
cvss-suite's Introduction

CvssSuite for Ruby


This Ruby gem helps you process Common Vulnerability Scoring System (CVSS) vectors. Besides calculating the Base, Temporal and Environmental Scores, you can extract the selected option of each metric.

Installation

Add this line to your application's Gemfile:

gem 'cvss-suite'

Since the name of this gem does not follow the usual naming convention, you can also add the following line to require the gem automatically:

gem 'cvss-suite', require: 'cvss_suite'

And then execute:

$ bundle

Or install it yourself as:

$ gem install cvss-suite

Version 2.x

If you are still using CvssSuite 2.x, please refer to the specific branch for documentation and changelog.

Version 1.x

If you are still using CvssSuite 1.x, please refer to the specific branch for documentation and changelog.

Usage

require 'cvss_suite'

cvss3 = CvssSuite.new('CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L/CR:L/IR:M/AR:H/MAV:N/MAC:H/MPR:N/MUI:R/MS:U/MC:N/MI:L/MA:H')

vector = cvss3.vector       # 'CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L/CR:L/IR:M/AR:H/MAV:N/MAC:H/MPR:N/MUI:R/MS:U/MC:N/MI:L/MA:H'
version = cvss3.version     # 3.0
valid = cvss3.valid?        # true
severity = cvss3.severity   # 'High'

cvss31 = CvssSuite.new('CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H/E:H/RL:U/RC:U')

vector = cvss31.vector     # 'CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H/E:H/RL:U/RC:U'
version = cvss31.version   # 3.1
valid = cvss31.valid?      # true
severity = cvss31.severity # 'Medium'

cvss = CvssSuite.new('AV:A/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:TF/RC:UC/CDP:L/TD:M/CR:M/IR:M/AR:M')

vector = cvss.vector       # 'AV:A/AC:M/Au:S/C:P/I:P/A:P/E:POC/RL:TF/RC:UC/CDP:L/TD:M/CR:M/IR:M/AR:M'
version = cvss.version     # 2
valid = cvss.valid?        # true
severity = cvss.severity   # 'Low'

# Scores
base_score = cvss.base_score                        # 4.9
temporal_score = cvss.temporal_score                # 3.6
environmental_score = cvss.environmental_score      # 3.2
overall_score = cvss.overall_score                  # 3.2

# Available options (keep the metric object; .name alone returns a String)
access_vector = cvss.base.access_vector
remediation_level = cvss.temporal.remediation_level
access_vector.name       # 'Access Vector'
remediation_level.name   # 'Remediation Level'

access_vector.values.each do |value|
  value[:name]           # 'Local', 'Adjacent Network', 'Network'
  value[:abbreviation]   # 'L', 'A', 'N'
  value[:selected]       # false, true, false
end

# Selected options
cvss.base.access_vector.selected_value[:name]          # 'Adjacent Network'
cvss.temporal.remediation_level.selected_value[:name]  # 'Temporary Fix'

# Exceptions

cvss = CvssSuite.new('random_string')  # invalid vector
valid = cvss.valid?     # false
version = cvss.version  # will throw CvssSuite::Errors::InvalidVector: Vector is not valid!
cvss.base_score         # will throw CvssSuite::Errors::InvalidVector: Vector is not valid!

cvss = CvssSuite.new(1337)  # invalid vector
valid = cvss.valid?     # false
version = cvss.version  # will throw CvssSuite::Errors::InvalidVector: Vector is not valid!
cvss.base_score         # will throw CvssSuite::Errors::InvalidVector: Vector is not valid!

CvssSuite.new()         # will throw an ArgumentError

cvss = CvssSuite.new('AV:N/AC:P/C:P/AV:U/RL:OF/RC:C')   # invalid vector, authentication is missing
version = cvss.version  # 2
valid = cvss.valid?     # false
cvss.base_score         # will throw CvssSuite::Errors::InvalidVector: Vector is not valid!
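The scores quoted above for the v2 vector follow the CVSS v2 equations. As an added example (not code from the gem), here is a pure-Ruby v2 calculator that reproduces the base, temporal and environmental scores shown above from the same vector, accepts metrics in any order and in the parenthesised v2 notation, returns nil instead of raising on malformed input, and yields no temporal score when every temporal metric is ND. The module name CvssV2Demo and the method names are assumptions.

```ruby
# Added example (not the gem's own code): a pure-Ruby CVSS v2 calculator that reproduces the scores quoted above.
module CvssV2Demo
  CIA = { 'N' => 0.0, 'P' => 0.275, 'C' => 0.660 }.freeze
  REQ = { 'L' => 0.5, 'M' => 1.0, 'H' => 1.51, 'ND' => 1.0 }.freeze
  WEIGHTS = {
    'AV' => { 'L' => 0.395, 'A' => 0.646, 'N' => 1.0 },
    'AC' => { 'H' => 0.35, 'M' => 0.61, 'L' => 0.71 },
    'Au' => { 'M' => 0.45, 'S' => 0.56, 'N' => 0.704 },
    'C' => CIA, 'I' => CIA, 'A' => CIA,
    'E' => { 'U' => 0.85, 'POC' => 0.9, 'F' => 0.95, 'H' => 1.0, 'ND' => 1.0 },
    'RL' => { 'OF' => 0.87, 'TF' => 0.9, 'W' => 0.95, 'U' => 1.0, 'ND' => 1.0 },
    'RC' => { 'UC' => 0.9, 'UR' => 0.95, 'C' => 1.0, 'ND' => 1.0 },
    'CDP' => { 'N' => 0.0, 'L' => 0.1, 'LM' => 0.3, 'MH' => 0.4, 'H' => 0.5, 'ND' => 0.0 },
    'TD' => { 'N' => 0.0, 'L' => 0.25, 'M' => 0.75, 'H' => 1.0, 'ND' => 1.0 },
    'CR' => REQ, 'IR' => REQ, 'AR' => REQ
  }.freeze

  # Parses "AV:A/AC:M/..." (parentheses allowed, metrics in any order); returns
  # nil rather than raising when the string is not a complete v2 vector.
  def self.parse(vector)
    return nil unless vector.is_a?(String)
    metrics = {}
    vector.strip.sub(/\A\((.*)\)\z/, '\1').split('/').each do |pair|
      name, value = pair.split(':', 2)
      return nil unless WEIGHTS.key?(name) && WEIGHTS[name].key?(value) && !metrics.key?(name)
      metrics[name] = value
    end
    %w[AV AC Au C I A].all? { |b| metrics.key?(b) } ? metrics : nil
  end
  def self.weight(m, name)
    WEIGHTS[name][m.fetch(name, 'ND')] # an absent metric counts as Not Defined
  end
  def self.impact(m, cr = 1.0, ir = 1.0, ar = 1.0)
    10.41 * (1 - (1 - weight(m, 'C') * cr) * (1 - weight(m, 'I') * ir) * (1 - weight(m, 'A') * ar))
  end
  def self.base_score(m, imp = impact(m))
    expl = 20 * weight(m, 'AV') * weight(m, 'AC') * weight(m, 'Au')
    ((0.6 * imp + 0.4 * expl - 1.5) * (imp.zero? ? 0.0 : 1.176)).round(1)
  end
  # nil when every temporal metric is absent or ND, instead of echoing the base score.
  def self.temporal_score(m, base = base_score(m))
    return nil if %w[E RL RC].all? { |t| m.fetch(t, 'ND') == 'ND' }
    (base * weight(m, 'E') * weight(m, 'RL') * weight(m, 'RC')).round(1)
  end
  def self.environmental_score(m)
    adj = [10.0, impact(m, weight(m, 'CR'), weight(m, 'IR'), weight(m, 'AR'))].min
    temp = temporal_score(m, base_score(m, adj)) || base_score(m, adj)
    ((temp + (10 - temp) * weight(m, 'CDP')) * weight(m, 'TD')).round(1)
  end
end
```

Because the gem rounds to one decimal at the same points as these equations, the same vector yields 4.9, 3.6 and 3.2 here as well.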

Known Issues

Different implementations may produce scores that differ by ±0.1 because of small floating-point inaccuracies, caused by differences in floating-point arithmetic between languages and hardware platforms.

Changelog

Click here to see all changes.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/0llirocks/cvss-suite. This project is intended to be a safe, welcoming space for collaboration.

References

CvssSuite for .NET


cvss-suite's Issues

Updated - [Important Information] Repository moved to a new home

Update: Friendly people agreed to transfer the repository instead of using my fork as the new home. This means that everything stays the same, except the repository now belongs to me.

# This gem moved to a new home

## Why?
I (the maintainer) am no longer part of the GitHub organisation and therefore lost access to this repository.

## What does that mean?
- As a user of the gem it does not matter at all. The gem is still supported by the same person and will still receive updates.
- As a GitHub user who follows or watches this repository it probably means that there won't be any new activity. Feel free to follow and fork the new repository.
- Since I am still following this repository I will notice issue reports and will react accordingly with changes to the gem (but in the new repository), but I highly recommend opening new issues directly in the new repository.

I hope we meet again on the other side 😄

Best regards,
Oliver

CVSS prefix is missing in v3.1.0

Subject of the issue

Version 3.1.0 produces an invalid vector string. The CVSS prefix is missing. From the spec:

The v3.0 vector string begins with the label "CVSS:"

Previous version (3.0.1) is not affected by this.

Your environment

  • version of cvss-suite gem: 3.1.0
  • version of ruby: 3.2.0

Steps to reproduce

irb(main):001:0> c = CvssSuite.new('CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C')
=> 
#<CvssSuite::Cvss31:0x00007fb5ea2aede0
...
irb(main):002:0> c.vector
=> "AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C"

Expected behaviour

c.vector == 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C'

Actual behaviour

c.vector == 'AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C'

Temporal Score is given even if no temporal metrics are defined

When creating a CVSSv2 with undefined temporal metrics, the "temporal_score" method still delivers a score.

Example:

cvss = CvssSuite.new('AV:L/AC:L/Au:N/C:C/I:C/A:C/E:ND/RL:ND/RC:ND')
cvss.temporal_score # returns 7.1 even though all temporal metrics are ND

Expected behavior:
cvss.temporal_score should probably return something like nil

CVSS v3 base metrics are order-dependent

Subject of the issue

The CVSS v3.1 and CVSS v3.0 specifications state the following:

Programs reading CVSS v3.[1,0] vector strings must accept metrics in any order

However, when re-ordering the base metrics in a v3.1 or v3.0 vector string,
cvss-suite considers the vector to be invalid.

Your environment

  • version of cvss-suite gem: 3.0.1
  • version of ruby: ruby 2.7.5p203 (2021-11-24 revision f69aeb8314) [arm64-darwin21]

Steps to reproduce

Run this program:

require 'cvss_suite'

puts CvssSuite.new("CVSS:3.1/A:L/I:L/C:N/S:C/AV:N/UI:N/PR:L/AC:H").valid?
puts CvssSuite.new("CVSS:3.0/A:L/I:L/C:N/S:C/AV:N/UI:N/PR:L/AC:H").valid?

Expected behaviour

The program should output:

true
true

Actual behaviour

The program outputs:

false
false

Allow parentheses in CVSS v2 vector

Currently, it is not possible to create a CVSSv2 from a string that contains parentheses, even though it is a valid notation of v2 vectors.

E.g.
CvssSuite.new('(AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)') throws an error, while
CvssSuite.new('AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C') does not.

Would it be possible to add this feature to the best CVSS gem available?

Discussion: Remove of CVSS v2 support

Disclaimer: I am currently NOT planning to remove support for CVSS v2. I know this should be a topic in the discussion tab (which is currently disabled), but since the topic can easily be closed (will not implement or implemented), I decided to open an issue for this.

While working on CVSS v4.0 I noticed that the code includes some workarounds only for version 2 (e.g. has no unique string at the beginning, allows parentheses). These workarounds do not hinder me from adding new features, but I just wanted to check whether version 2 is still in use. If it turns out that version 2 is no longer used, I could clean up the code to improve the readability.

If a lot of people still rely on version 2, I will just keep everything as it is.

If I remove version 2, I will not include the changes in the next version. Maybe in the next major release or even later. This issue is only to see how people are working with version 2.

Best regards,
Oliver

CVSS Vector "CVSS:3.0/" raises exception "bad value for range"

Subject of the issue

CVSS Vector "CVSS:3.0/" raises exception "bad value for range"

Your environment

  • version of cvss-suite gem: 1.1.0
  • version of ruby: 2.3.1

Steps to reproduce

CvssSuite.new("CVSS:3.0/").valid?

Expected behaviour

The valid? method should return false.

Actual behaviour

ArgumentError: bad value for range is raised instead.

Raising runtime errors makes it difficult to determine validity

I have created a brittle method to determine the validity of a cvss_string. I would prefer to catch a specific error class raised by CvssSuite so that I do not have to rely on the error string as the string could likely change.

CvssVector.valid?

require 'cvss_suite'

def valid?(cvss_string)
  return false if cvss_string.nil?
  CvssSuite.new(cvss_string).valid?
rescue ArgumentError, RuntimeError => e
  # e is an exception instance, so test its class with is_a? rather than == against the class
  raise e if e.is_a?(RuntimeError) && e.message != 'Vector is not valid!'
  raise e if e.is_a?(ArgumentError) && e.message != 'bad value for range'
  false
end

Additionally, it would be (possibly) beneficial if CvssSuite would perform this validity checking without raising errors and simply return true/false.

I will create a pull request to add the error classing, however, this would unfortunately be a 'breaking change' and likely cause a major version bump to the gem since users will currently be expecting the RuntimeError and ArgumentError.

Fixnum is deprecated warning

Subject of the issue

irb(main):002:0> require 'cvss_suite'
/home/noraj/.gem/ruby/2.5.0/gems/cvss-suite-1.1.1/lib/cvss_suite/helpers/extensions.rb:24: warning: constant ::Fixnum is deprecated
=> true

Ruby 2.4.0 introduced this change: Unify Fixnum and Bignum into Integer.

See here for the announcement: https://www.ruby-lang.org/en/news/2016/12/25/ruby-2-4-0-released/

Also see this article discussing the issue: https://blog.bigbinary.com/2016/11/18/ruby-2-4-unifies-fixnum-and-bignum-into-integer.html (with the link to the Rails PR handling the problem).

Your environment

  • version of cvss-suite gem: 1.1.1
  • version of ruby: 2.5.3p105

Steps to reproduce

In ruby 2.4+ just require the gem.

Expected behaviour

No warning printed.

Actual behaviour

A warning is printed.

Configure a CI

Is your feature request related to a problem? Please describe.

Can you configure a CI like Travis or something else?

Add static parameters for CVSS attributes and their options

When creating input forms for CVSS vectors, it is tedious and badly maintainable to create all the necessary form items and their valid options by hand.

Instead it would be much easier to have a static method with which to retrieve all CVSS metrics (i.e. attack vector, attack complexity, scope, etc.) and their corresponding options. One could then iterate over them in order to generate the input fields as desired.

However, there are no static methods to do so, forcing one to create a "dummy" CVSS vector in order to iterate over all the various metrics.
