From 093cc60affd28717f762da672fc6ee8b48d67372 Mon Sep 17 00:00:00 2001 From: Paul Duncan Date: Mon, 7 Feb 2022 19:47:10 -0500 Subject: cvss/v31vector.go: fix temporal score, add temporal score tests --- cvss/v31vector.go | 31 +++++++++++++-- cvss/v31vector_test.go | 102 +++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 127 insertions(+), 6 deletions(-) diff --git a/cvss/v31vector.go b/cvss/v31vector.go index a9d5205..b191ce0 100644 --- a/cvss/v31vector.go +++ b/cvss/v31vector.go @@ -119,6 +119,18 @@ func isV31VectorString(s string) bool { v31VecRe.MatchString(s) } +// Does the map have at least one of the keys needed for a temporal +// score defined? +func hasTemporalScoreKeys(keys map[Key]v3Metric) bool { + ecm, ecm_ok := keys[v3ExploitCodeMaturity] // E + rl, rl_ok := keys[v3RemediationLevel] // RL + rc, rc_ok := keys[v3ReportConfidence] // RC + + return (ecm_ok && ecm != v3ENotDefined) || + (rl_ok && rl != v3RLNotDefined) || + (rc_ok && rc != v3RCNotDefined) +} + // roundup implemention (from CVSS v3.1 spec, appendix A) func roundup(val float64) float64 { return math.Ceil(10.0 * val) / 10.0 @@ -343,8 +355,18 @@ func (v v31Vector) Scores() (Scores, error) { // calculate impact impact := 0.0 if scopeChanged { - // impact = 7.52 * (iss - 0.029) - 3.25 * math.Pow(iss - 0.02, 15) - impact = 6.42 * iss + impact = 7.52 * (iss - 0.029) - 3.25 * math.Pow(iss - 0.02, 15) + + // adjust privileges required based on scopeChanged + // (CVSS v3.1 spec, section 7.4, table 16) + if pr, ok := keys[v3PrivilegesRequired]; ok { + switch pr { + case v3PRLow: // PR:L + privsRequired = 0.68 + case v3PRHigh: // PR:H + privsRequired = 0.50 + } + } } else { impact = 6.42 * iss } @@ -362,7 +384,10 @@ func (v v31Vector) Scores() (Scores, error) { } // temporal score (CVSS v3.1 spec, section 7.2) - tempScore := roundup(baseScore * ecm * remediationLevel * reportConfidence) + tempScore := 0.0 + if hasTemporalScoreKeys(keys) { + tempScore = roundup(baseScore * ecm * remediationLevel * reportConfidence) + } // environmental score (CVSS v3.1 spec, section 7.3) // diff --git a/cvss/v31vector_test.go b/cvss/v31vector_test.go index 86fb8eb..519b18a 100644 --- a/cvss/v31vector_test.go +++ b/cvss/v31vector_test.go @@ -573,15 +573,111 @@ func TestV31VectorScores(t *testing.T) { }, { name: "initial I:H", val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - exp: []float64 { 9.8, 9.8, 0.0 }, + exp: []float64 { 9.8, 0.0, 0.0 }, }, { name: "initial A:L", val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - exp: []float64 { 5.3, 5.3, 0.0 }, + exp: []float64 { 5.3, 0.0, 0.0 }, }, { name: "AV:A", val: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - exp: []float64 { 6.3, 6.3, 0.0 }, + exp: []float64 { 6.3, 0.0, 0.0 }, + }, { + name: "AV:L", + val: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + exp: []float64 { 5.9, 0.0, 0.0 }, + }, { + name: "AV:P", + val: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + exp: []float64 { 4.3, 0.0, 0.0 }, + }, { + name: "AC:H", + val: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + exp: []float64 { 5.6, 0.0, 0.0 }, + }, { + name: "PR:L", + val: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + exp: []float64 { 6.3, 0.0, 0.0 }, + }, { + name: "PR:H", + val: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", + exp: []float64 { 4.7, 0.0, 0.0 }, + }, { + name: "UI:R", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", + exp: []float64 { 6.3, 0.0, 0.0 }, + }, { + name: "S:C", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", + exp: []float64 { 8.3, 0.0, 0.0 }, + }, { + name: "C:N", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + exp: []float64 { 6.5, 0.0, 0.0 }, + }, { + name: "C:H", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", + exp: []float64 { 8.6, 0.0, 0.0 }, + }, { + name: "I:N", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", + exp: []float64 { 6.5, 0.0, 0.0 }, + }, { + name: "I:H", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", + exp: []float64 { 8.6, 0.0, 0.0 }, + }, { + name: "A:N", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + exp: []float64 { 6.5, 0.0, 0.0 }, + }, { + name: "A:H", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", + exp: []float64 { 8.6, 0.0, 0.0 }, + }, { + name: "E:U", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U", + exp: []float64 { 7.3, 6.7, 0.0 }, + }, { + name: "E:P", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P", + exp: []float64 { 7.3, 6.9, 0.0 }, + }, { + name: "E:F", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F", + exp: []float64 { 7.3, 7.1, 0.0 }, + }, { + name: "E:H", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:H", + exp: []float64 { 7.3, 7.3, 0.0 }, + }, { + name: "RL:O", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RL:O", + exp: []float64 { 7.3, 7.0, 0.0 }, + }, { + name: "RL:T", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RL:T", + exp: []float64 { 7.3, 7.1, 0.0 }, + }, { + name: "RL:W", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RL:W", + exp: []float64 { 7.3, 7.1, 0.0 }, + }, { + name: "RL:U", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RL:U", + exp: []float64 { 7.3, 7.3, 0.0 }, + }, { + name: "RC:U", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RC:U", + exp: []float64 { 7.3, 6.8, 0.0 }, + }, { + name: "RC:R", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RC:R", + exp: []float64 { 7.3, 7.1, 0.0 }, + }, { + name: "RC:C", + val: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/RC:C", + exp: []float64 { 7.3, 7.3, 0.0 }, }} for _, test := range(tests) { -- cgit v1.2.3