
cvss's People

Contributors

chrisdlangton, dim0x69, iamleot, jeffreylmelvin, jobiewinserapck, jobselko, jsvob, juspence, mprpic, roang-zero1, saigono, skontar


cvss's Issues

set up continuous integration service

It could be beneficial if the test suite of the cvss library could be run with any continuous integration service to make sure that it works with various Python versions.

I would suggest trying Travis.

Minor CVSSv2 Score difference with NVD.

The library is great! While using it one of our people noticed a tiny scoring difference between the library and NVD and I am not actually certain which is correct.

https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:U/RC:C)
Returns 7.7

from cvss import CVSS2, CVSS3
vector_1 = 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:U/RC:C'
CVSS2(vector_1).scores()

(9.0, 7.6, None)

https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:U/RC:C)
Returns 8.7

from cvss import CVSS2, CVSS3
vector_2 = 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:U/RC:C'
CVSS2(vector_2).scores()

(9.0, 8.6, None)

Given a base vector, the environmental score is greater than the base score.

Version: CVSS 2.2

Dear skontar,

While trying your tool, I detected something strange:

CVE-ID CVSS-SCORE | cvss3.clean_vector() cvss3.scores() cvss3.severities()
CVE-2020-10713 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (8.2, 8.2, 8.3) ('High', 'High', 'High')
CVE-2019-9500 8.3 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (8.3, 8.3, 8.4) ('High', 'High', 'High')
CVE-2019-9503 8.3 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (8.3, 8.3, 8.4) ('High', 'High', 'High')
CVE-2020-14372 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H (7.5, 7.5, 7.6) ('High', 'High', 'High')
CVE-2020-25632 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (8.2, 8.2, 8.3) ('High', 'High', 'High')
CVE-2020-25647 7.6 | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, 7.6, 7.7) ('High', 'High', 'High')
CVE-2020-27779 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H (7.5, 7.5, 7.6) ('High', 'High', 'High')
CVE-2021-20233 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (8.2, 8.2, 8.3) ('High', 'High', 'High')
CVE-2020-2803 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (8.3, 8.3, 8.4) ('High', 'High', 'High')
CVE-2020-2805 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (8.3, 8.3, 8.4) ('High', 'High', 'High')
CVE-2020-14583 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (8.3, 8.3, 8.4) ('High', 'High', 'High')
CVE-2019-10063 9.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (9.0, 9.0, 9.1) ('Critical', 'Critical', 'Critical')
CVE-2019-9811 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (8.3, 8.3, 8.4) ('High', 'High', 'High')
CVE-2020-3962 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (8.2, 8.2, 8.3) ('High', 'High', 'High')
CVE-2020-3969 7.8 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (7.8, 7.8, 7.9) ('High', 'High', 'High')
CVE-2020-3967 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H (7.5, 7.5, 7.6) ('High', 'High', 'High')
CVE-2020-3968 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (8.2, 8.2, 8.3) ('High', 'High', 'High')
CVE-2020-3966 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H (7.5, 7.5, 7.6) ('High', 'High', 'High')
CVE-2020-4004 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (8.2, 8.2, 8.3) ('High', 'High', 'High')

As you can see, for these cases, the environmental scores are higher than the base ones while nothing in the vector may change it.

Do you think this can be an error in computation precision?

Result from interactive calculator is missing mandatory prefix for CVSSv3

Cannot use interactive calculator for CVSSv3. ask_interactively returns vector without mandatory "CVSS:3.0" prefix. That results in CVSS3MalformedError (unable to feed the result to CVSS3 constructor):

cvss.exceptions.CVSS3MalformedError: Malformed CVSS3 vector "AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:H" is missing mandatory prefix

Unexpected severity result using CVSSv4

Thanks for the tool and adding support for CVSSv4.

Just doing some testing and got an unexpected result. Using the CVSSv4 update it was able to calculate the base score for the vector "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L" as 6.9 correctly but not the correct severity.

Please see code snippet below and in the screenshot.

Actual Results:

>>> from cvss import CVSS4
>>> vector = 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'
>>> c = CVSS4(vector)
>>> print(c.as_json()['baseScore'])
6.9
>>> print(c.as_json()['baseSeverity'])
None
>>> print(c.severity)
High
>>> 

Screenshot to compare to CVSSv4 Website

Expected Results:

>>> from cvss import CVSS4
>>> vector = 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'
>>> c = CVSS4(vector)
>>> print(c.as_json()['baseScore'])
6.9
>>> print(c.as_json()['baseSeverity'])
Medium
>>> print(c.severity)
Medium
>>> 

Improve error message on malformed CVSS string

In [1]: from cvss import CVSS3

In [2]: from cvss.exceptions import CVSS3MalformedError

In [3]: vector = 'CVSS:3.0//AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L'

In [4]: try:
   ...:     cvss = CVSS3(vector)
   ...: except CVSS3MalformedError as e:
   ...:     print(e)
   ...:
Malformed CVSS3 field ""

The vector is missing the AV value but the error message is not very helpful in this case since it shows an empty string. Perhaps default to showing the whole string in case of an empty string.

Environmental score differs from base score without any overrides

See the following output:

$ python
Python 3.10.9 (main, Dec  7 2022, 01:12:00) [GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import cvss
>>> c = cvss.CVSS3("CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H")      
>>> c.base_score
Decimal('9.0')
>>> c.environmental_score
Decimal('9.1')

The given vector contains no environmental entries, yet the score still differs.
This matches the behaviour of the CVSS calculator by first.org, however, it is still incorrect.

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator calculates it correctly.
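The per-CVE table earlier on this page and the 9.0 versus 9.1 output above show the same effect. As an added example that is not the cvss library's own code, the following evaluates the equations of the CVSS v3.1 specification with plain floats: with every temporal and environmental metric left at Not Defined, the only thing that separates the Environmental score from the Base score is that the specification's Modified Impact equation for Scope:Changed uses a 0.9731 factor and exponent 13 where the Base Impact equation uses exponent 15, so the two scores can legitimately differ by 0.1 for a base-only vector.

```python
"""CVSS v3.1 Base and Environmental equations, evaluated with plain floats."""
import math

# Metric weights from the CVSS v3.1 specification, Table 16.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)}  # (S:U, S:C)
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def roundup(x):
    """Spec section 7.5 Roundup: nearest tenth >= x, done on integers."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse(vector):
    """Split a CVSS:3.1 vector into a {metric: value} dict."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:3.1":
        raise ValueError("expected a CVSS:3.1 prefix")
    return dict(part.split(":") for part in rest.split("/"))


def scores(vector):
    """Return (base, environmental) for a base-metrics-only v3.1 vector.

    All temporal/environmental metrics are Not Defined (weight 1), so the
    outer temporal Roundup of section 7.3 changes nothing and is omitted.
    """
    m = parse(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["PR"]][changed] * UI[m["UI"]]
    miss = min(iss, 0.915)  # the spec caps MISS at 0.915
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        # Modified Impact for Scope:Changed uses factor 0.9731 and exponent 13.
        m_impact = 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13
        scale = 1.08
    else:
        impact, m_impact, scale = 6.42 * iss, 6.42 * miss, 1.0
    base = roundup(min(scale * (impact + expl), 10)) if impact > 0 else 0.0
    env = roundup(min(scale * (m_impact + expl), 10)) if m_impact > 0 else 0.0
    return base, env
```

For the vector in the output above this returns (9.0, 9.1), and for the Scope:Unchanged case the two equations coincide, so a vector such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H gives (9.8, 9.8).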

Update cvss.parser.parse_cvss_from_text for CVSSv4

Should be easy for a beginner to update this parse_cvss_from_text method in cvss/parser.py file for CVSSv4 support.

Assuming the CVSS4 class methods are keeping parity with the previous versions (I've not checked this).

Note: I don't need this change, I just thought it would be worth highlighting for someone to get an easy W

Dual License

Hello,

I've noticed that this project seems to be dual licensed, however it is not evident from the project's LICENSE file nor from Readme.

The original code is under LGPL-3.0 license, however the new CVSSv4 is under BSD-2-Clause license.

This might have an impact when packaging this to Fedora Project.

Thank you for helping with this.

EDIT: Pypi also has incomplete information wrt license https://pypi.org/project/cvss/

clean_vector only sorts and cleans original vector string

I noticed there is a clean_vector function that returns the vector string from the object dictionary in correct CVSS order. Unfortunately, this only acts on the original vector string, and I am not seeing anything that acts on the modified vector string in the same way. This acts more like a reset_to_original_vector than a clean_vector.

Suggestions:

  1. add a sort_vector_metrics that takes the cvss dictionary object and returns the vector string in the proper cvss order according to cvss.constants METRICS_ABBREVIATIONS. This way, regardless of changes to the cvss object, the new vector string is returned in the order expected by information security tooling.

Happy to code this myself if you folks have a contribution policy.

No errors when an alien prefix is present in vector for CVSS3

When adding a prefix to CVSS3 vector for constructor, no error is produced. Prefix is silently dropped.

>>> CVSS3('CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N')
<cvss.cvss3.CVSS3 object at 0x...>

Please also check same issue for CVSS2 and for alien prefixes.

Thanks.

PyPI source release for 3.0?

Hello, I help maintain homebrew/core and was looking to update a formula that depends on cvss. Normally we fetch Python package dependencies from PyPI source tarballs, but I noticed 3.0 doesn't have sources available on PyPI.

See for example 2.6 vs. 3.0.

Was it omitted for any particular reason? If not, would it be possible to get an updated source release to PyPI?

License request

Hi:
Thank you for this code!
Would you consider an alternative license such as LGPL, or something else, so that this library can be used in other non-GPL FLOSS tools such as my https://github.com/nexB/scancode-toolkit which is Apache-licensed?
Thank you for your consideration. Feel free to ignore and close this if you feel strongly about the GPL.

CVSS v3 vector requires version prefix

According to the CVSS spec, one of the things that changed from CVSS v2 to v3 is the format of the vector string (6. Vector String):

https://www.first.org/cvss/specification-document

Vector string now expects prefix in format CVSS: followed by CVSS version and separated from metric with /.

The CVSS library accepts a CVSS v3 vector string without this prefix (the examples in the readme also encourage this). This is likely a bug, not a feature: the version prefix has its purpose, and a loose implementation of the specification can have pitfalls down the road. For example, if the CVSS v3.1 spec is out and it contains changes in the equations of how the score is calculated, then

vector = 'S:C/C:H/I:H/A:N/AV:P/AC:H/PR:H/UI:R/E:H/RL:O/RC:R/CR:H/IR:X/AR:X/MAC:H/MPR:X/MUI:X/MC:L/MA:X'
c = CVSS3(vector)
print(c.scores())

how would the library know whether v3.0 or v3.1 equations should be used? Would the cvss lib have to break its API and implement another class, different for each version (i.e. c = CVSS3_1(vector)), in order to allow vectors without a version prefix?

Please fix cvss lib to refuse malformed CVSS v3 vector without version prefix.
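Several of the issues on this page (the interactive calculator omitting the "CVSS:3.0" prefix, the empty-string error message for "CVSS:3.0//AC:H/...", the alien prefix being silently dropped, and the request above to refuse prefix-less v3 vectors) come down to how strictly a vector string is parsed. As an added example that is not the cvss library's code, this is a strict v3 vector check that enforces the mandatory CVSS:3.0/CVSS:3.1 prefix, rejects any other prefix, quotes the whole vector in every error, and rejects unknown, duplicated or missing metrics; the metric names come from the v3.1 specification, the error wording is this example's own.

```python
"""Strict CVSS v3 vector-string checks (added example, not the cvss library's code)."""
import re

KNOWN_VERSIONS = ("3.0", "3.1")
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
# Temporal and environmental metric names from the v3.1 spec; only their names
# and uniqueness are checked here, not their values.
OPTIONAL_METRICS = ("E", "RL", "RC", "CR", "IR", "AR", "MAV", "MAC", "MPR",
                    "MUI", "MS", "MC", "MI", "MA")
# Permitted values for the eight mandatory base metrics (v3.0 and v3.1).
ALLOWED = {"AV": set("NALP"), "AC": set("LH"), "PR": set("NLH"), "UI": set("NR"),
           "S": set("UC"), "C": set("HLN"), "I": set("HLN"), "A": set("HLN")}


class MalformedVector(ValueError):
    """Raised with a message that always quotes the whole offending vector."""


def parse_v3_strict(vector):
    """Return (version, {metric: value}) or raise MalformedVector."""
    prefix, sep, body = vector.partition("/")
    match = re.fullmatch(r"CVSS:(\d\.\d)", prefix)
    if not sep or match is None:
        # Covers both a missing prefix and an alien one (e.g. "X:1/AV:N/...").
        raise MalformedVector('vector "%s" lacks the mandatory CVSS:3.x prefix' % vector)
    version = match.group(1)
    if version not in KNOWN_VERSIONS:
        raise MalformedVector('version %s is not a v3 version in "%s"' % (version, vector))
    metrics = {}
    for field in body.split("/"):
        if not field:  # the "CVSS:3.0//AC:H/..." case: quote the vector, not ""
            raise MalformedVector('empty field in vector "%s"' % vector)
        name, colon, value = field.partition(":")
        if not colon or name not in BASE_METRICS + OPTIONAL_METRICS:
            raise MalformedVector('unknown metric "%s" in "%s"' % (field, vector))
        if name in metrics:
            raise MalformedVector('duplicate metric %s in "%s"' % (name, vector))
        if name in ALLOWED and value not in ALLOWED[name]:
            raise MalformedVector('bad value "%s" for %s in "%s"' % (value, name, vector))
        metrics[name] = value
    missing = [name for name in BASE_METRICS if name not in metrics]
    if missing:
        raise MalformedVector('missing base metrics %s in "%s"' % (missing, vector))
    return version, metrics


def is_well_formed(vector):
    """Boolean convenience wrapper around parse_v3_strict."""
    try:
        parse_v3_strict(vector)
    except MalformedVector:
        return False
    return True
```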
