
cvss

A CommonJS library for working with Common Vulnerability Scoring System vectors and scores.

Install

npm i cvss

Usage

var cvss = require('cvss');

var score = cvss.getScore('CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L');

console.log(score) // => 6.2

var rating = cvss.getRating(score);

console.log(rating) // => Medium

#getScore [String or Object input], [Object options (optional)]

This is the main scoring method. It may be called with either a valid CVSS3 vector string ('CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L') or an object containing the key/value pairs ({ AV: 'P', AC: 'H', PR: 'N', UI:'R', S: 'C', C: 'L', I: 'H', A: 'L' }) corresponding to one as its input parameter.

The optional options parameter controls whether validation errors are thrown or returned, and whether the optional temporal and environmental metrics are included in the score calculation.

options

  • throw: if validation returns an error, throw the error
  • baseOnly: only consider base metrics when calculating score
  • temporal: include temporal metrics when calculating score
  • env: include temporal AND environmental metrics when calculating score (both are included per CVSS3 spec)

#getBaseScore [String or Object input], [Object options (optional)]

Accepts the same arguments as getScore above, but enforces the baseOnly option.

#getTemporalScore [String or Object input], [Object options (optional)]

Accepts the same arguments as getScore above, but enforces the temporal option.

#getEnvironmentalScore [String or Object input], [Object options (optional)]

Accepts the same arguments as getScore above, but enforces the env option (temporal and environmental metrics included).

#getRating [Number score]

Given a numeric score, returns the appropriate CVSS3 severity rating for that number: None for scores < 0.1, Low for scores >= 0.1 and < 4, Medium for scores >=4 and < 7, High for scores >= 7 and < 9, Critical for scores >= 9.

#getBase [String or Object input], [Object options (optional)]

Returns an object with the base score and its rating. Equivalent to

{
    score: getBaseScore(input),
    rating: getRating(getBaseScore(input))
}

#getEnvironmental [String or Object input], [Object options (optional)]

Returns an object with the environmental score and its rating. Equivalent to

{
    score: getEnvironmentalScore(input),
    rating: getRating(getEnvironmentalScore(input))
}

#getTemporal [String or Object input], [Object options (optional)]

Returns an object with the temporal score and its rating. Equivalent to

{
    score: getTemporalScore(input),
    rating: getRating(getTemporalScore(input))
}

#getAll [String or Object input], [Object options (optional)]

Returns an object with the score and rating for all three scores:

{
    base: getBase(input),
    temporal: getTemporal(input),
    environmental: getEnvironmental(input)
}

cvss's People

Contributors

aaronmccall, chriswininger, lirantal, pdehaan


cvss's Issues

Score Off with S:C and AV:N (high exploitability term and modifier)

I noticed with certain vectors such as: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H, this library appears to be off by 0.1 as compared to https://www.first.org/cvss/calculator/3.0#CVSS:3.0/ and https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.

It looks like the issue is how you apply the modifier of 1.08 when S:C is in the vector. In getBase the library is returning return exports.formatScore(modifier * impact + exploitability); but according to https://www.first.org/cvss/specification-document: Scope Changed Round up (Minimum [1.08 × (Impact + Exploitability), 10])

To see this mistake you need decently high impact and/or exploitability terms with a modifier set. I have created a pull request which corrects the logic and adds a test case that would have caught this.

#4

Hope this is helpful. Thanks for putting this out there :-)
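To make the README's getScore/getRating behaviour and the rounding point raised in this issue concrete, here is an added example of a stand-alone CVSS v3.0 base-score calculator. It is not the cvss package's code: it implements the Impact, Exploitability and Roundup formulas from the FIRST CVSS v3.0 specification directly, accepts the same two input forms the README describes (a vector string or an object of metric/value pairs), and mirrors the library's throw option. The function names (parseVector, validateBase, roundUp, baseScore, getRating) and the sample vectors are this example's own.

```javascript
// Added example, not the cvss package's own code: a self-contained CVSS v3.0
// base-score calculator following the formulas and metric weights in the
// FIRST CVSS v3.0 specification. Like the library's getScore, it accepts a
// vector string or an object of metric/value pairs, and its `throw` option
// decides whether a validation error is thrown or returned.

// Allowed values per base metric (constructed from the v3.0 spec).
const VALID = {
  AV: ['N', 'A', 'L', 'P'], AC: ['L', 'H'], PR: ['N', 'L', 'H'], UI: ['N', 'R'],
  S: ['U', 'C'], C: ['H', 'L', 'N'], I: ['H', 'L', 'N'], A: ['H', 'L', 'N'],
};

// Numeric weights from the v3.0 spec. PR weighs differently when Scope is Changed.
const W = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  PR: { U: { N: 0.85, L: 0.62, H: 0.27 }, C: { N: 0.85, L: 0.68, H: 0.5 } },
  UI: { N: 0.85, R: 0.62 },
  CIA: { H: 0.56, L: 0.22, N: 0 },
};

// Parse 'CVSS:3.0/AV:N/AC:L/...' into { AV: 'N', AC: 'L', ... }.
// Objects are copied through. Problems come back as Error values.
function parseVector(input) {
  if (input && typeof input === 'object') return Object.assign({}, input);
  if (typeof input !== 'string') return new Error('input must be a vector string or object');
  const parts = input.split('/');
  if (parts[0] !== 'CVSS:3.0') return new Error('vector must start with CVSS:3.0');
  const metrics = {};
  for (const part of parts.slice(1)) {
    const [key, value, extra] = part.split(':');
    if (!key || !value || extra !== undefined) return new Error('malformed metric "' + part + '"');
    metrics[key] = value;
  }
  return metrics;
}

// Every base metric must be present with a value the spec defines.
function validateBase(metrics) {
  for (const name of Object.keys(VALID)) {
    const value = metrics[name];
    if (value === undefined) return new Error('missing base metric ' + name);
    if (!VALID[name].includes(value)) return new Error('invalid value ' + name + ':' + value);
  }
  return null;
}

// Round up to one decimal. This is the integer-based Roundup from v3.1, which
// gives the same results as v3.0's definition without floating-point surprises.
function roundUp(x) {
  const scaled = Math.round(x * 100000);
  if (scaled % 10000 === 0) return scaled / 100000;
  return (Math.floor(scaled / 10000) + 1) / 10;
}

// Base score per the v3.0 spec; returns (or throws) an Error on bad input.
function baseScore(input, options = {}) {
  const metrics = parseVector(input);
  const err = metrics instanceof Error ? metrics : validateBase(metrics);
  if (err) {
    if (options.throw) throw err;
    return err;
  }
  const changed = metrics.S === 'C';
  const iss = 1 - (1 - W.CIA[metrics.C]) * (1 - W.CIA[metrics.I]) * (1 - W.CIA[metrics.A]);
  const impact = changed
    ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
    : 6.42 * iss;
  const exploitability = 8.22 * W.AV[metrics.AV] * W.AC[metrics.AC]
    * W.PR[changed ? 'C' : 'U'][metrics.PR] * W.UI[metrics.UI];
  if (impact <= 0) return 0;
  // With Scope Changed the 1.08 modifier applies to the whole sum, and the
  // result is capped at 10 before rounding:
  // Roundup(Minimum(1.08 * (Impact + Exploitability), 10)).
  return changed
    ? roundUp(Math.min(1.08 * (impact + exploitability), 10))
    : roundUp(Math.min(impact + exploitability, 10));
}

// Severity bands as listed in the README (CVSS v3.0 qualitative rating scale).
function getRating(score) {
  if (score < 0.1) return 'None';
  if (score < 4) return 'Low';
  if (score < 7) return 'Medium';
  if (score < 9) return 'High';
  return 'Critical';
}

// Stand-alone run: the README's vector and the vector from the rounding issue.
for (const v of ['CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L',
                 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H']) {
  const s = baseScore(v);
  console.log(v, '=>', s, getRating(s));
}
```

With the spec's formula the README vector scores 6.2 (Medium) and the issue's vector AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H scores 5.6; applying the 1.08 modifier to Impact alone before adding Exploitability, as the issue describes, gives 5.46 and rounds to 5.5, which is the 0.1 gap reported above. Returning an Error value instead of throwing by default keeps scoring of untrusted vector strings (for example, from a feed or ticket field) from aborting a batch job, while `{ throw: true }` restores fail-fast behaviour for callers that prefer it.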

Incorrect score calculated when Environmental Requirement metrics are provided

Steps to reproduce

To reproduce, run the following test:

it('returns the correct environmental score for vector without modifiers', function () {
  var someVector = parseVector('CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L/CR:H/IR:H/AR:H');

  expect(scores.getBase(someVector, { env: true })).to.equal(7.4);
});

This test will fail as getBase returns 6.3 instead of 7.4. As can be seen on FIRST.org, 7.4 should be the environmental score: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L/CR:H/IR:H/AR:H.

Workaround for v1.0.5

The temporary workaround that I used was to always pass the Modified Scope (MS) metric to the vector string and make sure that it has the same value as the Scope (S) metric. The following test passes:

it('returns the correct environmental score for vector without modifiers', function () {
  var someVector = parseVector('CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L/CR:H/IR:H/AR:H/MS:C');

  expect(scores.getBase(someVector, { env: true })).to.equal(7.4);
});

This was tested against version 1.0.5.

Environmental Options

In the options you specify in your documentation, you have an option for environmental in getScore
https://github.com/aaronmccall/cvss
options.environment

However, in reviewing the code, it appears you are looking for an option called env and not environmental.

This should be corrected.

Bad environmental score

Hi,

It seems that the environmental score is inaccurate for this vector:
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H/E:H/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H

We have a value of 9.7 instead of 10.0.

Is it possible to fix this?
Thanks for your job.

Matt
