aboutsummaryrefslogtreecommitdiff
path: root/cvss
diff options
context:
space:
mode:
authorPaul Duncan <pabs@pablotron.org>2022-02-07 07:58:11 -0500
committerPaul Duncan <pabs@pablotron.org>2022-02-07 07:58:11 -0500
commita4a14b1eb70ebdaf75c58e080b1e43c33536504c (patch)
tree91af497ec98e05952278c7baf3a0995636790e06 /cvss
parent336b2474298dda59807ff19aac184d0b1b69a611 (diff)
downloadcvez-a4a14b1eb70ebdaf75c58e080b1e43c33536504c.tar.bz2
cvez-a4a14b1eb70ebdaf75c58e080b1e43c33536504c.zip
cvss/v2scores.go: add newV2ScoresFromFloats(), fix temporal score and env score equations
Diffstat (limited to 'cvss')
-rw-r--r--cvss/v2scores.go80
1 files changed, 46 insertions, 34 deletions
diff --git a/cvss/v2scores.go b/cvss/v2scores.go
index c4643d4..3dec4a3 100644
--- a/cvss/v2scores.go
+++ b/cvss/v2scores.go
@@ -11,6 +11,34 @@ type v2Scores struct {
env v2Score // environmental score
}
+// Create new CVSS v2Scores from floats.
+func newV2ScoresFromFloats(base, temporal, env float64) (v2Scores, error) {
+ // convert base score from float to v2score
+ baseScore, err := newV2Score(base)
+ if err != nil {
+ return v2Scores{}, err
+ }
+
+ // convert temporal score from float to v2score
+ tempScore, err := newV2Score(temporal)
+ if err != nil {
+ return v2Scores{}, err
+ }
+
+ // convert env score from float to v2score
+ envScore, err := newV2Score(env)
+ if err != nil {
+ return v2Scores{}, err
+ }
+
+ // return success
+ return v2Scores {
+ base: baseScore,
+ temporal: tempScore,
+ env: envScore,
+ }, nil
+}
+
// Create new v2 scores from v2 vector.
func newV2Scores(v v2Vector) (v2Scores, error) {
// CVSS v2 (https://www.first.org/cvss/v2/guide 3.2.1)
@@ -190,13 +218,13 @@ func newV2Scores(v v2Vector) (v2Scores, error) {
//
// TemporalScore = round_to_1_decimal(BaseScore*Exploitability
// *RemediationLevel*ReportConfidence)
- temporalScore := 0.0
+ tempScore := 0.0
{
- temporalScore = baseScore * exploitability * remediationLevel * reportConfidence
- temporalScore = math.Round(10.0 * temporalScore) / 10.0
+ tempScore = baseScore * exploitability * remediationLevel * reportConfidence
+ tempScore = math.Round(10.0 * tempScore) / 10.0
}
- // calculate environmental score (3.2.4 Environmental Equation)
+ // calculate environmental score (3.2.3 Environmental Equation)
//
// AdjustedImpact = min(10,10.41*(1-(1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq)
// *(1-AvailImpact*AvailReq)))
@@ -209,45 +237,29 @@ func newV2Scores(v v2Vector) (v2Scores, error) {
//
envScore := 0.0
{
- impact := 10.41 * (1 - (1 - confImpact) * (1 - integImpact) * (1 - availImpact))
+ // calc adjusted impact
adjImpact := math.Min(
10.0,
10.41 * (1 - (1 - confImpact * confReq) * (1 - integImpact * integReq) * (1 - availImpact * availReq)),
)
+ fImpact := 0.0
+ if adjImpact > 0.0 {
+ fImpact = 1.176
+ }
+ // calculate environmental base score using adjusted impact
baseExpl := 20 * accessVector * accessComplexity * auth
- envBaseScore := ((0.6 * impact + 0.4 * baseExpl) - 1.5) * adjImpact
- envBaseScore = 10.0 * math.Round(envBaseScore) / 10.0
+ envBaseScore := ((0.6 * adjImpact + 0.4 * baseExpl) - 1.5) * fImpact
+ envBaseScore = math.Round(10.0 * envBaseScore) / 10.0
- adjTemporalScore := envBaseScore * exploitability * remediationLevel * reportConfidence
- adjTemporalScore = 10.0 * math.Round(adjTemporalScore) / 10.0
+ // calculate adjusted temporal score
+ adjTempScore := envBaseScore * exploitability * remediationLevel * reportConfidence
+ adjTempScore = math.Round(10.0 * adjTempScore) / 10.0
- envScore = adjTemporalScore + (10 - adjTemporalScore) * cdp * td
+ envScore = (adjTempScore + (10 - adjTempScore) * cdp) * td
envScore = math.Round(10.0 * envScore) / 10.0
}
- // convert base score from float to v2score
- rBaseScore, err := newV2Score(baseScore)
- if err != nil {
- return v2Scores{}, err
- }
-
- // convert temporal score from float to v2score
- rTemporalScore, err := newV2Score(temporalScore)
- if err != nil {
- return v2Scores{}, err
- }
-
- // convert env score from float to v2score
- rEnvScore, err := newV2Score(envScore)
- if err != nil {
- return v2Scores{}, err
- }
-
- // return success
- return v2Scores {
- base: rBaseScore,
- temporal: rTemporalScore,
- env: rEnvScore,
- }, nil
+ // build and return result
+ return newV2ScoresFromFloats(baseScore, tempScore, envScore)
}