redhatproductsecurity / cvss
CVSS2/3/4 library with interactive calculator for Python 2 and Python 3
License: GNU Lesser General Public License v3.0
At this line in parse_vector a dictionary lookup on 'S' is made: https://github.com/skontar/cvss/blob/master/cvss/cvss3.py#L147
S is a mandatory metric but that check is not made until after parse_vector. As a result, initializing a CVSS3 with an invalid vector missing 'S' raises a KeyError instead of the expected CVSS3MandatoryError.
It could be beneficial if the test suite of the cvss library could be run with a continuous integration service to make sure that it works with various Python versions.
I would suggest trying Travis.
The library is great! While using it one of our people noticed a tiny scoring difference between the library and NVD and I am not actually certain which is correct.
https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:U/RC:C)
Returns 7.7
from cvss import CVSS2, CVSS3
vector_1 = 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:U/RC:C'
CVSS2(vector_1).scores()
(9.0, 7.6, None)
https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:U/RC:C)
Returns 8.7
from cvss import CVSS2, CVSS3
vector_2 = 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:U/RC:C'
CVSS2(vector_2).scores()
(9.0, 8.6, None)
Version: CVSS 2.2
Dear skontar,
While trying your tool, I detected something strange:
CVE-ID CVSS-SCORE | cvss3.clean_vector() cvss3.scores() cvss3.severities()
CVE-2020-10713 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (8.2, 8.2, 8.3) ('High', 'High', 'High')
CVE-2019-9500 8.3 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (8.3, 8.3, 8.4) ('High', 'High', 'High')
CVE-2019-9503 8.3 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (8.3, 8.3, 8.4) ('High', 'High', 'High')
CVE-2020-14372 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H (7.5, 7.5, 7.6) ('High', 'High', 'High')
CVE-2020-25632 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (8.2, 8.2, 8.3) ('High', 'High', 'High')
CVE-2020-25647 7.6 | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, 7.6, 7.7) ('High', 'High', 'High')
CVE-2020-27779 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H (7.5, 7.5, 7.6) ('High', 'High', 'High')
CVE-2021-20233 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (8.2, 8.2, 8.3) ('High', 'High', 'High')
CVE-2020-2803 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (8.3, 8.3, 8.4) ('High', 'High', 'High')
CVE-2020-2805 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (8.3, 8.3, 8.4) ('High', 'High', 'High')
CVE-2020-14583 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (8.3, 8.3, 8.4) ('High', 'High', 'High')
CVE-2019-10063 9.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (9.0, 9.0, 9.1) ('Critical', 'Critical', 'Critical')
CVE-2019-9811 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (8.3, 8.3, 8.4) ('High', 'High', 'High')
CVE-2020-3962 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (8.2, 8.2, 8.3) ('High', 'High', 'High')
CVE-2020-3969 7.8 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (7.8, 7.8, 7.9) ('High', 'High', 'High')
CVE-2020-3967 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H (7.5, 7.5, 7.6) ('High', 'High', 'High')
CVE-2020-3968 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (8.2, 8.2, 8.3) ('High', 'High', 'High')
CVE-2020-3966 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H (7.5, 7.5, 7.6) ('High', 'High', 'High')
CVE-2020-4004 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (8.2, 8.2, 8.3) ('High', 'High', 'High')
As you can see, for these cases the environmental score is higher than the base one while nothing in the vector may change it.
Do you think this can be an error in computation precision?
Cannot use interactive calculator for CVSSv3. ask_interactively returns a vector without the mandatory "CVSS:3.0" prefix. That results in CVSS3MalformedError (unable to feed the result to the CVSS3 constructor):
cvss.exceptions.CVSS3MalformedError: Malformed CVSS3 vector "AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:H" is missing mandatory prefix
Hi,
I've discovered a problem while using an environmental severity with the cvss3 implementation:
When using the as_json() function in the latest version the temporal and environmental severities are switched.
The interactive calculator mode needs to be updated to work with version 4.0.
Thanks for the tool and adding support for CVSSv4.
Just doing some testing and got an unexpected result. Using the CVSSv4 update it was able to calculate the base score for the vector "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L" as 6.9 correctly but not the correct severity.
Please see code snippet below and in the screenshot.
Actual Results:
>>> from cvss import CVSS4
>>> vector = 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'
>>> c = CVSS4(vector)
>>> print(c.as_json()['baseScore'])
6.9
>>> print(c.as_json()['baseSeverity'])
None
>>> print(c.severity)
High
Screenshot to compare to CVSSv4 Website
Expected Results:
>>> from cvss import CVSS4
>>> vector = 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'
>>> c = CVSS4(vector)
>>> print(c.as_json()['baseScore'])
6.9
>>> print(c.as_json()['baseSeverity'])
Medium
>>> print(c.severity)
Medium
Hi,
Will you be updating to support 3.1? The changes to scoring look minimal.
https://www.first.org/cvss/user-guide#CVSS-Version-3-1-Release
In [1]: from cvss import CVSS3
In [2]: from cvss.exceptions import CVSS3MalformedError
In [3]: vector = 'CVSS:3.0//AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L'
In [4]: try:
...: cvss = CVSS3(vector)
...: except CVSS3MalformedError as e:
...: print(e)
...:
Malformed CVSS3 field ""
The vector is missing the AV value but the error message is not very helpful in this case since it shows an empty string. Perhaps default to showing the whole string in case of an empty string.
See the following output:
$ python
Python 3.10.9 (main, Dec 7 2022, 01:12:00) [GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import cvss
>>> c = cvss.CVSS3("CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H")
>>> c.base_score
Decimal('9.0')
>>> c.environmental_score
Decimal('9.1')
The given vector contains no environmental entries, yet the score still differs.
This matches the behaviour of the CVSS calculator by first.org, however, it is still incorrect.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator calculates it correctly.
Should be easy for a beginner to update this parse_cvss_from_text method in the cvss/parser.py file for CVSSv4 support.
Assuming the CVSS4 class methods are keeping parity with the previous versions (I've not checked this).
Note: I don't need this change, I just thought it would be worth highlighting for someone to get an easy W
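As an added example (not the library's parse_cvss_from_text, whose code is not on this page, and not code from the reporter), here is a free-text extractor that recognises v2, v3.x and v4.0 vector strings. The regexes and the function name are this example's own; the v4.0 prefix, the metric abbreviations and the word-valued U metric follow the CVSS v4.0 specification, and the sample text is constructed for the demo.

```python
"""Added example, not the library's cvss/parser.py: pull CVSS v2, v3.x and
v4.0 vector strings out of free text (advisory, ticket, commit message).
The regexes and function names are this example's own; the metric names
and value sets come from the CVSS specifications."""
import re

# v2 vectors carry no prefix, so anchor on the six mandatory Base metrics in
# spec order and allow trailing Temporal/Environmental metrics, whose values
# are up to three letters (E:POC, RL:OF, CDP:LM).  The look-behind stops a
# match from starting in the middle of a longer token.
CVSS2_RE = re.compile(
    r"(?<![A-Za-z0-9:/])AV:[NAL]/AC:[LMH]/Au:[NSM]/C:[NPC]/I:[NPC]/A:[NPC]"
    r"(?:/[A-Za-z]{1,3}:[A-Z]{1,3})*"
)
# v3.0 / v3.1: mandatory prefix, one-letter metric values.
CVSS3_RE = re.compile(r"CVSS:3\.[01](?:/[A-Z]{1,3}:[A-Z])+")
# v4.0: mandatory prefix; some values are words (U:Clear, U:Green, U:Amber).
CVSS4_RE = re.compile(r"CVSS:4\.0(?:/[A-Z]{1,3}:[A-Za-z]+)+")


def find_cvss_vectors(text):
    """Return [(version, vector), ...] in order of appearance in `text`."""
    hits = []
    for pattern in (CVSS2_RE, CVSS3_RE, CVSS4_RE):
        for m in pattern.finditer(text):
            vector = m.group(0)
            # "CVSS:3.1/..." -> "3.1"; v2 has no prefix to read it from.
            version = vector[5:8] if vector.startswith("CVSS:") else "2.0"
            hits.append((m.start(), version, vector))
    return [(version, vector) for _, version, vector in sorted(hits)]


# Constructed sample text for the demo (not taken from any real advisory).
SAMPLE = (
    "NVD link: https://nvd.nist.gov/cvss.cfm?version=2&vector="
    "(AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:U/RC:C) scored 7.7. The advisory rates "
    "it CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. Under v4 it would be "
    "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/U:Amber "
    "once the supplemental metrics are filled in."
)

if __name__ == "__main__":
    for version, vector in find_cvss_vectors(SAMPLE):
        print(version, vector)
```

The extractor only finds candidates; the strings it returns still need to go through a strict parser before scoring, because a regex this permissive will happily accept a metric value that the specification does not define.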
Hello,
I've noticed that this project seems to be dual licensed, however it is not evident from the project's LICENSE file nor from Readme.
The original code is under LGPL-3.0 license, however the new CVSSv4 is under BSD-2-Clause license.
This might have an impact when packaging this to Fedora Project.
Thank you for helping with this.
EDIT: PyPI also has incomplete information wrt license https://pypi.org/project/cvss/
I noticed there is a clean_vector function that returns the vector string from the object dictionary in correct CVSS order. Unfortunately, this only acts on the original vector string, and I am not seeing anything that acts on the modified vector string in the same way. This acts more like a reset_to_original_vector than a clean_vector
Suggestions:
Happy to code this myself if you folks have a contribution policy.
When adding a prefix to CVSS3 vector for constructor, no error is produced. Prefix is silently dropped.
>>> CVSS3('CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N')
<cvss.cvss3.CVSS3 object at 0x...>
Please also check same issue for CVSS2 and for alien prefixes.
Thanks.
It would be awesome if you could cut a release with the latest commit.
Thanks!
Hello, I help maintain homebrew/core and was looking to update a formula that depends on cvss. Normally we fetch Python package dependencies from PyPI source tarballs, but I noticed 3.0 doesn't have sources available on PyPI.
Was it omitted for any particular reason? If not, would it be possible to get an updated source release to PyPI?
Hi:
Thank you for this code!
Would you consider an alternative license such as LGPL, or something else such that this library can be used in other non-GPL FLOSS tools such as my https://github.com/nexB/scancode-toolkit which is Apache-licensed?
Thank you for your consideration. Feel free to ignore and close this if you feel strongly about the GPL.
According to the CVSS spec, one of the things that changed from CVSS v2 to v3 is the format of the vector string (6. Vector String):
https://www.first.org/cvss/specification-document
The vector string now expects a prefix in the format CVSS: followed by the CVSS version and separated from the metrics with /.
The CVSS library accepts a CVSS v3 vector string without this prefix (the examples in the readme also encourage this). This is likely a bug, not a feature - the version prefix has its purpose and a loose implementation of the specification can have pitfalls down the road. For example, if the CVSS v3.1 spec is out and it contains changes in the equations of how the score is calculated, then
from cvss import CVSS3
vector = 'S:C/C:H/I:H/A:N/AV:P/AC:H/PR:H/UI:R/E:H/RL:O/RC:R/CR:H/IR:X/AR:X/MAC:H/MPR:X/MUI:X/MC:L/MA:X'
c = CVSS3(vector)
print(c.scores())
how would the library know whether v3.0 or v3.1 equations should be used? Would the cvss lib have to break its API and implement another class, different for each version (i.e. c = CVSS3_1(vector)), in order to allow vectors without a version prefix?
Please fix the cvss lib to refuse malformed CVSS v3 vectors without a version prefix.
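An added example (not the library's parse_vector, and not code from any of the reporters) of what a strict v3 vector parser that enforces the 'CVSS:3.x/' prefix rule can look like. It addresses the parsing complaints collected in this thread together: the mandatory prefix, so a bare vector (which is what ask_interactively returns) or an unknown prefix is rejected rather than silently accepted; an empty field such as the '//' in 'CVSS:3.0//AC:H/...' reported together with the full vector instead of as a bare empty string; and the mandatory-metric check run before any dictionary lookup, so a vector without 'S' raises the dedicated error rather than a KeyError. Cvss3VectorError, parse_cvss3_vector and error_kind are this example's own names; the allowed metric values are the ones listed in the CVSS v3.x specification.

```python
"""Added example (not the cvss library's code): a strict CVSS v3.x vector
parser.  Rules, in the order they are applied:
  1. the 'CVSS:3.0' / 'CVSS:3.1' prefix is mandatory; bare or alien prefixes
     ('AV:N/...', 'CVSS:9.9/...') are rejected, never silently dropped;
  2. every 'NAME:VALUE' field must be well formed and use a known metric and
     a value the specification defines; an empty field is reported with the
     whole vector so the message is never just '""';
  3. all eight Base metrics must be present, checked *before* any code indexes
     metrics["S"], so a missing metric raises the dedicated error, not KeyError.
Names (Cvss3VectorError, parse_cvss3_vector, error_kind) are this example's own."""
import re

PREFIX_RE = re.compile(r"^CVSS:3\.([01])$")
FIELD_RE = re.compile(r"^([A-Z]{1,3}):([A-Z])$")

# Allowed values per metric, CVSS v3.x specification; 'X' = Not Defined.
BASE = {
    "AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR", "S": "UC",
    "C": "HLN", "I": "HLN", "A": "HLN",
}
TEMPORAL = {"E": "XHFPU", "RL": "XUWTO", "RC": "XCRU"}
ENVIRONMENTAL = {
    "CR": "XHML", "IR": "XHML", "AR": "XHML",
    "MAV": "XNALP", "MAC": "XLH", "MPR": "XNLH", "MUI": "XNR", "MS": "XUC",
    "MC": "XHLN", "MI": "XHLN", "MA": "XHLN",
}
ALLOWED = {**BASE, **TEMPORAL, **ENVIRONMENTAL}


class Cvss3VectorError(ValueError):
    """One error type; `kind` is 'prefix', 'malformed' or 'mandatory'."""

    def __init__(self, kind, detail, vector):
        super().__init__(f"{kind}: {detail} in vector {vector!r}")
        self.kind, self.detail, self.vector = kind, detail, vector


def parse_cvss3_vector(vector):
    """Return (minor_version, {metric: value}) or raise Cvss3VectorError."""
    prefix, sep, body = vector.partition("/")
    pm = PREFIX_RE.match(prefix)
    if not pm or not sep:
        raise Cvss3VectorError("prefix", "missing or unsupported 'CVSS:3.x' prefix", vector)
    minor = int(pm.group(1))

    metrics = {}
    for field in body.split("/"):
        fm = FIELD_RE.match(field)
        if not fm:
            # Report the offending field *and* the full vector: "" alone is useless.
            raise Cvss3VectorError("malformed", f"field {field!r}", vector)
        name, value = fm.groups()
        if name not in ALLOWED:
            raise Cvss3VectorError("malformed", f"unknown metric {name!r}", vector)
        if value not in ALLOWED[name]:
            raise Cvss3VectorError("malformed", f"value {value!r} not valid for {name}", vector)
        if name in metrics:
            raise Cvss3VectorError("malformed", f"metric {name!r} given twice", vector)
        metrics[name] = value

    # Mandatory check runs before anything looks up metrics["S"] or friends.
    missing = [name for name in BASE if name not in metrics]
    if missing:
        raise Cvss3VectorError("mandatory", "missing " + ", ".join(missing), vector)
    return minor, metrics


def error_kind(vector):
    """The rule a vector fails ('prefix' / 'malformed' / 'mandatory'), or None."""
    try:
        parse_cvss3_vector(vector)
    except Cvss3VectorError as exc:
        return exc.kind
    return None


if __name__ == "__main__":
    for v in ("CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:H",
              "CVSS:3.0//AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L",
              "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H"):
        print(v, "->", error_kind(v) or "ok")
```

The order of the checks is the point: prefix first, so the version that selects the equations is known before any metric is interpreted; field syntax and value sets second; presence of the mandatory metrics last, and only then does scoring code get to index the dictionary. The metric order in the vector is not enforced, which keeps the parser compatible with vectors such as the one quoted above once it carries a prefix.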
CVSS v4 is around the corner according to: https://www.first.org/cvss/v4-0/cvss-v40-presentation.pdf#page=34
This issue tracks all the necessary work to add v4 support to this library.
Jira issue: SECDATA-77