eq6 = baseScore - (scoreEq3Eq6Lower ?? NaN);
323
+ const availEq4 = baseScore - (scoreEq4Lower ?? NaN);
324
+ const availEq5 = baseScore - (scoreEq5Lower ?? NaN);
325
+ let nExistingLower = 0;
326
+ let normEq1 = 0;
327
+ let normEq2 = 0;
328
+ let normEq3Eq6 = 0;
329
+ let normEq4 = 0;
330
+ let normEq5 = 0;
331
+ if (!Number.isNaN(availEq1)) {
332
+ nExistingLower++;
333
+ normEq1 = maxSevEq1 > 0 ? availEq1 * (sevDistEq1 / maxSevEq1) : 0;
334
+ }
335
+ if (!Number.isNaN(availEq2)) {
336
+ nExistingLower++;
337
+ normEq2 = maxSevEq2 > 0 ? availEq2 * (sevDistEq2 / maxSevEq2) : 0;
338
+ }
339
+ if (!Number.isNaN(availEq3Eq6)) {
340
+ nExistingLower++;
341
+ normEq3Eq6 = maxSevEq3Eq6 > 0 ? availEq3Eq6 * (sevDistEq3Eq6 / maxSevEq3Eq6) : 0;
342
+ }
343
+ if (!Number.isNaN(availEq4)) {
344
+ nExistingLower++;
345
+ normEq4 = maxSevEq4 > 0 ? availEq4 * (sevDistEq4 / maxSevEq4) : 0;
346
+ }
347
+ if (!Number.isNaN(availEq5)) {
348
+ nExistingLower++;
349
+ // EQ5 proportion is always 0 in upstream (max severity stays flat)
350
+ normEq5 = availEq5 * 0;
351
+ }
352
+ const meanDistance = nExistingLower === 0
353
+ ? 0
354
+ : (normEq1 + normEq2 + normEq3Eq6 + normEq4 + normEq5) / nExistingLower;
355
+ let finalScore = baseScore - meanDistance;
356
+ if (finalScore < 0)
357
+ finalScore = 0;
358
+ if (finalScore > 10)
359
+ finalScore = 10;
360
+ return Math.round(finalScore * 10) / 10;
361
+ }
362
+ //# sourceMappingURL=cvss-v4.js.map