0llirocks / cvss-suite
CvssSuite - This Ruby gem helps you to process the vector of the Common Vulnerability Scoring System.
Home Page: https://cvss-suite.0lli.rocks
License: Other
Version 3.1.0 produces an invalid vector string: the CVSS prefix is missing. From the spec:
The v3.0 vector string begins with the label "CVSS:"
Previous version (3.0.1) is not affected by this.
```ruby
irb(main):001:0> c = CvssSuite.new('CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C')
=>
#<CvssSuite::Cvss31:0x00007fb5ea2aede0
...
irb(main):002:0> c.vector
=> "AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C"
```
Expected: `c.vector == 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C'`
Actual: `c.vector == 'AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C'`
Overriding the Ruby classes Float and Integer is a bad pattern for integration in a big project.
Use a helper for the roundup and round_up methods.
CVSS Vector "CVSS:3.0/" raises exception "bad value for range"
```ruby
CvssSuite.new("CVSS:3.0/").valid?
```
The valid? method should return false.
ArgumentError: bad value for range is raised instead.
I have created a brittle method to determine the validity of a cvss_string. I would prefer to catch a specific error class raised by CvssSuite so that I do not have to rely on the error string, as the string could likely change.
CvssVector.valid?

```ruby
def valid?(cvss_string)
  return false if cvss_string.nil?

  CvssSuite.new(cvss_string).valid?
rescue ArgumentError, RuntimeError => e
  # Compare the exception's class, not the instance, so unrelated errors still propagate
  raise e if e.is_a?(RuntimeError) && e.message != 'Vector is not valid!'
  raise e if e.is_a?(ArgumentError) && e.message != 'bad value for range'

  false
end
```
Additionally, it would be (possibly) beneficial if CvssSuite would perform this validity checking without raising errors and simply return true/false.
I will create a pull request to add the error classing; however, this would unfortunately be a 'breaking change' and likely cause a major version bump to the gem, since users will currently be expecting the RuntimeError and ArgumentError.
The CVSS v3.1 and CVSS v3.0 specifications state the following:
Programs reading CVSS v3.[1,0] vector strings must accept metrics in any order
However, when re-ordering the base metrics in a v3.1 or v3.0 vector string, cvss-suite considers the vector to be invalid.
3.0.1
ruby 2.7.5p203 (2021-11-24 revision f69aeb8314) [arm64-darwin21]
Run this program:

```ruby
require 'cvss_suite'
puts CvssSuite.new("CVSS:3.1/A:L/I:L/C:N/S:C/AV:N/UI:N/PR:L/AC:H").valid?
puts CvssSuite.new("CVSS:3.0/A:L/I:L/C:N/S:C/AV:N/UI:N/PR:L/AC:H").valid?
```

The program should output:

```
true
true
```

The program outputs:

```
false
false
```
The standard officially defines severity ranges of CVSS Vectors based on their score, i.e. low, medium, high, and critical. See here for reference: https://www.first.org/cvss/specification-document#5-Qualitative-Severity-Rating-Scale
It would make sense to add this to the gem directly, as it is part of the standard.
Kind regards!
CVSS v4 is currently planned for October 1, 2023.
This issue will document the implementation for this gem.
Is your feature request related to a problem? Please describe.
Can we support only Ruby >= 2.4 to use new syntax and rubocop features?
This request has a breaking change for users that use old Ruby.
Additional context
The EOL of ruby 2.4 is 2020-03-31 and ruby 2.3 is 2019-03-31
Update: Friendly people agreed to transfer the repository instead of using my fork as the new home. This means that everything stays the same, except the repository now belongs to me.
# This gem moved to a new home
## Why?
I (the maintainer) am no longer part of the GitHub organisation and therefore lost access to this repository.
## What does that mean?
- As a user of the gem it does not matter at all. The gem is still supported by the same person and will still receive updates.
- As a GitHub user who follows or watches this repository it probably means that there won't be any new activity. Feel free to follow and fork the new repository.
- Since I am still following this repository I will notice issue reports and will react accordingly with changes to the gem (but in the new repository), but I highly recommend opening new issues directly in the new repository.
I hope we meet again on the other side 😄
Best regards,
Oliver
Disclaimer: I am currently NOT planning to remove support for CVSS v2. I know this should be a topic in the discussion tab (which is currently disabled), but since the topic can easily be closed (will not implement or implemented), I decided to open an issue for this.
While working on CVSS v4.0 I noticed that the code includes some workarounds only for version 2 (e.g. has no unique string at the beginning, allows parentheses). These workarounds do not hinder me from adding new features, but I just wanted to check whether version 2 is still in use. If it turns out that version 2 is no longer used, I could clean up the code to improve the readability.
If a lot of people still rely on version 2, I will just keep everything as it is.
If I remove version 2, I will not include the changes in the next version. Maybe in the next major release or even later. This issue is only to see how people are working with version 2.
Best regards,
Oliver
It would be useful to have an example Rails view with a form that shows the Gem being used. An example calculator for example, https://www.first.org/cvss/calculator/3.1
It would save everyone from "reinventing the wheel" when they want to use the Gem.
(P.S. Thanks for the gem! I'm going to try it out.)
```ruby
irb(main):002:0> require 'cvss_suite'
/home/noraj/.gem/ruby/2.5.0/gems/cvss-suite-1.1.1/lib/cvss_suite/helpers/extensions.rb:24: warning: constant ::Fixnum is deprecated
=> true
```
Ruby 2.4.0 introduced this change: Unify Fixnum and Bignum into Integer.
See here for the announcement: https://www.ruby-lang.org/en/news/2016/12/25/ruby-2-4-0-released/
Also see this article discussing the issue: https://blog.bigbinary.com/2016/11/18/ruby-2-4-unifies-fixnum-and-bignum-into-integer.html (with the link to the Rails PR handling the problem).
Steps: in Ruby 2.4+ just require the gem.
Expected: no warning printed.
Actual: a warning is printed.
Currently, it is not possible to create a CVSSv2 from a string that contains parentheses, even though it is a valid notation of v2 vectors.
E.g.

```ruby
CvssSuite.new('(AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)')
```

throws an error, while

```ruby
CvssSuite.new('AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C')
```

does not.
Would it be possible to add this feature to the best CVSS gem available?
When creating a CVSSv2 with undefined temporal metrics, the "temporal_score" method still delivers a score.
Example:

```ruby
cvss = CvssSuite.new('AV:L/AC:L/Au:N/C:C/I:C/A:C/E:ND/RL:ND/RC:ND')
cvss.temporal_score # returns 7.1 even though all temporal metrics are ND
```

Expected behavior: `cvss.temporal_score` should probably return something like nil.
I already have a class Cvss in my project and I have a conflict with the Cvss class of this gem, because not all classes are scoped under a CvssSuite module.
https://github.com/siemens/cvss-suite/blob/master/lib/cvss_suite/cvss.rb#L14
I will work on a PR to fix this.
When creating input forms for CVSS vectors, it is tedious and badly maintainable to create all the necessary form items and their valid options by hand.
Instead it would be much easier to have a static method with which to retrieve all CVSS metrics (i.e. attack vector, attack complexity, scope, etc.) and their corresponding options. One could then iterate over them in order to generate the input fields as desired.
However, there are no static methods to do so, forcing one to create a "dummy" CVSS vector in order to iterate over all the various metrics.
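Several of the reports above (the missing "CVSS:" prefix, `valid?` raising instead of returning false, base metrics in any order, the Float/Integer roundup monkey-patch, the missing qualitative severity scale, and enumerating metrics for form building) describe behaviour the v3.1 specification pins down. The following is an added, self-contained illustration written for this page, not the cvss-suite gem's own code; it handles only the eight base metrics of v3.0/v3.1 vectors, and the module name `Cvss3Demo` is an assumption:

```ruby
# Added example (not the cvss-suite gem's code): a minimal CVSS v3.x base-score
# helper showing the behaviours requested in the issues above.
module Cvss3Demo
  CIA = { 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 }.freeze
  # Metric table; iterable to build input forms without a dummy vector.
  METRICS = {
    'AV' => { 'N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2 },
    'AC' => { 'L' => 0.77, 'H' => 0.44 },
    'PR' => { 'N' => 0.85, 'L' => 0.62, 'H' => 0.27 }, # L/H become 0.68/0.5 when S:C
    'UI' => { 'N' => 0.85, 'R' => 0.62 },
    'S' => { 'U' => nil, 'C' => nil }, 'C' => CIA, 'I' => CIA, 'A' => CIA
  }.freeze
  PR_CHANGED = { 'L' => 0.68, 'H' => 0.5 }.freeze
  PREFIX = %r{\ACVSS:3\.[01]/}.freeze

  # Metric hash, or nil when invalid. Never raises; requires the "CVSS:3.x/" label
  # and accepts the base metrics in any order, as the specification requires.
  def self.parse(vector)
    return nil unless vector.is_a?(String) && vector.match?(PREFIX)
    pairs = vector.sub(PREFIX, '').split('/').map { |p| p.split(':', 2) }
    return nil unless pairs.all? { |k, v| k && METRICS[k]&.key?(v) }
    metrics = pairs.to_h # duplicate metrics shrink the hash and fail the size check
    metrics if metrics.size == pairs.size && metrics.keys.sort == METRICS.keys.sort
  end

  def self.valid?(vector); !parse(vector).nil?; end

  # Roundup from the v3.1 spec (Appendix A) as a plain helper, not a Float patch.
  def self.round_up(value)
    int_input = (value * 100_000).round
    return int_input / 100_000.0 if (int_input % 10_000).zero?
    (int_input / 10_000 + 1) / 10.0
  end

  def self.base_score(vector)
    return nil unless (m = parse(vector))
    changed = m['S'] == 'C'
    iss = 1 - (1 - CIA[m['C']]) * (1 - CIA[m['I']]) * (1 - CIA[m['A']])
    impact = changed ? 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02)**15 : 6.42 * iss
    pr = (changed && PR_CHANGED[m['PR']]) || METRICS['PR'][m['PR']]
    expl = 8.22 * METRICS['AV'][m['AV']] * METRICS['AC'][m['AC']] * pr * METRICS['UI'][m['UI']]
    return 0.0 if impact <= 0
    round_up([changed ? 1.08 * (impact + expl) : impact + expl, 10].min)
  end

  # Qualitative severity rating scale (spec section 5).
  def self.severity(score)
    return 'None' if score.zero?
    { 3.9 => 'Low', 6.9 => 'Medium', 8.9 => 'High' }.each { |max, s| return s if score <= max }
    'Critical'
  end
end
```

The reordered vector from the any-order report above scores the same as its canonical form, and `valid?('CVSS:3.0/')` returns false rather than raising.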
Is your feature request related to a problem? Please describe.
Can you configure a CI like Travis or something else?