goark / go-cvss
Common Vulnerability Scoring System (CVSS)
License: Apache License 2.0
During differential fuzzing with github.com/pandatix/go-cvss, I discovered that your implementation does not properly compute CVSS v2 environmental scores (as for #18).

For instance, the vector AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND has an environmental score of 9.0, according to the NVD CVSS v2 calculator. Nevertheless, the following Go code illustrates this issue, i.e. invalid scores.

```go
package main

import (
	"fmt"
	"log"

	"github.com/goark/go-cvss/v2/metric"
)

func main() {
	raw := "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND"
	vec, err := metric.NewEnvironmental().Decode(raw)
	if err != nil {
		log.Fatal(err)
	}
	// base, temporal and environmental scores of the same vector
	b, t, e := vec.Base.Score(), vec.Temporal.Score(), vec.Score()
	fmt.Printf("Scores: %.1f;%.1f;%.1f\n", b, t, e)
}
```

produces ->

```
Scores: 8.3;8.3;9.1
```
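To show how the three v2 scores come out of the guide's equations, here is an added, self-contained Go implementation; it is example code written for this page, not code from goark/go-cvss or from the reporter. The metric weights are those of the CVSS v2 guide (Sections 3.2.1 to 3.2.3). round1 is an assumption about what the guide's "round_to_1_decimal" means, because the guide does not say how an exact half is treated, and that is precisely what this issue's vector exercises: with the base and adjusted temporal scores rounded to one decimal as the guide's equations define them, the environmental equation evaluates to (8.1 + (10 − 8.1) × 0.5) × 1.0 = 9.05 before the final rounding, so 9.0 and 9.1 differ only in how that half is rounded in floating point, not in any metric weight. The environmental metrics appended to the guide's CVE-2002-0392 example vector are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Metric weights from the CVSS v2 guide, Sections 3.2.1 to 3.2.3. Temporal
// and environmental metrics default to ND, whose weight is the identity for
// the equation it appears in (CDP:ND is 0 because CDP is an addend).
var v2Weights = map[string]map[string]float64{
	"AV":  {"L": 0.395, "A": 0.646, "N": 1.0},
	"AC":  {"H": 0.35, "M": 0.61, "L": 0.71},
	"Au":  {"M": 0.45, "S": 0.56, "N": 0.704},
	"C":   {"N": 0.0, "P": 0.275, "C": 0.660},
	"I":   {"N": 0.0, "P": 0.275, "C": 0.660},
	"A":   {"N": 0.0, "P": 0.275, "C": 0.660},
	"E":   {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
	"RL":  {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
	"RC":  {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
	"CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
	"TD":  {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
	"CR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
	"IR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
	"AR":  {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}

// Scores holds the three CVSS v2 scores, each rounded to one decimal.
type Scores struct{ Base, Temporal, Environmental float64 }

// round1 is the guide's round_to_1_decimal applied to the float64 value:
// nearest, halves away from zero. This is an assumption; the guide does not
// say how a value that comes out as exactly x.x5 is treated, so scores on
// such a boundary can legitimately differ by 0.1 between implementations.
func round1(x float64) float64 { return math.Round(x*10) / 10 }

// baseEq is the unrounded base equation; f(Impact) is 0 when Impact is 0.
func baseEq(impact, expl float64) float64 {
	if impact == 0 {
		return 0
	}
	return (0.6*impact + 0.4*expl - 1.5) * 1.176
}

// ScoreV2 computes the base, temporal and environmental scores of a v2
// vector. Values are checked against the tables above; metric order and
// group completeness (Table 13) are not enforced here.
func ScoreV2(raw string) (Scores, error) {
	m := map[string]string{}
	for _, part := range strings.Split(raw, "/") {
		kv := strings.SplitN(part, ":", 2)
		if len(kv) != 2 {
			return Scores{}, fmt.Errorf("malformed metric %q", part)
		}
		m[kv[0]] = kv[1]
	}
	w := map[string]float64{}
	for name, table := range v2Weights {
		v, ok := m[name]
		if !ok {
			v = "ND" // an absent optional metric is Not Defined
		}
		if w[name], ok = table[v]; !ok {
			return Scores{}, fmt.Errorf("metric %s: unknown value %q", name, v)
		}
	}
	// Base score (Section 3.2.1).
	impact := 10.41 * (1 - (1-w["C"])*(1-w["I"])*(1-w["A"]))
	expl := 20 * w["AV"] * w["AC"] * w["Au"]
	base := round1(baseEq(impact, expl))
	// Temporal score (Section 3.2.2).
	tf := w["E"] * w["RL"] * w["RC"]
	temporal := round1(base * tf)
	// Environmental score (Section 3.2.3): the temporal score is recomputed
	// with AdjustedImpact in place of Impact, then moved towards 10 by the
	// collateral damage potential and scaled by the target distribution.
	adjImpact := math.Min(10, 10.41*(1-(1-w["C"]*w["CR"])*(1-w["I"]*w["IR"])*(1-w["A"]*w["AR"])))
	adjTemporal := round1(round1(baseEq(adjImpact, expl)) * tf)
	env := round1((adjTemporal + (10-adjTemporal)*w["CDP"]) * w["TD"])
	return Scores{base, temporal, env}, nil
}

func main() {
	for _, raw := range []string{
		// Base and temporal metrics of the guide's Section 3.3.1 example
		// (CVE-2002-0392); the environmental metrics are appended here for
		// illustration and are constructed, not taken from the guide.
		"AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H",
		// The vector from this issue: the environmental equation evaluates
		// to exactly 9.05 before rounding, hence 9.0 versus 9.1.
		"AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND",
	} {
		s, err := ScoreV2(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s\nScores: %.1f;%.1f;%.1f\n", raw, s.Base, s.Temporal, s.Environmental)
	}
}
```

A base-only or base-plus-temporal vector scores its environmental part with CDP:ND (0) and TD:ND (1.0), so the environmental score simply equals the temporal score; that is the behaviour a library should produce for such vectors rather than refusing them.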
After #10 and #13, I fuzzed the implementation again and discovered that other invalid inputs did not raise errors.

This could be categorized as CWE-20.

For instance, the following Go code does not produce any error.

```go
package main

import (
	"fmt"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	// A:n is lowercase; Table 15 only allows H, L or N
	vec, err := metric.NewEnvironmental().Decode("CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:n")
	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}
```

produces ->

```
vec: &{0xc0000a0a50 X X X X X X X X X X X map[]}
err: <nil>
```

You can check that this input is invalid using the official first.org calculator, which does not give scores despite all base metrics being defined, or by looking at specification Table 15, which shows the A (Availability) metric can only be equal to [H,L,N] (not their lowercase equivalents).

The root of this issue is validating lowercase equivalents, which is not compliant with the first.org specifications.
Still while fuzzing the implementation, I discovered that environmental scores were not computed properly, leading to invalid scores.

For instance, the following Go code computes the three scores and prints them.

```go
package main

import (
	"fmt"
	"log"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	// base scope is Unchanged, modified scope is Changed
	vec, err := metric.NewEnvironmental().Decode("CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N/MS:C")
	if err != nil {
		log.Fatal(err)
	}
	b, t, e := vec.Base.Score(), vec.Temporal.Score(), vec.Score()
	fmt.Printf("Scores: %.1f;%.1f;%.1f\n", b, t, e)
}
```

produces ->

```
Scores: 5.4;5.4;6.4
```

You can check that this input is valid using the official first.org calculator, which then computes an environmental score of 6.5.
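An added v3.1 scoring example, written for this page and not taken from goark/go-cvss or the reporter, computing the three scores of the vector above. It follows the specification's Section 7 equations and the Appendix A Roundup function, with the Section 7.4 weights transcribed into the table. The point this MS:C vector exercises is that, in the environmental equations, the Privileges Required weight is the one for the Modified Scope (PR:L weighs 0.62 with scope Unchanged and 0.68 with scope Changed); together with the Changed-scope impact equation that takes the vector from 5.4 to 6.5, whereas reusing the Unchanged-scope weight 0.62 in the modified exploitability sub-score gives 6.4. Vector parsing is deliberately minimal and assumes a well-formed vector.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// CVSS v3.1 weights from specification Section 7.4. S is stored as a 0/1 flag;
// PR holds the Scope Unchanged weights, pr() below applies the Changed ones.
var cia = map[string]float64{"H": 0.56, "L": 0.22, "N": 0}
var req = map[string]float64{"X": 1, "H": 1.5, "M": 1, "L": 0.5}
var v31 = map[string]map[string]float64{
	"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
	"AC": {"L": 0.77, "H": 0.44},
	"PR": {"N": 0.85, "L": 0.62, "H": 0.27},
	"UI": {"N": 0.85, "R": 0.62},
	"S":  {"U": 0, "C": 1},
	"C":  cia, "I": cia, "A": cia,
	"E":  {"X": 1, "H": 1, "F": 0.97, "P": 0.94, "U": 0.91},
	"RL": {"X": 1, "U": 1, "W": 0.97, "T": 0.96, "O": 0.95},
	"RC": {"X": 1, "C": 1, "R": 0.96, "U": 0.92},
	"CR": req, "IR": req, "AR": req,
}

// Roundup is the v3.1 Appendix A function; its integer arithmetic keeps a
// float artefact such as 4.000000000000001 from rounding up to 4.1.
func Roundup(x float64) float64 {
	i := int64(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return float64(i/10000+1) / 10
}

// combine is the scope-dependent tail shared by the base and environmental equations.
func combine(impact, expl float64, changed bool) float64 {
	if impact <= 0 {
		return 0
	}
	if changed {
		return Roundup(math.Min(1.08*(impact+expl), 10))
	}
	return Roundup(math.Min(impact+expl, 10))
}

// ScoreV31 returns the base, temporal and environmental scores of a v3.1 vector.
// It assumes a well-formed "CVSS:3.1/" vector (no duplicate or empty metrics);
// values are looked up case-sensitively, so "A:n" is an error.
func ScoreV31(raw string) (base, temporal, env float64, err error) {
	// Absent temporal and requirement metrics are X (Not Defined).
	m := map[string]string{"E": "X", "RL": "X", "RC": "X", "CR": "X", "IR": "X", "AR": "X"}
	for _, part := range strings.Split(strings.TrimPrefix(raw, "CVSS:3.1/"), "/") {
		name, value, _ := strings.Cut(part, ":")
		m[name] = value
	}
	w := func(name, value string) float64 { // weight lookup, recording the first bad value
		x, ok := v31[name][value]
		if !ok && err == nil {
			err = fmt.Errorf("metric %s: invalid value %q", name, value)
		}
		return x
	}
	mod := func(name string) string { // M-prefixed override when set and not X, else base value
		if v, ok := m["M"+name]; ok && v != "X" {
			return v
		}
		return m[name]
	}
	pr := func(value string, changed bool) float64 { // PR weight for the scope in effect
		if x := w("PR", value); !changed {
			return x
		}
		return map[string]float64{"N": 0.85, "L": 0.68, "H": 0.5}[value]
	}
	// Base score (Section 7.1).
	changed := w("S", m["S"]) == 1
	iss := 1 - (1-w("C", m["C"]))*(1-w("I", m["I"]))*(1-w("A", m["A"]))
	impact := 6.42 * iss
	if changed {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	expl := 8.22 * w("AV", m["AV"]) * w("AC", m["AC"]) * pr(m["PR"], changed) * w("UI", m["UI"])
	base = combine(impact, expl, changed)
	// Temporal score (Section 7.2).
	tf := w("E", m["E"]) * w("RL", m["RL"]) * w("RC", m["RC"])
	temporal = Roundup(base * tf)
	// Environmental score (Section 7.3): modified metrics replace the base
	// ones, and the PR weight follows the Modified Scope, not the base Scope.
	mchanged := w("S", mod("S")) == 1
	miss := math.Min(1-(1-w("CR", m["CR"])*w("C", mod("C")))*(1-w("IR", m["IR"])*w("I", mod("I")))*(1-w("AR", m["AR"])*w("A", mod("A"))), 0.915)
	mimpact := 6.42 * miss
	if mchanged {
		mimpact = 7.52*(miss-0.029) - 3.25*math.Pow(miss*0.9731-0.02, 13)
	}
	mexpl := 8.22 * w("AV", mod("AV")) * w("AC", mod("AC")) * pr(mod("PR"), mchanged) * w("UI", mod("UI"))
	env = Roundup(combine(mimpact, mexpl, mchanged) * tf)
	if err != nil {
		return 0, 0, 0, err
	}
	return base, temporal, env, nil
}

func main() {
	fmt.Println(ScoreV31("CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N/MS:C"))
}
```

Because every weight is read through the case-sensitive table, the lowercase vector from the previous issue ("A:n") is rejected by the same lookup that scores valid vectors, which is the cheapest place to enforce Table 15.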
During differential fuzzing with github.com/pandatix/go-cvss, I discovered that your implementation does not properly validate CVSS v2 vectors when environmental metric values are not defined.

This could be categorized as CWE-20.

In order to be compliant with the first.org specification Table 13, you must only validate a vector when all the group metrics are defined in the input vector, even if Temporal and Environmental ones are set to ND (Not Defined).

The following Go code illustrates this issue.

```go
package main

import (
	"fmt"

	"github.com/goark/go-cvss/v2/metric"
)

func main() {
	// environmental group is incomplete: IR and AR are missing
	raw := "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:H"
	vec, err := metric.NewEnvironmental().Decode(raw)
	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}
```

produces ->

```
vec: AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:H/IR:ND/AR:ND
err: <nil>
```
During differential fuzzing with github.com/pandatix/go-cvss, I discovered that some invalid inputs did not raise errors.

This could be categorized as CWE-20.

For instance, the following Go code does not produce any error (using tag v1.4.4).

```go
package main

import (
	"fmt"

	"github.com/goark/go-cvss/v2/base"
)

func main() {
	// rc is lowercase; Table 13 names the metric RC
	vec, err := base.Decode("AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/rc:C")
	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}
```

produces ->

```
vec: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
err: <nil>
```

You can check that this input is invalid by looking at specification Table 13, which shows metrics are only uppercase.

This issue is similar to #15 but related to the metrics directly and not their values.
Hello,

Are you interested in the Temporal Score parsing and calculation? I'm asking because I have an internal fork of your repo and I needed that, so I thought it would be nice to propose the patch upstream.

Regards,
During differential fuzzing with github.com/pandatix/go-cvss, I discovered that your implementation does not emit valid CVSS v2 vectors.

Indeed, after parsing a vector, it only emits the temporal metrics that are different from ND (Not Defined).

In order to be compliant, you must emit all group metrics even if they are equal to ND, according to the first.org specification Table 13, which shows that all metrics of a group are required.

Notice this is not the case with CVSS v3, as first.org specification Table 15 states temporal and environmental metrics are not mandatory when equal to X (Not Defined).

The following Go code illustrates this issue.

```go
package main

import (
	"fmt"
	"log"

	"github.com/goark/go-cvss/v2/base"
)

func main() {
	// TD, IR and AR are explicitly ND and should survive a round trip
	raw := "AV:L/AC:M/Au:S/C:N/I:N/A:P/CDP:N/TD:ND/CR:M/IR:ND/AR:ND"
	vec, err := base.Decode(raw)
	if err != nil {
		log.Fatal(err)
	}
	out := vec.String()
	fmt.Printf("out: %v\n", out)
}
```

produces ->

```
out: AV:L/AC:M/Au:S/C:N/I:N/A:P/CDP:N/CR:M
```
After #10, I fuzzed the implementation again and discovered that other invalid inputs did not raise errors.

This could be categorized as CWE-20.

For instance, the following Go code does not produce any error.

```go
package main

import (
	"fmt"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	// A is given twice, once with the invalid value 0
	vec, err := metric.NewEnvironmental().Decode("CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:0/A:H")
	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}
```

produces ->

```
vec: &{0xc0000ba000 X X X X X X X X X X X}
err: <nil>
```

The CVSS v3.1 vector is invalid because A is defined twice, but as one of them is valid, no error is raised.

You can check that this input is invalid using the official first.org calculator, which does not give scores despite all base metrics being defined, or by looking at specification Table 15, which shows the A (Availability) metric can't be 0.
During differential fuzzing with github.com/pandatix/go-cvss, I discovered that your implementation does not properly handle CVSS v2 environmental parsing for vectors that do not have environmental metrics defined.

This could be categorized as CWE-20.

In order to be compliant with the first.org specification, you must validate vectors that do not have environmental metrics defined.

The following Go code illustrates this issue. Notice the input vector comes from the specification section 3.3.1 for CVE-2002-0392.

```go
package main

import (
	"fmt"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	// base and temporal metrics only; no environmental group at all
	raw := "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C"
	vec, err := metric.NewEnvironmental().Decode(raw)
	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}
```

produces ->

```
vec:
err: no metrics
```
While differential fuzzing with github.com/pandatix/go-cvss, I discovered that your implementation does not properly validate CVSS v2 vectors, as it doesn't check the metric order.

In order to be compliant with the first.org specification Section 2.4 ("the vector lists these metrics in a predetermined order [...]"), you must validate that every metric is in the order of Table 13.

The following Go code illustrates this issue.

```go
package main

import (
	"fmt"

	"github.com/goark/go-cvss/v2/metric"
)

func main() {
	// I and A are swapped relative to the Table 13 order
	raw := "AV:N/AC:L/Au:N/C:N/A:C/I:N"
	vec, err := metric.NewEnvironmental().Decode(raw)
	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}
```

produces ->

```
vec: AV:N/AC:L/Au:N/C:N/I:N/A:C
err: <nil>
```

As the order is AV -> AC -> Au -> C -> I -> A, the CVSS v2 vector AV:N/AC:L/Au:N/C:N/A:C/I:N is invalid.

Notice this is not specified in CVSS v3 (no metric order), so this issue could not be reproduced with submodule v3.
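The v2 checks the issues on this page ask for (metric names and values exactly as in Table 13, case-sensitive; metrics in Table 13 order; an optional group either absent or complete, ND being a value rather than an omission; no duplicates; and emission of every metric of a present group) can be expressed as one strict parser. The following is an added example written for this page, not goark/go-cvss code. The group definitions are transcribed from Table 13; that a vector may carry the environmental group without the temporal one follows the expected output shown in the issue above about undefined environmental metrics (IR:ND/AR:ND present, no E/RL/RC), and FormatV2 relies on ParseV2 having produced complete groups.

```go
package main

import (
	"fmt"
	"strings"
)

// metricDef is one row of the CVSS v2 guide's Table 13: the metric name and
// its permitted values, exactly as written (case matters).
type metricDef struct {
	name   string
	values []string
}

// v2Groups lists the base, temporal and environmental groups in the order
// Table 13 prescribes. Only the base group is mandatory; an optional group
// is either absent or complete, ND being an explicit value, not an omission.
var v2Groups = [][]metricDef{
	{
		{"AV", []string{"L", "A", "N"}},
		{"AC", []string{"H", "M", "L"}},
		{"Au", []string{"M", "S", "N"}},
		{"C", []string{"N", "P", "C"}},
		{"I", []string{"N", "P", "C"}},
		{"A", []string{"N", "P", "C"}},
	},
	{
		{"E", []string{"U", "POC", "F", "H", "ND"}},
		{"RL", []string{"OF", "TF", "W", "U", "ND"}},
		{"RC", []string{"UC", "UR", "C", "ND"}},
	},
	{
		{"CDP", []string{"N", "L", "LM", "MH", "H", "ND"}},
		{"TD", []string{"N", "L", "M", "H", "ND"}},
		{"CR", []string{"L", "M", "H", "ND"}},
		{"IR", []string{"L", "M", "H", "ND"}},
		{"AR", []string{"L", "M", "H", "ND"}},
	},
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// ParseV2 validates a v2 vector against Table 13 and returns its metrics.
// It rejects lowercase names or values, metrics out of order, duplicates,
// and a temporal or environmental group with any metric missing.
func ParseV2(raw string) (map[string]string, error) {
	parts := strings.Split(raw, "/")
	got := make(map[string]string, len(parts))
	i := 0 // position in parts
	for g, group := range v2Groups {
		// A group is present when its first metric comes next in the vector.
		if i >= len(parts) || !strings.HasPrefix(parts[i], group[0].name+":") {
			if g == 0 {
				return nil, fmt.Errorf("vector must start with %s", group[0].name)
			}
			continue
		}
		for _, def := range group {
			if i >= len(parts) {
				return nil, fmt.Errorf("incomplete group: %s is missing", def.name)
			}
			name, value, _ := strings.Cut(parts[i], ":")
			if name != def.name {
				return nil, fmt.Errorf("position %d: expected %s, got %q", i, def.name, parts[i])
			}
			if !contains(def.values, value) {
				return nil, fmt.Errorf("%s: invalid value %q", name, value)
			}
			got[name] = value
			i++
		}
	}
	if i != len(parts) {
		return nil, fmt.Errorf("position %d: unexpected metric %q", i, parts[i])
	}
	return got, nil
}

// FormatV2 writes metrics parsed by ParseV2 back in Table 13 order, emitting
// every metric of each present group, ND included, so that a vector such as
// the page's "AV:L/.../CDP:N/TD:ND/CR:M/IR:ND/AR:ND" round-trips unchanged.
func FormatV2(m map[string]string) string {
	var out []string
	for _, group := range v2Groups {
		if _, present := m[group[0].name]; !present {
			continue
		}
		for _, def := range group {
			out = append(out, def.name+":"+m[def.name])
		}
	}
	return strings.Join(out, "/")
}

func main() {
	for _, raw := range []string{
		"AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C",             // base + temporal: valid
		"AV:L/AC:M/Au:S/C:N/I:N/A:P/CDP:N/TD:ND/CR:M/IR:ND/AR:ND", // ND is a value, not an omission
		"AV:N/AC:L/Au:N/C:N/A:C/I:N",                             // I and A swapped
		"AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:H",             // IR and AR missing
		"AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/rc:C",              // lowercase metric name
	} {
		m, err := ParseV2(raw)
		if err != nil {
			fmt.Printf("%-55s invalid: %v\n", raw, err)
			continue
		}
		fmt.Printf("%-55s valid, emitted as %s\n", raw, FormatV2(m))
	}
}
```

Walking the groups in a fixed order with a single cursor gives the order check, the duplicate check and the completeness check for free: anything left over once the three groups have been consumed, including a repeated metric, is reported as an unexpected metric at that position.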
While fuzzing this implementation, I discovered that some invalid inputs did not raise errors.

This could be categorized as CWE-20.

For instance, the following Go code does not produce any error.

```go
package main

import (
	"fmt"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	// RC has an empty value
	rawVec := "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L/RC:"
	vec, err := metric.NewEnvironmental().Decode(rawVec)
	fmt.Printf("vec: %v\n", vec)
	fmt.Printf("err: %v\n", err)
}
```

produces ->

```
vec: &{0xc0000bc000 X X X X X X X X X X X}
err: <nil>
```

You can check that this input is invalid using the official first.org calculator, which does not give scores despite all base metrics being defined, or by looking at specification Table 15, which shows the RC (ReportConfidence) metric can't be empty.
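For v3.1 the rules differ from v2: the specification fixes no metric order and temporal and environmental metrics are optional, but every metric must appear at most once and carry exactly one of its Table 15 values, so the "A:n", "A:0/A:H" and empty "RC:" inputs from the issues above are all rejected. An added example written for this page, not goark/go-cvss code, with the allowed values transcribed from Table 15 and the duplicate-metric vector constructed for illustration:

```go
package main

import (
	"fmt"
	"strings"
)

// v31Values lists every CVSS v3.1 metric with its permitted values from
// specification Table 15, exactly as written: lookups are case-sensitive.
var v31Values = map[string][]string{
	"AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "PR": {"N", "L", "H"},
	"UI": {"N", "R"}, "S": {"U", "C"},
	"C": {"H", "L", "N"}, "I": {"H", "L", "N"}, "A": {"H", "L", "N"},
	"E": {"X", "H", "F", "P", "U"}, "RL": {"X", "U", "W", "T", "O"}, "RC": {"X", "C", "R", "U"},
	"CR": {"X", "H", "M", "L"}, "IR": {"X", "H", "M", "L"}, "AR": {"X", "H", "M", "L"},
	"MAV": {"X", "N", "A", "L", "P"}, "MAC": {"X", "L", "H"}, "MPR": {"X", "N", "L", "H"},
	"MUI": {"X", "N", "R"}, "MS": {"X", "U", "C"},
	"MC": {"X", "H", "L", "N"}, "MI": {"X", "H", "L", "N"}, "MA": {"X", "H", "L", "N"},
}

// v31Base are the metrics every v3.1 vector must carry; temporal and
// environmental metrics are optional and may be omitted or set to X.
var v31Base = []string{"AV", "AC", "PR", "UI", "S", "C", "I", "A"}

const v31Prefix = "CVSS:3.1/"

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// ParseV31 validates a v3.1 vector and returns its metrics. Any metric order
// is accepted, but each metric may appear at most once and must carry one of
// its listed values, which also rules out the empty value.
func ParseV31(raw string) (map[string]string, error) {
	if !strings.HasPrefix(raw, v31Prefix) {
		return nil, fmt.Errorf("vector must start with %q", v31Prefix)
	}
	m := map[string]string{}
	for i, part := range strings.Split(raw[len(v31Prefix):], "/") {
		name, value, ok := strings.Cut(part, ":")
		if !ok {
			return nil, fmt.Errorf("position %d: %q is not NAME:VALUE", i, part)
		}
		allowed, known := v31Values[name]
		if !known {
			return nil, fmt.Errorf("position %d: unknown metric %q", i, name)
		}
		if _, dup := m[name]; dup {
			return nil, fmt.Errorf("position %d: metric %s defined twice", i, name)
		}
		if !contains(allowed, value) { // catches "0", "n" and the empty value alike
			return nil, fmt.Errorf("%s: invalid value %q (allowed: %s)", name, value, strings.Join(allowed, ","))
		}
		m[name] = value
	}
	for _, name := range v31Base {
		if _, ok := m[name]; !ok {
			return nil, fmt.Errorf("base metric %s is required", name)
		}
	}
	return m, nil
}

func main() {
	for _, raw := range []string{
		"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N/MS:C",  // valid
		"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:n",       // lowercase value
		"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:0/A:H",   // invalid value, then duplicate
		"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/A:L",   // constructed: duplicate with valid values
		"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L/RC:",   // empty value
	} {
		if m, err := ParseV31(raw); err != nil {
			fmt.Printf("%-55s invalid: %v\n", raw, err)
		} else {
			fmt.Printf("%-55s valid (%d metrics)\n", raw, len(m))
		}
	}
}
```

The allowed-value lookup does double duty: because the empty string is never in a value list, "RC:" fails the same check as "A:0", and no separate test for emptiness is needed.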