aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Duncan <pabs@pablotron.org>2022-02-07 19:47:10 -0500
committerPaul Duncan <pabs@pablotron.org>2022-02-07 19:47:10 -0500
commit093cc60affd28717f762da672fc6ee8b48d67372 (patch)
treef2f0e660180e251bb68620410f1ab7b4ecddba90
parentf34d8eb8d5de5fe22e13c6dd81b4949c5379522c (diff)
downloadcvez-093cc60affd28717f762da672fc6ee8b48d67372.tar.bz2
cvez-093cc60affd28717f762da672fc6ee8b48d67372.zip
cvss/v31vector.go: fix temporal score, add temporal score tests
-rw-r--r--cvss/v31vector.go31
-rw-r--r--cvss/v31vector_test.go102
2 files changed, 127 insertions, 6 deletions
diff --git a/cvss/v31vector.go b/cvss/v31vector.go
index a9d5205..b191ce0 100644
--- a/cvss/v31vector.go
+++ b/cvss/v31vector.go
@@ -119,6 +119,18 @@ func isV31VectorString(s string) bool {
v31VecRe.MatchString(s)
}
+// Does the map have at least one of the keys needed for a temporal
+// score defined?
+func hasTemporalScoreKeys(keys map[Key]v3Metric) bool {
+ ecm, ecm_ok := keys[v3ExploitCodeMaturity] // E
+ rl, rl_ok := keys[v3RemediationLevel] // RL
+ rc, rc_ok := keys[v3ReportConfidence] // RC
+
+ return (ecm_ok && ecm != v3ENotDefined) ||
+ (rl_ok && rl != v3RLNotDefined) ||
+ (rc_ok && rc != v3RCNotDefined)
+}
+
// roundup implemention (from CVSS v3.1 spec, appendix A)
func roundup(val float64) float64 {
return math.Ceil(10.0 * val) / 10.0
@@ -343,8 +355,18 @@ func (v v31Vector) Scores() (Scores, error) {
// calculate impact
impact := 0.0
if scopeChanged {
- // impact = 7.52 * (iss - 0.029) - 3.25 * math.Pow(iss - 0.02, 15)
- impact = 6.42 * iss
+ impact = 7.52 * (iss - 0.029) - 3.25 * math.Pow(iss - 0.02, 15)
+
+ // adjust privileges required based on scopeChanged
+ // (CVSS v3.1 spec, section 7.4, table 16)
+ if pr, ok := keys[v3PrivilegesRequired]; ok {
+ switch pr {
+ case v3PRLow: // PR:L
+ privsRequired = 0.68
+ case v3PRHigh: // PR:H
+ privsRequired = 0.50
+ }
+ }
} else {
impact = 6.42 * iss
}
@@ -362,7 +384,10 @@ func (v v31Vector) Scores() (Scores, error) {
}
// temporal score (CVSS v3.1 spec, section 7.2)
- tempScore := roundup(baseScore * ecm * remediationLevel * reportConfidence)
+ tempScore := 0.0
+ if hasTemporalScoreKeys(keys) {
+ tempScore = roundup(baseScore * ecm * remediationLevel * reportConfidence)
+ }
// environmental score (CVSS v3.1 spec, section 7.3)
//
diff --git a/cvss/v31vector_test.go b/cvss/v31vector_test.go
index 86fb8eb..519b18a 100644
--- a/cvss/v31vector_test.go
+++ b/cvss/v31vector_test.go
@@ -573,15 +573,111 @@ func TestV31VectorScores(t *testing.T) {
}, {
name: "initial I:H",
val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
- exp: []float64 { 9.8, 9.8, 0.0 },
+ exp: []float64 { 9.8, 0.0, 0.0 },
}, {
name: "initial A:L",
val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
- exp: []float64 { 5.3, 5.3, 0.0 },
+ exp: []float64 { 5.3, 0.0, 0.0 },
}, {
name: "AV:A",
val: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
- exp: []float64 { 6.3, 6.3, 0.0 },
+ exp: []float64 { 6.3, 0.0, 0.0 },
+ }, {
+ name: "AV:L",
+ val: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ exp: []float64 { 5.9, 0.0, 0.0 },
+ }, {
+ name: "AV:P",
+ val: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ exp: []float64 { 4.3, 0.0, 0.0 },
+ }, {
+ name: "AC:H",
+ val: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
+ exp: []float64 { 5.6, 0.0, 0.0 },
+ }, {
+ name: "PR:L",
+ val: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
+ exp: []float64 { 6.3, 0.0, 0.0 },
+ }, {
+ name: "PR:H",
+ val: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
+ exp: []float64 { 4.7, 0.0, 0.0 },
+ }, {
+ name: "UI:R",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
+ exp: []float64 { 6.3, 0.0, 0.0 },
+ }, {
+ name: "S:C",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
+ exp: []float64 { 8.3, 0.0, 0.0 },
+ }, {
+ name: "C:N",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
+ exp: []float64 { 6.5, 0.0, 0.0 },
+ }, {
+ name: "C:H",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
+ exp: []float64 { 8.6, 0.0, 0.0 },
+ }, {
+ name: "I:N",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
+ exp: []float64 { 6.5, 0.0, 0.0 },
+ }, {
+ name: "I:H",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
+ exp: []float64 { 8.6, 0.0, 0.0 },
+ }, {
+ name: "A:N",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
+ exp: []float64 { 6.5, 0.0, 0.0 },
+ }, {
+ name: "A:H",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
+ exp: []float64 { 8.6, 0.0, 0.0 },
+ }, {
+ name: "E:U",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U",
+ exp: []float64 { 7.3, 6.7, 0.0 },
+ }, {
+ name: "E:P",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P",
+ exp: []float64 { 7.3, 6.9, 0.0 },
+ }, {
+ name: "E:F",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F",
+ exp: []float64 { 7.3, 7.1, 0.0 },
+ }, {
+ name: "E:H",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:H",
+ exp: []float64 { 7.3, 7.3, 0.0 },
+ }, {
+ name: "RL:O",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RL:O",
+ exp: []float64 { 7.3, 7.0, 0.0 },
+ }, {
+ name: "RL:T",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RL:T",
+ exp: []float64 { 7.3, 7.1, 0.0 },
+ }, {
+ name: "RL:W",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RL:W",
+ exp: []float64 { 7.3, 7.1, 0.0 },
+ }, {
+ name: "RL:U",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RL:U",
+ exp: []float64 { 7.3, 7.3, 0.0 },
+ }, {
+ name: "RC:U",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RC:U",
+ exp: []float64 { 7.3, 6.8, 0.0 },
+ }, {
+ name: "RC:R",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RC:R",
+ exp: []float64 { 7.3, 7.1, 0.0 },
+ }, {
+ name: "RC:C",
+ val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RC:C",
+ exp: []float64 { 7.3, 7.3, 0.0 },
}}
for _, test := range(tests) {