
go-cvss's People

Contributors

bernhardreiter, saschagrunert, spiegel-im-spiegel, thejohnbrown

go-cvss's Issues

Invalid CVSS v2 environmental score computation

During differential fuzzing with github.com/pandatix/go-cvss I discovered that your implementation does not properly compute CVSS v2 environmental scores (as for #18).

For instance, the vector AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND has an environmental score of 9.0 according to the NVD CVSS v2 calculator. Nevertheless, the following Go code illustrates this issue, i.e. invalid scores.

package main

import (
	"fmt"
	"log"

	"github.com/goark/go-cvss/v2/metric"
)

func main() {
	raw := "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND"
	vec, err := metric.NewEnvironmental().Decode(raw)
	if err != nil {
		log.Fatal(err)
	}

	b, t, e := vec.Base.Score(), vec.Temporal.Score(), vec.Score()
	fmt.Printf("Scores: %.1f;%.1f;%.1f\n", b, t, e)
}

produces ->

Scores: 8.3;8.3;9.1

One more Improper Input Validation in CVSS v2 parsing

While differential fuzzing with github.com/pandatix/go-cvss I discovered that your implementation does not properly validate CVSS v2 vectors, as it doesn't check the metric order.

In order to be compliant with the first.org specification Section 2.4 ("the vector lists these metrics in a predetermined order [...]") you must validate that every metric is in the order of Table 13.

The following Go code illustrates this issue.

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v2/metric"
)

func main() {
	raw := "AV:N/AC:L/Au:N/C:N/A:C/I:N"
	vec, err := metric.NewEnvironmental().Decode(raw)

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: AV:N/AC:L/Au:N/C:N/I:N/A:C
err: <nil>

As the order is AV -> AC -> Au -> C -> I -> A, the CVSS v2 vector AV:N/AC:L/Au:N/C:N/A:C/I:N is invalid.
Notice this is not specified in CVSS v3 (no metric order), so this issue could not be reproduced with submodule v3.

One more Improper Input Validation in CVSS v3 parsing

After #10 and #13, I fuzzed the implementation again and discovered that other invalid inputs did not raise errors.
This could be categorized as CWE-20.

For instance, the following Go code does not produce any error.

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	vec, err := metric.NewEnvironmental().Decode("CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:n")

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: &{0xc0000a0a50 X X X X X X X X X X X map[]}
err: <nil>

You can check this input is invalid, using the official first.org calculator which does not give scores despite base metrics being all defined, or by looking at the specification Table 15 which shows the A (Availability) metric can only be equal to [H,L,N] (not their lowercase equivalent).
The root of this issue is validating lowercase equivalents, which is not compliant with the first.org specifications.

Improper Input Validation in CVSS v2 parsing

During differential fuzzing with github.com/pandatix/go-cvss, I discovered that some invalid inputs did not raise errors.
This could be categorized as CWE-20.

For instance, the following Go code does not produce any error (using tag v1.4.4).

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v2/base"
)

func main() {
	vec, err := base.Decode("AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/rc:C")

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
err: <nil>

You can check this input is invalid by looking at the specification Table 13 which shows metrics are only uppercase.
This issue is similar to #15 but related to metrics directly and not their values.

CVSSv3 Temporal score

Hello,

Are you interested in the Temporal Score parsing and calculation? I'm asking because I have an internal fork of your repo and I needed that, so I thought it would be nice to propose the patch upstream.

Regards,

Another Improper Input Validation in CVSS v2 parsing

During differential fuzzing with github.com/pandatix/go-cvss I discovered that your implementation does not properly handle the case of CVSS v2 environmental parsing for vectors that do not have environmental metrics defined.
This could be categorized as CWE-20.

In order to be compliant with the first.org specification you must validate vectors that do not have environmental metrics defined.

The following Go code illustrates this issue.
Notice the input vector comes from the specification section 3.3.1 for CVE-2002-0392.

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v2/metric"
)

func main() {
	raw := "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C"
	vec, err := metric.NewEnvironmental().Decode(raw)

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: 
err: no metrics

Invalid CVSS v3 environmental score computation

Still while fuzzing the implementation, I discovered that environmental scores were not computed properly, leading to invalid scores.
For instance, the following Go code computes the three scores and prints them.

package main

import (
	"fmt"
	"log"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	vec, err := metric.NewEnvironmental().Decode("CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N/MS:C")
	if err != nil {
		log.Fatal(err)
	}

	b, t, e := vec.Base.Score(), vec.Temporal.Score(), vec.Score()
	fmt.Printf("Scores: %.1f;%.1f;%.1f\n", b, t, e)
}

produces ->

Scores: 5.4;5.4;6.4

You can check this input is valid using the official first.org calculator, which then computes an environmental score of 6.5.
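The following is an added example, not go-cvss code: a transcription of the CVSS v3.1 base, temporal and environmental equations (weights from section 7.4, Roundup from Appendix A of the specification) for an already-validated vector. It makes visible the two places where Modified Scope feeds the environmental score even though the base S is Unchanged: MS:C selects the Changed form of the impact equation together with the 1.08 factor, and it raises the Privileges Required weight (PR:L weighs 0.62 under Unchanged scope but 0.68 under Changed). For the issue's vector this yields 5.4 / 5.4 / 6.5, the values the first.org calculator reports. The names ScoreV31, V3Scores, roundUp, combine and v3PR are this example's own.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Metric weights from the CVSS v3.1 specification, section 7.4.
var (
	v3AV  = map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
	v3AC  = map[string]float64{"L": 0.77, "H": 0.44}
	v3UI  = map[string]float64{"N": 0.85, "R": 0.62}
	v3CIA = map[string]float64{"H": 0.56, "L": 0.22, "N": 0}
	v3E   = map[string]float64{"X": 1, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1}
	v3RL  = map[string]float64{"X": 1, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1}
	v3RC  = map[string]float64{"X": 1, "U": 0.92, "R": 0.96, "C": 1}
	v3Req = map[string]float64{"X": 1, "L": 0.5, "M": 1, "H": 1.5}
)

// v3PR is the Privileges Required weight. It is higher under Changed scope,
// so the environmental part must consult the Modified Scope, not the base S.
func v3PR(pr string, scopeChanged bool) float64 {
	switch {
	case pr == "L" && scopeChanged:
		return 0.68
	case pr == "L":
		return 0.62
	case pr == "H" && scopeChanged:
		return 0.5
	case pr == "H":
		return 0.27
	}
	return 0.85 // PR:N
}

// roundUp is the specification's Roundup (Appendix A): snap to the nearest
// 0.00001 first so that a value such as 4.0000001 does not round up to 4.1.
func roundUp(x float64) float64 {
	i := int64(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return (math.Floor(float64(i)/10000) + 1) / 10
}

// combine finishes the base equation: 0 for non-positive impact, otherwise
// the sum capped at 10, scaled by 1.08 when scope is Changed.
func combine(impact, exploitability float64, changed bool) float64 {
	if impact <= 0 {
		return 0
	}
	if changed {
		return roundUp(math.Min(1.08*(impact+exploitability), 10))
	}
	return roundUp(math.Min(impact+exploitability, 10))
}

// V3Scores holds the three scores of one vector.
type V3Scores struct{ Base, Temporal, Environmental float64 }

// ScoreV31 scores an already-validated CVSS v3.1 vector.
func ScoreV31(raw string) V3Scores {
	m := map[string]string{}
	for _, p := range strings.Split(raw, "/")[1:] { // [0] is the CVSS:3.1 prefix
		if kv := strings.SplitN(p, ":", 2); len(kv) == 2 {
			m[kv[0]] = kv[1]
		}
	}
	get := func(k string) string { // an absent optional metric is Not Defined
		if v, ok := m[k]; ok {
			return v
		}
		return "X"
	}
	modified := func(k string) string { // the M-prefixed override, else the base value
		if v := get("M" + k); v != "X" {
			return v
		}
		return m[k]
	}

	var s V3Scores
	changed := m["S"] == "C"
	iss := 1 - (1-v3CIA[m["C"]])*(1-v3CIA[m["I"]])*(1-v3CIA[m["A"]])
	impact := 6.42 * iss
	if changed {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	exploitability := 8.22 * v3AV[m["AV"]] * v3AC[m["AC"]] * v3PR(m["PR"], changed) * v3UI[m["UI"]]
	s.Base = combine(impact, exploitability, changed)
	temporalMul := v3E[get("E")] * v3RL[get("RL")] * v3RC[get("RC")]
	s.Temporal = roundUp(s.Base * temporalMul)

	// Environmental: the same equations over the Modified metrics. MS:C
	// switches both the impact equation and the PR weight to their Changed
	// forms even when the base S is U.
	mchanged := modified("S") == "C"
	miss := math.Min(0.915, 1-(1-v3Req[get("CR")]*v3CIA[modified("C")])*
		(1-v3Req[get("IR")]*v3CIA[modified("I")])*(1-v3Req[get("AR")]*v3CIA[modified("A")]))
	mimpact := 6.42 * miss
	if mchanged {
		mimpact = 7.52*(miss-0.029) - 3.25*math.Pow(miss*0.9731-0.02, 13)
	}
	mexploitability := 8.22 * v3AV[modified("AV")] * v3AC[modified("AC")] * v3PR(modified("PR"), mchanged) * v3UI[modified("UI")]
	s.Environmental = roundUp(combine(mimpact, mexploitability, mchanged) * temporalMul)
	return s
}

func main() {
	raw := "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N/MS:C"
	s := ScoreV31(raw)
	fmt.Printf("%s\nScores: %.1f;%.1f;%.1f\n", raw, s.Base, s.Temporal, s.Environmental)
}
```

When an implementation disagrees with the calculator only on vectors that carry MS, the first thing to check is whether it re-evaluates the PR weight and the 1.08 factor against the Modified Scope rather than the base Scope.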

Improper Input Validation in CVSS v2 parsing

During differential fuzzing with github.com/pandatix/go-cvss I discovered that your implementation does not properly validate CVSS v2 vectors when environmental metrics values are not defined.
This could be categorized as CWE-20.

In order to be compliant with the first.org specification Table 13 you must only validate a vector when all the group metrics are defined in the input vector, even if Temporal and Environmental ones are set to ND (Not Defined).

The following Go code illustrates this issue.

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v2/metric"
)

func main() {
	raw := "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:H"
	vec, err := metric.NewEnvironmental().Decode(raw)

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:H/IR:ND/AR:ND
err: <nil>

Improper Input Validation in CVSS v3 parsing

While fuzzing this implementation, I discovered that some invalid inputs did not raise errors.
This could be categorized as CWE-20.

For instance, the following Go code does not produce any error.

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	rawVec := "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L/RC:"
	vec, err := metric.NewEnvironmental().Decode(rawVec)

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: &{0xc0000bc000 X X X X X X X X X X X}
err: <nil>

You can check this input is invalid, using the official first.org calculator which does not give scores despite base metrics being all defined, or by looking at the specification Table 15 which shows the RC (ReportConfidence) metric can't be empty.

Invalid CVSS v2 vector

During differential fuzzing with github.com/pandatix/go-cvss, I discovered that your implementation does not emit valid CVSS v2 vectors.
Indeed, after parsing it, it only emits the temporal metrics that differ from ND (Not Defined).

In order to be compliant, you must emit all group metrics even if they are equal to ND, according to the first.org specification Table 13 that shows all metrics of a group are required.
Notice this is not the case with CVSS v3 as first.org specification Table 15 states temporal and environmental metrics are not mandatory when equal to X (Not Defined).

The following Go code illustrates this issue.

package main

import (
	"fmt"
	"log"

	"github.com/goark/go-cvss/v2/base"
)

func main() {
	raw := "AV:L/AC:M/Au:S/C:N/I:N/A:P/CDP:N/TD:ND/CR:M/IR:ND/AR:ND"
	vec, err := base.Decode(raw)
	if err != nil {
		log.Fatal(err)
	}

	out := vec.String()
	fmt.Printf("out: %v\n", out)
}

produces ->

out: AV:L/AC:M/Au:S/C:N/I:N/A:P/CDP:N/CR:M
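Taken together, the CVSS v2 parsing issues on this page (metric order, case-sensitive metric names, vectors carrying only the base and temporal groups, complete groups with ND values, and emitting ND metrics) describe a single validator. The following is an added example, not code from go-cvss: a strict CVSS v2 parser and encoder that walks Table 13 position by position, so that a reordered, duplicated, misspelled or lowercase metric is rejected, an optional group must be complete once it has started, and String() re-emits every metric of each present group, ND included. The names ParseV2, V2Vector, splitMetric and allowed are this example's own; the value tables are transcribed from Table 13 of the v2 specification.

```go
package main

import (
	"fmt"
	"strings"
)

// v2Metric is one row of CVSS v2 Table 13: a metric name and its permitted
// values (space-separated). Matching is case-sensitive, so "rc" never matches.
type v2Metric struct{ name, values string }

// v2Groups holds the base, temporal and environmental groups in the exact
// order Table 13 prescribes. The base group is mandatory; an optional group
// may be absent, but once its first metric appears the whole group must
// follow, ND values included.
var v2Groups = [][]v2Metric{
	{{"AV", "L A N"}, {"AC", "H M L"}, {"Au", "M S N"},
		{"C", "N P C"}, {"I", "N P C"}, {"A", "N P C"}},
	{{"E", "U POC F H ND"}, {"RL", "OF TF W U ND"}, {"RC", "UC UR C ND"}},
	{{"CDP", "N L LM MH H ND"}, {"TD", "N L M H ND"},
		{"CR", "L M H ND"}, {"IR", "L M H ND"}, {"AR", "L M H ND"}},
}

// V2Vector is a validated vector: its metrics plus a bitmask of the groups
// that were present (1 = base, 2 = temporal, 4 = environmental).
type V2Vector struct {
	Metrics map[string]string
	Groups  int
}

func splitMetric(part string) (name, value string) {
	kv := strings.SplitN(part, ":", 2)
	if len(kv) != 2 {
		return part, ""
	}
	return kv[0], kv[1]
}

func allowed(m v2Metric, value string) bool {
	for _, v := range strings.Fields(m.values) {
		if v == value {
			return true
		}
	}
	return false
}

// ParseV2 accepts a vector only when it is one, two or three complete groups
// in Table 13 order. Because every position is checked, a reordered,
// duplicated, misspelled or lowercase metric fails with an "expected" error.
func ParseV2(raw string) (*V2Vector, error) {
	parts := strings.Split(raw, "/")
	v := &V2Vector{Metrics: map[string]string{}}
	i := 0
	for g, group := range v2Groups {
		if g > 0 {
			if i >= len(parts) {
				break
			}
			if name, _ := splitMetric(parts[i]); name != group[0].name {
				continue // this optional group is absent; the next one may still follow
			}
		}
		for _, m := range group {
			if i >= len(parts) {
				return nil, fmt.Errorf("incomplete group: missing %s", m.name)
			}
			name, value := splitMetric(parts[i])
			if name != m.name {
				return nil, fmt.Errorf("expected %s at position %d, got %q", m.name, i, parts[i])
			}
			if !allowed(m, value) {
				return nil, fmt.Errorf("invalid value %q for %s", value, m.name)
			}
			v.Metrics[name] = value
			i++
		}
		v.Groups |= 1 << uint(g)
	}
	if i != len(parts) {
		return nil, fmt.Errorf("unexpected metric %q", parts[i])
	}
	return v, nil
}

// String re-emits every metric of each present group, ND included, in
// Table 13 order, so a valid vector round-trips unchanged.
func (v *V2Vector) String() string {
	var out []string
	for g, group := range v2Groups {
		if v.Groups&(1<<uint(g)) != 0 {
			for _, m := range group {
				out = append(out, m.name+":"+v.Metrics[m.name])
			}
		}
	}
	return strings.Join(out, "/")
}

func main() {
	for _, raw := range []string{"AV:N/AC:L/Au:N/C:N/A:C/I:N", "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C"} {
		if v, err := ParseV2(raw); err != nil {
			fmt.Println(raw, "rejected:", err)
		} else {
			fmt.Println(raw, "accepted, re-encoded as", v)
		}
	}
}
```

Driving the positional walk from the table, rather than collecting metrics into a map and checking afterwards, is what makes order, duplicates and group completeness fall out of one loop instead of three separate passes.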

Another Improper Input Validation in CVSS v3 parsing

After #10, I fuzzed the implementation again and discovered that other invalid inputs did not raise errors.
This could be categorized as CWE-20.

For instance, the following Go code does not produce any error.

package main

import (
	"fmt"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	vec, err := metric.NewEnvironmental().Decode("CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:0/A:H")

	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}

produces ->

vec: &{0xc0000ba000 X X X X X X X X X X X}
err: <nil>

The CVSS v3.1 vector is invalid because A is defined twice, but as one is valid, there is no error raised.

You can check this input is invalid, using the official first.org calculator which does not give scores despite base metrics being all defined, or by looking at the specification Table 15 which shows the A (Availability) metric can't be 0.
