
cvss's Introduction

CVSS calculator for CVSS version 2.10

The details of the Common Vulnerability Scoring System are described in the CVSS Guide.

Version

VERSION = 1.20.1

What is new

Completed transformation to a Python package.

How to

Calculate the score by running the program and answering the questions:

$ cvss --help
Calculate CVSS metrics based on a list of Metrics.

Usage:
  cvss [-v] --interactive --all
  cvss [-v] --interactive [--temporal] --base [<vector>]
  cvss [-v] --interactive [--environmental] --temporal --base [<vector>]
  cvss [-v] --base <vector>
  cvss [-v] --vulnerability <vector>
  cvss (--help | --version)

Options:
  -i --interactive          select metric values interactively
  -a --all                  ask for all metrics
  -b --base                 ask for base metrics
  -t --temporal             ask for temporal metrics
  -e --environmental        ask for environmental metrics
  <vector>                  base vulnerability vector
  --vulnerability <vector>  calculate score from vector

  -v --verbose              print verbose results
  -h --help                 show this help message and exit
  --version                 show version and exit

Installation

To avoid installing 3rd party code directly we recommend the use of virtual environments. As of Python version 3.3 virtual environments are part of the standard distribution.

Virtual environments simplify the creation of separate Python setups, allow sharing the system-wide base install, and enable private site-packages. This means that by using virtual environments we can avoid the need to install packages in the system-wide site-packages. To get this up and running for the first time take the following steps:

  • Make sure you have at least version 2.7 or 3.3 of Python installed.

  • Install pip in your virtual environment if it is not already there. For details see the installation instructions for pip. Should pip not be installed in your virtual environment, it is quite probable you will get a "Permission denied" error. From Python version 3.4 it is already in place.

    • Using for example version 3.4 create your own virtual environment and activate it:

      $ pyvenv-3.4 ~/tmp/venv
      $ source ~/tmp/venv/bin/activate
      $ deactivate                   # does what it says...
      $ source ~/tmp/venv/bin/activate
      
    • With version 2.7 first install virtualenv and then create your own virtual environment and activate it. Make sure that setuptools and pip are updated:

      $ virtualenv-2.7 ~/venv/venv27
      $ . ~/venv/venv27/bin/activate
      $ pip install -U setuptools
      $ pip install -U pip
      
  • Finally download and install the required packages and do a quick test:

    $ git clone https://github.com/FredrikHedman/CVSS.git
    $ cd CVSS
    $ pip install --editable .
    $ cvss -h                      # should list the help message
    
  • Exit from the sub-shell environment by:

    $ deactivate                   # does what it says...
    

Unit Tests, Use Case Tests and PEP8 compliance

The tests are a combination of output-driven tests and doctests. All tests are executed by:

$ make alltests

and individually by:

$ make doctests
$ make uctests

No output is expected. PEP8 compliance can be checked by:

$ make pep8

Examples

These are all based on CVSS examples using doctest. No output is expected:

$ make examples

Developers

Fredrik Hedman <[email protected]>


cvss's Issues

'interactive' mode parsing broken?

$ python cvss.py -i -a

++++++++++ Access Vector AV ++++++++++
(MetricValue('Local','L',0.395,'Local access'), 'Local access')
(MetricValue('Adjecent Network','A',0.646,'Adjacent network access'), 'Adjacent network access')
(MetricValue('Network','N',1.0,'Network access'), 'Network access')
Select one [L]: 'L'
('Selected metric value ###|', 'L', '|###')

++++++++++ Access Complexity AC ++++++++++
(MetricValue('High','H',0.35,'Specialized access conditions exist'), 'Specialized access conditions exist')
(MetricValue('Medium','M',0.61,'The access conditions are somewhat specialized'), 'The access conditions are somewhat specialized')
(MetricValue('Low','L',0.71,'No specialized access exist'), 'No specialized access exist')
Select one [H]: 'H'
('Selected metric value ###|', 'H', '|###')

++++++++++ Authentication Au ++++++++++
(MetricValue('None','N',0.704,'Authentication not required'), 'Authentication not required')
(MetricValue('Multiple','M',0.45,'Authenticate two or more times'), 'Authenticate two or more times')
(MetricValue('Single','S',0.56,'Logged into the system'), 'Logged into the system')
Select one [N]: 'M'
('Selected metric value ###|', 'M', '|###')

++++++++++ Confidentiality Impact C ++++++++++
(MetricValue('None','N',0.0,'No impact'), 'No impact')
(MetricValue('Partial','P',0.275,'Considerable disclosure'), 'Considerable disclosure')
(MetricValue('Complete','C',0.66,'Total inforamtion disclosure'), 'Total inforamtion disclosure')
Select one [N]: 'C'
('Selected metric value ###|', 'C', '|###')

++++++++++ Integrity Impact I ++++++++++
(MetricValue('None','N',0.0,'No impact'), 'No impact')
(MetricValue('Partial','P',0.275,'Possible to modify some system files or information'), 'Possible to modify some system files or information')
(MetricValue('Complete','C',0.66,'Total compromise of system integrity'), 'Total compromise of system integrity')
Select one [N]: 'C'
('Selected metric value ###|', 'C', '|###')

++++++++++ Availability Impact A ++++++++++
(MetricValue('None','N',0.0,'No impact'), 'No impact')
(MetricValue('Partial','P',0.275,'Reduced performance or interruptions in resource availability'), 'Reduced performance or interruptions in resource availability')
(MetricValue('Complete','C',0.66,'Total shutdown of the affected resource'), 'Total shutdown of the affected resource')
Select one [N]: 'C'
('Selected metric value ###|', 'C', '|###')

++++++++++ Exploitability E ++++++++++
(MetricValue('Not Defined','ND',1.0,'Skip this metric'), 'Skip this metric')
(MetricValue('Unproven','U',0.85,'No exploit code is available'), 'No exploit code is available')
(MetricValue('Proof-of-Concept','POC',0.9,'Proof-of-concept exploit code exists'), 'Proof-of-concept exploit code exists')
(MetricValue('Functional','F',0.95,'Functional exploit code is available'), 'Functional exploit code is available')
(MetricValue('High','H',1.0,'Exploitable by functional mobile autonomous code'), 'Exploitable by functional mobile autonomous code')
Select one [ND]: 'H'
('Selected metric value ###|', 'H', '|###')

++++++++++ Remediation Level RL ++++++++++
(MetricValue('Not Defined','ND',1.0,'Skip this metric'), 'Skip this metric')
(MetricValue('Official Fix','OF',0.87,'Complete vendor solution is available'), 'Complete vendor solution is available')
(MetricValue('Temporary Fix','TF',0.9,'Official but temporary fix available'), 'Official but temporary fix available')
(MetricValue('Workaround','W',0.95,'Unofficial, non-vendor solution available'), 'Unofficial, non-vendor solution available')
(MetricValue('Unavailable','U',1.0,'No solution available or it is impossible to apply'), 'No solution available or it is impossible to apply')
Select one [ND]: 'W'
('Selected metric value ###|', 'W', '|###')

++++++++++ Report Confidence RC ++++++++++
(MetricValue('Not Defined','ND',1.0,'Skip this metric'), 'Skip this metric')
(MetricValue('Unconfirmed','UC',0.9,'Single unconfirmed source'), 'Single unconfirmed source')
(MetricValue('Uncorroborated','UR',0.95,'Multiple non-official sources'), 'Multiple non-official sources')
(MetricValue('Confirmed','C',1.0,'Acknowledged by the vendor or author'), 'Acknowledged by the vendor or author')
Select one [ND]: "UR"
('Selected metric value ###|', 'UR', '|###')

++++++++++ Collateral Damage Potential CDP ++++++++++
(MetricValue('Not Defined','ND',0.0,'Skip this metric'), 'Skip this metric')
(MetricValue('None','N',0.0,'No potential for loss of life'), 'No potential for loss of life')
(MetricValue('Low','L',0.1,'Potential for slight physical or property damage'), 'Potential for slight physical or property damage')
(MetricValue('Low-Medium','LM',0.3,'Moderate physical or property damage'), 'Moderate physical or property damage')
(MetricValue('Medium-High','MH',0.4,'Significant physical or property damage or loss'), 'Significant physical or property damage or loss')
(MetricValue('High','H',0.5,'Catastrophic physical or property damage and loss'), 'Catastrophic physical or property damage and loss')
Select one [ND]: "MH"
('Selected metric value ###|', 'MH', '|###')

++++++++++ Target Distribution TD ++++++++++
(MetricValue('Not Defined','ND',1.0,'Skip this metric'), 'Skip this metric')
(MetricValue('None','N',0.0,'No target systems exist'), 'No target systems exist')
(MetricValue('Low','L',0.25,'Targets exist on a small scale inside the environment'), 'Targets exist on a small scale inside the environment')
(MetricValue('Medium','M',0.75,'Targets exist on a medium scale'), 'Targets exist on a medium scale')
(MetricValue('High','H',1.0,'Targets exist on a considerable scale'), 'Targets exist on a considerable scale')
Select one [ND]: 'M'
('Selected metric value ###|', 'M', '|###')

++++++++++ Confidentiality Requirement CR ++++++++++
(MetricValue('Not Defined','ND',1.0,'Skip this metric'), 'Skip this metric')
(MetricValue('Low','L',0.5,'Limited adverse effect'), 'Limited adverse effect')
(MetricValue('Medium','M',1.0,'Serious adverse effect'), 'Serious adverse effect')
(MetricValue('High','H',1.51,'Catastrophic adverse effect'), 'Catastrophic adverse effect')
Select one [ND]: 'M'
('Selected metric value ###|', 'M', '|###')

++++++++++ Integrity Requirement IR ++++++++++
(MetricValue('Not Defined','ND',1.0,'Skip this metric'), 'Skip this metric')
(MetricValue('Low','L',0.5,'Limited adverse effect'), 'Limited adverse effect')
(MetricValue('Medium','M',1.0,'Serious adverse effect'), 'Serious adverse effect')
(MetricValue('High','H',1.51,'Catastrophic adverse effect'), 'Catastrophic adverse effect')
Select one [ND]: 'M'
('Selected metric value ###|', 'M', '|###')

++++++++++ Availability Requirement AR ++++++++++
(MetricValue('Not Defined','ND',1.0,'Skip this metric'), 'Skip this metric')
(MetricValue('Low','L',0.5,'Limited adverse effect'), 'Limited adverse effect')
(MetricValue('Medium','M',1.0,'Serious adverse effect'), 'Serious adverse effect')
(MetricValue('High','H',1.51,'Catastrophic adverse effect'), 'Catastrophic adverse effect')
Select one [ND]: 'M'
('Selected metric value ###|', 'M', '|###')
Traceback (most recent call last):
File "cvss.py", line 348, in
generate_output(cvs, clarg)
File "cvss.py", line 288, in generate_output
cvs.base_score, cvs.base_vulnerability_vector),
File "/Users/blackthorne/Desktop/CVSS/cvss_base.py", line 38, in base_score
return round(self.base_fcn(self.impact), ndigits=1)
File "/Users/blackthorne/Desktop/CVSS/cvss_210.py", line 45, in impact
ConfImpact = float(self['C'])
File "/Users/blackthorne/Desktop/CVSS/metric.py", line 93, in float
return float(self.selected)
File "/Users/blackthorne/Desktop/CVSS/metric.py", line 118, in selected
return self.__values[self.__index]
AttributeError: Metric instance has no attribute '_Metric__index'
$
