stevespringett / cvss-calculator
A Java library for calculating CVSSv2 and CVSSv3 scores and vectors
License: Apache License 2.0
I have come across an issue with the CVSS vector: CVSS:3.1/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N (fetched from the CVEProject and hence not under my control).
Parsing it results in a null result from Cvss.fromVector as the V3_PATTERN doesn't match the - admittedly rather unusual - order of this vector string.
FIRST's CVSS schema is more relaxed here and sees this order as valid.
From what I can see in the code, this would affect all vector strings that are not in the "usual" order.
Hello,
The official CVSS v3.0 specification includes the Environmental metric group, while the library does not support it.
Example code:
String vectorWithEnvMetric = "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:U/RL:O/RC:R/CR:L/IR:M/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:N";
Cvss cvss = Cvss.fromVector(vectorWithEnvMetric);
Score score = cvss.calculateScore();
System.out.println(score.getEnvironmentalScore()); // 0.0 (should be 5.8)
Reference:
https://www.first.org/cvss/v3.0/specification-document#Environmental-Metrics
Expected result using the official CVSS calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:U/RL:O/RC:R/CR:L/IR:M/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:L/MA:L
Let's start by saying that if any of my assumptions are wrong, this issue is not relevant.
As far as I know, CVSS vectors of version 3.0 and 3.1 are identical, at least in the definition of the vector. However, the library is splitting them based on the lack of environmental metrics in the vector. If I'm not wrong, a CVSS 3.0 vector could have environmental metrics, or a CVSS 3.1 vector could have only the base vector.
The effect in the library is that if we try to serialize the vector we will get a definition that starts with CVSS:3.0 or CVSS:3.1 depending on the environmental metrics, which I think is wrong. Wouldn't it be more natural to have:
If it makes sense, I could even try to create a PR based on that if needed.
Hello,
If a vector string does not set metric values in the Temporal or Environmental metric groups, the resulting score is "-1.0".
String vectorWithMissingTemporal = "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:F";
Cvss cvss = Cvss.fromVector(vectorWithMissingTemporal);
Score score = cvss.calculateScore();
System.out.println(score.getBaseScore()); // 7.6
System.out.println(score.getTemporalScore()); // -1.0 (should be 7.4)
System.out.println(score.getEnvironmentalScore()); // -1.0 (should be 7.4)
Reference:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:F
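The unusual-order vector from the first issue and the missing-temporal vector from the issue above, run through an order-agnostic parser with v3.1 base and temporal scoring; this is an added example in Python, not code from cvss-calculator. Weights and the Roundup function are taken from the FIRST CVSS v3.1 specification; environmental metrics are accepted by the parser but not scored, and the example goes slightly beyond the issues by also rejecting duplicate or missing base metrics.

```python
import math
import re

# Metric weights from the FIRST CVSS v3.1 specification (section 7.4)
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}   # Scope unchanged
PR_C = {"N": 0.85, "L": 0.68, "H": 0.5}    # Scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
E = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
RL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
RC = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}
BASE = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

def roundup(x):
    # Roundup as defined in v3.1: integer arithmetic avoids float artefacts
    i = int(round(x * 100000))
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    """Parse a CVSS:3.0 or CVSS:3.1 vector into (version, {metric: value}), any order."""
    m = re.fullmatch(r"CVSS:(3\.[01])((?:/[A-Z]{1,3}:[A-Z])+)", vector)
    if not m:
        raise ValueError("not a CVSS v3 vector: %r" % vector)
    metrics = {}
    for item in m.group(2).lstrip("/").split("/"):
        key, value = item.split(":")
        if key in metrics:
            raise ValueError("duplicate metric %s" % key)
        metrics[key] = value
    missing = [k for k in BASE if k not in metrics]
    if missing:
        raise ValueError("missing base metrics: %s" % ",".join(missing))
    return m.group(1), metrics

def scores(vector):
    """Return (base, temporal); absent temporal metrics default to X (weight 1.0)."""
    _, mt = parse(vector)
    changed = mt["S"] == "C"
    pr = (PR_C if changed else PR_U)[mt["PR"]]
    iss = 1 - (1 - CIA[mt["C"]]) * (1 - CIA[mt["I"]]) * (1 - CIA[mt["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * AV[mt["AV"]] * AC[mt["AC"]] * pr * UI[mt["UI"]]
    base = 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))
    temporal = roundup(base * E[mt.get("E", "X")] * RL[mt.get("RL", "X")] * RC[mt.get("RC", "X")])
    return base, temporal
```

For the vector above, scores() gives base 7.6 and temporal 7.4, matching the official calculator, and the reordered vector from the first issue parses to the same metrics as its canonical form.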
Hi,
Are you planning to support CVSS v4.0?
If so, what is the estimated time frame for the support?
Best,
Tom
I've run Cvss.parse(..) against a couple of vectors, e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H".
The implementation matches it as a 3.0 string, so Cvss.parse(..).toVector() returns vectors of the form "CVSS:3.1/*".