From a4a14b1eb70ebdaf75c58e080b1e43c33536504c Mon Sep 17 00:00:00 2001
From: Paul Duncan
Date: Mon, 7 Feb 2022 07:58:11 -0500
Subject: cvss/v2scores.go: add newV2ScoresFromFloats(), fix temporal score and env score equations
---
 cvss/v2scores.go | 80 ++++++++++++++++++++++++++++++++------------------------
 1 file changed, 46 insertions(+), 34 deletions(-)
(limited to 'cvss')
diff --git a/cvss/v2scores.go b/cvss/v2scores.go
index c4643d4..3dec4a3 100644
--- a/cvss/v2scores.go
+++ b/cvss/v2scores.go
@@ -11,6 +11,34 @@ type v2Scores struct {
 env v2Score // environmental score
 }
 
+// Create new CVSS v2Scores from floats.
+func newV2ScoresFromFloats(base, temporal, env float64) (v2Scores, error) {
+ // convert base score from float to v2score
+ baseScore, err := newV2Score(base)
+ if err != nil {
+ return v2Scores{}, err
+ }
+
+ // convert temporal score from float to v2score
+ tempScore, err := newV2Score(temporal)
+ if err != nil {
+ return v2Scores{}, err
+ }
+
+ // convert env score from float to v2score
+ envScore, err := newV2Score(env)
+ if err != nil {
+ return v2Scores{}, err
+ }
+
+ // return success
+ return v2Scores {
+ base: baseScore,
+ temporal: tempScore,
+ env: envScore,
+ }, nil
+}
+
 // Create new v2 scores from v2 vector.
 func newV2Scores(v v2Vector) (v2Scores, error) {
 // CVSS v2 (https://www.first.org/cvss/v2/guide 3.2.1)
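Review bot: newV2ScoresFromFloats passes each newV2Score error back unchanged, so a caller of newV2Scores cannot tell whether the base, temporal or environmental value was the one rejected; wrapping each return with the score name, e.g. `return v2Scores{}, fmt.Errorf("temporal score: %w", err)`, would keep the error actionable without changing the interface (this assumes fmt is imported, which the hunk does not show). The doc comment also does not start with the function name as Go tooling expects; `// newV2ScoresFromFloats builds a v2Scores from already-computed base, temporal and environmental scores.` would match convention, though the file's existing comments use the same imperative style so this is consistency rather than a defect. As a point of style, gofmt would write `return v2Scores{` rather than `return v2Scores {`.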
@@ -190,13 +218,13 @@ func newV2Scores(v v2Vector) (v2Scores, error) {
 //
 // TemporalScore = round_to_1_decimal(BaseScore*Exploitability
 // *RemediationLevel*ReportConfidence)
- temporalScore := 0.0
+ tempScore := 0.0
 {
- temporalScore = baseScore * exploitability * remediationLevel * reportConfidence
- temporalScore = math.Round(10.0 * temporalScore) / 10.0
+ tempScore = baseScore * exploitability * remediationLevel * reportConfidence
+ tempScore = math.Round(10.0 * tempScore) / 10.0
 }
 
- // calculate environmental score (3.2.4 Environmental Equation)
+ // calculate environmental score (3.2.3 Environmental Equation)
 //
 // AdjustedImpact = min(10,10.41*(1-(1-ConfImpact*ConfReq)*(1-IntegImpact*IntegReq)
 // *(1-AvailImpact*AvailReq)))
@@ -209,45 +237,29 @@ func newV2Scores(v v2Vector) (v2Scores, error) {
 //
 envScore := 0.0
 {
- impact := 10.41 * (1 - (1 - confImpact) * (1 - integImpact) * (1 - availImpact))
+ // calc adjusted impact
 adjImpact := math.Min(
 10.0,
 10.41 * (1 - (1 - confImpact * confReq) * (1 - integImpact * integReq) * (1 - availImpact * availReq)),
 )
+ fImpact := 0.0
+ if adjImpact > 0.0 {
+ fImpact = 1.176
+ }
 
+ // calculate environmental base score using adjusted impact
 baseExpl := 20 * accessVector * accessComplexity * auth
- envBaseScore := ((0.6 * impact + 0.4 * baseExpl) - 1.5) * adjImpact
- envBaseScore = 10.0 * math.Round(envBaseScore) / 10.0
+ envBaseScore := ((0.6 * adjImpact + 0.4 * baseExpl) - 1.5) * fImpact
+ envBaseScore = math.Round(10.0 * envBaseScore) / 10.0
 
- adjTemporalScore := envBaseScore * exploitability * remediationLevel * reportConfidence
- adjTemporalScore = 10.0 * math.Round(adjTemporalScore) / 10.0
+ // calculate adjusted temporal score
+ adjTempScore := envBaseScore * exploitability * remediationLevel * reportConfidence
+ adjTempScore = math.Round(10.0 * adjTempScore) / 10.0
 
- envScore = adjTemporalScore + (10 - adjTemporalScore) * cdp * td
+ envScore = (adjTempScore + (10 - adjTempScore) * cdp) * td
 envScore = math.Round(10.0 * envScore) / 10.0
 }
 
- // convert base score from float to v2score
- rBaseScore, err := newV2Score(baseScore)
- if err != nil {
- return v2Scores{}, err
- }
-
- // convert temporal score from float to v2score
- rTemporalScore, err := newV2Score(temporalScore)
- if err != nil {
- return v2Scores{}, err
- }
-
- // convert env score from float to v2score
- rEnvScore, err := newV2Score(envScore)
- if err != nil {
- return v2Scores{}, err
- }
-
- // return success
- return v2Scores {
- base: rBaseScore,
- temporal: rTemporalScore,
- env: rEnvScore,
- }, nil
+ // build and return result
+ return newV2ScoresFromFloats(baseScore, tempScore, envScore)
 }
-- 
cgit v1.2.3
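Review bot: The new `fImpact` block hard-codes the f(Impact) step of the CVSS v2 base equation (1.176 when the impact is non-zero, otherwise 0) inline with no comment tying it to the spec, and the base-score path earlier in newV2Scores, which is outside this hunk, presumably carries the same branch and the same constant. Pulling it into one small helper keeps the constant in a single place, lets the environmental path read like section 3.2.3 ("temporal recomputed with AdjustedImpact"), and makes the zero-impact case explicit; if a helper is not wanted, at minimum the block deserves `// f(AdjustedImpact) from the base equation (3.2.1): 0 when impact is 0, else 1.176`. The rest of the hunk now matches the published equations (AdjustedImpact, rounding via math.Round(10*x)/10, and TargetDistribution applied to the whole sum), so this is a maintainability point rather than a scoring defect.
```go
// v2ImpactFactor returns f(Impact) from the CVSS v2 base equation (3.2.1):
// 0 when the impact sub-score is 0, 1.176 otherwise.
func v2ImpactFactor(impact float64) float64 {
	if impact > 0.0 {
		return 1.176
	}
	return 0.0
}

// … unchanged: adjImpact computation …
fImpact := v2ImpactFactor(adjImpact)
// … unchanged: environmental base, adjusted temporal and environmental score …
```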