From 02469f18e832eb0a641cc1a5095726b66f56a479 Mon Sep 17 00:00:00 2001 From: Paul Duncan Date: Mon, 31 Jan 2022 13:59:15 -0500 Subject: internal/cvss/cvss.go: hide internals --- internal/cvss/cvss.go | 1404 ++++++++++++++++++++++++++----------------------- 1 file changed, 741 insertions(+), 663 deletions(-) (limited to 'internal/cvss/cvss.go') diff --git a/internal/cvss/cvss.go b/internal/cvss/cvss.go index e50f718..f260ce2 100644 --- a/internal/cvss/cvss.go +++ b/internal/cvss/cvss.go @@ -7,11 +7,11 @@ import ( ) //go:generate stringer -linecomment -type=Version -//go:generate stringer -linecomment -type=MetricCategory -//go:generate stringer -linecomment -type=V2MetricKey -//go:generate stringer -linecomment -type=V2Metric -//go:generate stringer -linecomment -type=V3MetricKey -//go:generate stringer -linecomment -type=V3Metric +//go:generate stringer -linecomment -type=Category +//go:generate stringer -linecomment -type=v2MetricKey +//go:generate stringer -linecomment -type=v2Metric +//go:generate stringer -linecomment -type=v3MetricKey +//go:generate stringer -linecomment -type=v3Metric // CVSS version type Version byte 
@@ -23,330 +23,340 @@ const ( ) // CVSS metric category. -type MetricCategory byte +type Category byte const ( - Base MetricCategory = iota // Base + Base Category = iota // Base Temporal // Temporal Environmental // Environmental ) -// CVSS metric key -type V2MetricKey byte +// CVSS metric key. +type v2MetricKey byte const ( - V2AccessVector V2MetricKey = iota // AV - V2AccessComplexity // AC - V2Authentication // Au - V2ConfidentialityImpact // C - V2IntegrityImpact // I - V2AvailabilityImpact // A - V2Exploitability // E - V2RemediationLevel // RL - V2ReportConfidence // RC - V2CollateralDamagePotential // CDP - V2TargetDistribution // TD - V2ConfidentialityRequirement // CR - V2IntegrityRequirement // IR - V2AvailabilityRequirement // AR + v2AccessVector v2MetricKey = iota // AV + v2AccessComplexity // AC + v2Authentication // Au + v2ConfidentialityImpact // C + v2IntegrityImpact // I + v2AvailabilityImpact // A + v2Exploitability // E + v2RemediationLevel // RL + v2ReportConfidence // RC + v2CollateralDamagePotential // CDP + v2TargetDistribution // TD + v2ConfidentialityRequirement // CR + v2IntegrityRequirement // IR + v2AvailabilityRequirement // AR + + v2InvalidMetricKey // invalid ) // CVSS V2 metric key info lut -var v2MetricKeys = map[V2MetricKey]struct { +var v2MetricKeys = map[v2MetricKey]struct { Name string - Category MetricCategory + Category Category } { - V2AccessVector: { "Access Vector", Base }, - V2AccessComplexity: { "Access Complexity", Base }, - V2Authentication: { "Authentication", Base }, - V2ConfidentialityImpact: { "Confidentiality Impact", Base }, - V2IntegrityImpact: { "Integrity Impact", Base }, - V2AvailabilityImpact: { "Availability Impact", Base }, - V2Exploitability: { "Exploitability", Temporal }, - V2RemediationLevel: { "Remediation Level", Temporal }, - V2ReportConfidence: { "Report Confidence", Temporal }, - V2CollateralDamagePotential: { "Collateral Damage Potential", Environmental }, - V2TargetDistribution: { "Target 
Distribution", Environmental }, - V2ConfidentialityRequirement: { "Confidentiality Requirement", Environmental }, - V2IntegrityRequirement: { "Integrity Requirement", Environmental }, - V2AvailabilityRequirement: { "Availability Requirement", Environmental }, + v2AccessVector: { "Access Vector", Base }, + v2AccessComplexity: { "Access Complexity", Base }, + v2Authentication: { "Authentication", Base }, + v2ConfidentialityImpact: { "Confidentiality Impact", Base }, + v2IntegrityImpact: { "Integrity Impact", Base }, + v2AvailabilityImpact: { "Availability Impact", Base }, + v2Exploitability: { "Exploitability", Temporal }, + v2RemediationLevel: { "Remediation Level", Temporal }, + v2ReportConfidence: { "Report Confidence", Temporal }, + v2CollateralDamagePotential: { "Collateral Damage Potential", Environmental }, + v2TargetDistribution: { "Target Distribution", Environmental }, + v2ConfidentialityRequirement: { "Confidentiality Requirement", Environmental }, + v2IntegrityRequirement: { "Integrity Requirement", Environmental }, + v2AvailabilityRequirement: { "Availability Requirement", Environmental }, } // v2 metric key IDs lut -var v2MetricKeyIds = map[string]V2MetricKey { - "AV": V2AccessVector, - "AC": V2AccessComplexity, - "Au": V2Authentication, - "C": V2ConfidentialityImpact, - "I": V2IntegrityImpact, - "A": V2AvailabilityImpact, - "E": V2Exploitability, - "RL": V2RemediationLevel, - "RC": V2ReportConfidence, - "CDP": V2CollateralDamagePotential, - "TD": V2TargetDistribution, - "CR": V2ConfidentialityRequirement, - "IR": V2IntegrityRequirement, - "AR": V2AvailabilityRequirement, +var v2MetricKeyIds = map[string]v2MetricKey { + "AV": v2AccessVector, + "AC": v2AccessComplexity, + "Au": v2Authentication, + "C": v2ConfidentialityImpact, + "I": v2IntegrityImpact, + "A": v2AvailabilityImpact, + "E": v2Exploitability, + "RL": v2RemediationLevel, + "RC": v2ReportConfidence, + "CDP": v2CollateralDamagePotential, + "TD": v2TargetDistribution, + "CR": 
v2ConfidentialityRequirement, + "IR": v2IntegrityRequirement, + "AR": v2AvailabilityRequirement, } // Get metric key from string. -func GetV2MetricKeyFromString(s string) (V2MetricKey, error) { +func getV2MetricKeyFromString(s string) (v2MetricKey, error) { k, ok := v2MetricKeyIds[s] if ok { return k, nil } else { - return V2AccessVector, fmt.Errorf("unknown metric key: %s", s) + return v2InvalidMetricKey, fmt.Errorf("invalid metric key: %s", s) } } // Get metric key name. -func (k V2MetricKey) Name() string { +func (k v2MetricKey) Name() string { return v2MetricKeys[k].Name } // Get metric key category. -func (k V2MetricKey) Category() MetricCategory { +func (k v2MetricKey) Category() Category { return v2MetricKeys[k].Category } // CVSS v2 metric value -type V2Metric byte +type v2Metric byte const ( - V2AVNetwork V2Metric = iota // AV:N - V2AVAdjacentNetwork // AV:A - V2AVLocal // AV:L - - V2ACLow // AC:L - V2ACMedium // AC:L - V2ACHigh // AC:H - - V2AuMultiple // Au:M - V2AuSingle // Au:S - V2AuNone // Au:N - - V2CNone // C:N - V2CPartial // C:P - V2CComplete // C:C - - V2INone // I:N - V2IPartial // I:P - V2IComplete // I:C - - V2ANone // A:N - V2APartial // A:P - V2AComplete // A:C - - V2ENotDefined // E:ND - V2EUnproven // E:U - V2EProofOfConcept // E:POC - V2EFunctional // E:F - V2EHigh // E:H - - V2RLOfficialFix // RL:OF - V2RLTemporaryFix // RL:TF - V2RLWorkaround // RL:W - V2RLUnavailable // RL:U - V2RLNotDefined // RL:ND - - V2RCUnconfirmed // RC:UC - V2RCUncorroborated // RC:UR - V2RCConfirmed // RC:C - V2RCNotDefined // RC:ND - - V2CDPNone // CDP:N - V2CDPLow // CDP:L - V2CDPLowMedium // CDP:LM - V2CDPMediumHigh // CDP:MH - V2CDPHigh // CDP:H - V2CDPNotDefined // CDP:ND - - V2TDNone // TD:N - V2TDLow // TD:L - V2TDMedium // TD:M - V2TDHigh // TD:H - V2TDNotDefined // TD:ND - - V2CRLow // CR:L - V2CRMedium // CR:M - V2CRHigh // CR:H - V2CRNotDefined // CR:ND - - V2IRLow // IR:L - V2IRMedium // IR:M - V2IRHigh // IR:H - V2IRNotDefined // IR:ND - - V2ARLow 
// AR:L - V2ARMedium // AR:M - V2ARHigh // AR:H - V2ARNotDefined // AR:ND + v2AVNetwork v2Metric = iota // AV:N + v2AVAdjacentNetwork // AV:A + v2AVLocal // AV:L + + v2ACLow // AC:L + v2ACMedium // AC:L + v2ACHigh // AC:H + + v2AuMultiple // Au:M + v2AuSingle // Au:S + v2AuNone // Au:N + + v2CNone // C:N + v2CPartial // C:P + v2CComplete // C:C + + v2INone // I:N + v2IPartial // I:P + v2IComplete // I:C + + v2ANone // A:N + v2APartial // A:P + v2AComplete // A:C + + v2ENotDefined // E:ND + v2EUnproven // E:U + v2EProofOfConcept // E:POC + v2EFunctional // E:F + v2EHigh // E:H + + v2RLOfficialFix // RL:OF + v2RLTemporaryFix // RL:TF + v2RLWorkaround // RL:W + v2RLUnavailable // RL:U + v2RLNotDefined // RL:ND + + v2RCUnconfirmed // RC:UC + v2RCUncorroborated // RC:UR + v2RCConfirmed // RC:C + v2RCNotDefined // RC:ND + + v2CDPNone // CDP:N + v2CDPLow // CDP:L + v2CDPLowMedium // CDP:LM + v2CDPMediumHigh // CDP:MH + v2CDPHigh // CDP:H + v2CDPNotDefined // CDP:ND + + v2TDNone // TD:N + v2TDLow // TD:L + v2TDMedium // TD:M + v2TDHigh // TD:H + v2TDNotDefined // TD:ND + + v2CRLow // CR:L + v2CRMedium // CR:M + v2CRHigh // CR:H + v2CRNotDefined // CR:ND + + v2IRLow // IR:L + v2IRMedium // IR:M + v2IRHigh // IR:H + v2IRNotDefined // IR:ND + + v2ARLow // AR:L + v2ARMedium // AR:M + v2ARHigh // AR:H + v2ARNotDefined // AR:ND + + v2InvalidMetric // invalid ) // map of metrics to metric keys -var v2MetricKeyLut = map[V2Metric]V2MetricKey { - V2AVNetwork: V2AccessVector, - V2AVAdjacentNetwork: V2AccessVector, - V2AVLocal: V2AccessVector, - - V2ACLow: V2AccessComplexity, - V2ACMedium: V2AccessComplexity, - V2ACHigh: V2AccessComplexity, - - V2AuMultiple: V2Authentication, - V2AuSingle: V2Authentication, - V2AuNone: V2Authentication, - - V2CNone: V2ConfidentialityImpact, - V2CPartial: V2ConfidentialityImpact, - V2CComplete: V2ConfidentialityImpact, - - V2INone: V2IntegrityImpact, - V2IPartial: V2IntegrityImpact, - V2IComplete: V2IntegrityImpact, - - V2ANone: V2AvailabilityImpact, - 
V2APartial: V2AvailabilityImpact, - V2AComplete: V2AvailabilityImpact, - - V2ENotDefined: V2Exploitability, - V2EUnproven: V2Exploitability, - V2EProofOfConcept: V2Exploitability, - V2EFunctional: V2Exploitability, - V2EHigh: V2Exploitability, - - V2RLOfficialFix: V2RemediationLevel, - V2RLTemporaryFix: V2RemediationLevel, - V2RLWorkaround: V2RemediationLevel, - V2RLUnavailable: V2RemediationLevel, - V2RLNotDefined: V2RemediationLevel, - - V2RCUnconfirmed: V2ReportConfidence, - V2RCUncorroborated: V2ReportConfidence, - V2RCConfirmed: V2ReportConfidence, - V2RCNotDefined: V2ReportConfidence, - - V2CDPNone: V2CollateralDamagePotential, - V2CDPLow: V2CollateralDamagePotential, - V2CDPLowMedium: V2CollateralDamagePotential, - V2CDPMediumHigh: V2CollateralDamagePotential, - V2CDPHigh: V2CollateralDamagePotential, - V2CDPNotDefined: V2CollateralDamagePotential, - - V2TDNone: V2TargetDistribution, - V2TDLow: V2TargetDistribution, - V2TDMedium: V2TargetDistribution, - V2TDHigh: V2TargetDistribution, - V2TDNotDefined: V2TargetDistribution, - - V2CRLow: V2ConfidentialityRequirement, - V2CRMedium: V2ConfidentialityRequirement, - V2CRHigh: V2ConfidentialityRequirement, - V2CRNotDefined: V2ConfidentialityRequirement, - - V2IRLow: V2IntegrityRequirement, - V2IRMedium: V2IntegrityRequirement, - V2IRHigh: V2IntegrityRequirement, - V2IRNotDefined: V2IntegrityRequirement, - - V2ARLow: V2AvailabilityRequirement, - V2ARMedium: V2AvailabilityRequirement, - V2ARHigh: V2AvailabilityRequirement, - V2ARNotDefined: V2AvailabilityRequirement, +var v2MetricKeyLut = map[v2Metric]v2MetricKey { + v2AVNetwork: v2AccessVector, + v2AVAdjacentNetwork: v2AccessVector, + v2AVLocal: v2AccessVector, + + v2ACLow: v2AccessComplexity, + v2ACMedium: v2AccessComplexity, + v2ACHigh: v2AccessComplexity, + + v2AuMultiple: v2Authentication, + v2AuSingle: v2Authentication, + v2AuNone: v2Authentication, + + v2CNone: v2ConfidentialityImpact, + v2CPartial: v2ConfidentialityImpact, + v2CComplete: 
v2ConfidentialityImpact, + + v2INone: v2IntegrityImpact, + v2IPartial: v2IntegrityImpact, + v2IComplete: v2IntegrityImpact, + + v2ANone: v2AvailabilityImpact, + v2APartial: v2AvailabilityImpact, + v2AComplete: v2AvailabilityImpact, + + v2ENotDefined: v2Exploitability, + v2EUnproven: v2Exploitability, + v2EProofOfConcept: v2Exploitability, + v2EFunctional: v2Exploitability, + v2EHigh: v2Exploitability, + + v2RLOfficialFix: v2RemediationLevel, + v2RLTemporaryFix: v2RemediationLevel, + v2RLWorkaround: v2RemediationLevel, + v2RLUnavailable: v2RemediationLevel, + v2RLNotDefined: v2RemediationLevel, + + v2RCUnconfirmed: v2ReportConfidence, + v2RCUncorroborated: v2ReportConfidence, + v2RCConfirmed: v2ReportConfidence, + v2RCNotDefined: v2ReportConfidence, + + v2CDPNone: v2CollateralDamagePotential, + v2CDPLow: v2CollateralDamagePotential, + v2CDPLowMedium: v2CollateralDamagePotential, + v2CDPMediumHigh: v2CollateralDamagePotential, + v2CDPHigh: v2CollateralDamagePotential, + v2CDPNotDefined: v2CollateralDamagePotential, + + v2TDNone: v2TargetDistribution, + v2TDLow: v2TargetDistribution, + v2TDMedium: v2TargetDistribution, + v2TDHigh: v2TargetDistribution, + v2TDNotDefined: v2TargetDistribution, + + v2CRLow: v2ConfidentialityRequirement, + v2CRMedium: v2ConfidentialityRequirement, + v2CRHigh: v2ConfidentialityRequirement, + v2CRNotDefined: v2ConfidentialityRequirement, + + v2IRLow: v2IntegrityRequirement, + v2IRMedium: v2IntegrityRequirement, + v2IRHigh: v2IntegrityRequirement, + v2IRNotDefined: v2IntegrityRequirement, + + v2ARLow: v2AvailabilityRequirement, + v2ARMedium: v2AvailabilityRequirement, + v2ARHigh: v2AvailabilityRequirement, + v2ARNotDefined: v2AvailabilityRequirement, } // map of metric strings to metrics -var v2MetricStrLut = map[string]V2Metric { - "AV:N": V2AVNetwork, - "AV:A": V2AVAdjacentNetwork, - "AV:L": V2AVLocal, - - "AC:L": V2ACLow, - "AC:M": V2ACMedium, - "AC:H": V2ACHigh, - - "Au:M": V2AuMultiple, - "Au:S": V2AuSingle, - "Au:N": V2AuNone, - - 
"C:N": V2CNone, - "C:P": V2CPartial, - "C:C": V2CComplete, - - "I:N": V2INone, - "I:P": V2IPartial, - "I:C": V2IComplete, - - "A:N": V2ANone, - "A:P": V2APartial, - "A:C": V2AComplete, - - "E:ND": V2ENotDefined, - "E:U": V2EUnproven, - "E:POC": V2EProofOfConcept, - "E:F": V2EFunctional, - "E:H": V2EHigh, - - "RL:OF": V2RLOfficialFix, - "RL:TF": V2RLTemporaryFix, - "RL:W": V2RLWorkaround, - "RL:U": V2RLUnavailable, - "RL:ND": V2RLNotDefined, - - "RC:UC": V2RCUnconfirmed, - "RC:UR": V2RCUncorroborated, - "RC:C": V2RCConfirmed, - "RC:ND": V2RCNotDefined, - - "CDP:N": V2CDPNone, - "CDP:L": V2CDPLow, - "CDP:LM": V2CDPLowMedium, - "CDP:MH": V2CDPMediumHigh, - "CDP:H": V2CDPHigh, - "CDP:ND": V2CDPNotDefined, - - "TD:N": V2TDNone, - "TD:L": V2TDLow, - "TD:M": V2TDMedium, - "TD:H": V2TDHigh, - "TD:ND": V2TDNotDefined, - - "CR:L": V2CRLow, - "CR:M": V2CRMedium, - "CR:H": V2CRHigh, - "CR:ND": V2CRNotDefined, - - "IR:L": V2IRLow, - "IR:M": V2IRMedium, - "IR:H": V2IRHigh, - "IR:ND": V2IRNotDefined, - - "AR:L": V2ARLow, - "AR:M": V2ARMedium, - "AR:H": V2ARHigh, - "AR:ND": V2ARNotDefined, +var v2MetricStrLut = map[string]v2Metric { + "AV:N": v2AVNetwork, + "AV:A": v2AVAdjacentNetwork, + "AV:L": v2AVLocal, + + "AC:L": v2ACLow, + "AC:M": v2ACMedium, + "AC:H": v2ACHigh, + + "Au:M": v2AuMultiple, + "Au:S": v2AuSingle, + "Au:N": v2AuNone, + + "C:N": v2CNone, + "C:P": v2CPartial, + "C:C": v2CComplete, + + "I:N": v2INone, + "I:P": v2IPartial, + "I:C": v2IComplete, + + "A:N": v2ANone, + "A:P": v2APartial, + "A:C": v2AComplete, + + "E:ND": v2ENotDefined, + "E:U": v2EUnproven, + "E:POC": v2EProofOfConcept, + "E:F": v2EFunctional, + "E:H": v2EHigh, + + "RL:OF": v2RLOfficialFix, + "RL:TF": v2RLTemporaryFix, + "RL:W": v2RLWorkaround, + "RL:U": v2RLUnavailable, + "RL:ND": v2RLNotDefined, + + "RC:UC": v2RCUnconfirmed, + "RC:UR": v2RCUncorroborated, + "RC:C": v2RCConfirmed, + "RC:ND": v2RCNotDefined, + + "CDP:N": v2CDPNone, + "CDP:L": v2CDPLow, + "CDP:LM": v2CDPLowMedium, + "CDP:MH": 
v2CDPMediumHigh, + "CDP:H": v2CDPHigh, + "CDP:ND": v2CDPNotDefined, + + "TD:N": v2TDNone, + "TD:L": v2TDLow, + "TD:M": v2TDMedium, + "TD:H": v2TDHigh, + "TD:ND": v2TDNotDefined, + + "CR:L": v2CRLow, + "CR:M": v2CRMedium, + "CR:H": v2CRHigh, + "CR:ND": v2CRNotDefined, + + "IR:L": v2IRLow, + "IR:M": v2IRMedium, + "IR:H": v2IRHigh, + "IR:ND": v2IRNotDefined, + + "AR:L": v2ARLow, + "AR:M": v2ARMedium, + "AR:H": v2ARHigh, + "AR:ND": v2ARNotDefined, } // Convert string to CVSS 2.0 metric. -func GetV2MetricFromString(s string) (V2Metric, error) { +func getV2MetricFromString(s string) (v2Metric, error) { // get metric m, ok := v2MetricStrLut[s] if !ok { - return V2AVNetwork, fmt.Errorf("invalid metric: %s", s) + return v2InvalidMetric, fmt.Errorf("invalid metric: %s", s) } // return success return m, nil } +// Get CVSS 2.0 metric key. +func (m v2Metric) Key() MetricKey { + k, _ := v2MetricKeyLut[m] + return k +} + // CVSS 2.0 vector. -type v2Vector []V2Metric +type v2Vector []v2Metric // Convert vector to string func (v v2Vector) String() string { // convert to slice of metrics - metrics := []V2Metric(v) + metrics := []v2Metric(v) // build vector r := make([]string, len(metrics)) @@ -362,16 +372,27 @@ func (v v2Vector) String() string { func (v2Vector) Version() Version { return V20 } +// Return metrics in this vector. +func (v v2Vector) Metrics() []Metric { + // build result + r := make([]Metric, len(v)) + for i, m := range(v) { + r[i] = m + } + + // return result + return r +} // create CVSS 2.0 vector from string -func NewV2VectorFromString(s string) (Vector, error) { +func newV2Vector(s string) (Vector, error) { strs := strings.Split(s, "/") - r := make([]V2Metric, len(strs)) + r := make([]v2Metric, len(strs)) // walk metric strings for i, ms := range(strs) { // convert string to vector - m, err := GetV2MetricFromString(ms) + m, err := getV2MetricFromString(ms) if err != nil { return nil, err } 
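Review bot: The new `Key()` method on `v2Metric` throws away the lookup's ok flag (`k, _ := v2MetricKeyLut[m]`), so any value missing from the table, including the `v2InvalidMetric` sentinel this commit introduces, comes back as the zero value `v2AccessVector` instead of `v2InvalidMetricKey`. A guard such as `k, ok := v2MetricKeyLut[m]; if !ok { return v2InvalidMetricKey }` would stop an unparsed metric from being reported as a valid Access Vector entry. The existing `Name()` and `Category()` accessors on `v2MetricKey` have the same shape and return `""` and `Base` for the new invalid key. Separately, the renamed constant `v2ACMedium` still carries the line comment `// AC:L`, which should read `// AC:M`. Since the type is generated with `stringer -linecomment`, its String() presumably prints `AC:L`, so a vector parsed from `AC:M` would be re-emitted with a different Access Complexity and therefore a different score.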
@@ -385,423 +406,432 @@ func NewV2VectorFromString(s string) (Vector, error) { } // CVSS v3 metric key -type V3MetricKey byte +type v3MetricKey byte const ( - V3AttackVector V3MetricKey = iota // AV - V3AttackComplexity // AC - V3PrivilegesRequired // PR - V3UserInteraction // UI - V3Scope // S - V3Confidentiality // C - V3Integrity // I - V3Availability // A - V3ExploitCodeMaturity // E - V3RemediationLevel // RL - V3ReportConfidence // RC - V3ConfidentialityRequirement // CR - V3IntegrityRequirement // IR - V3AvailabilityRequirement // AR - V3ModifiedAttackVector // MAV - V3ModifiedAttackComplexity // MAC - V3ModifiedPrivilegesRequired // MPR - V3ModifiedUserInteraction // MUI - V3ModifiedScope // MS - V3ModifiedConfidentiality // MC - V3ModifiedIntegrity // MI - V3ModifiedAvailability // MA + v3AttackVector v3MetricKey = iota // AV + v3AttackComplexity // AC + v3PrivilegesRequired // PR + v3UserInteraction // UI + v3Scope // S + v3Confidentiality // C + v3Integrity // I + v3Availability // A + v3ExploitCodeMaturity // E + v3RemediationLevel // RL + v3ReportConfidence // RC + v3ConfidentialityRequirement // CR + v3IntegrityRequirement // IR + v3AvailabilityRequirement // AR + v3ModifiedAttackVector // MAV + v3ModifiedAttackComplexity // MAC + v3ModifiedPrivilegesRequired // MPR + v3ModifiedUserInteraction // MUI + v3ModifiedScope // MS + v3ModifiedConfidentiality // MC + v3ModifiedIntegrity // MI + v3ModifiedAvailability // MA + + v3InvalidMetricKey // invalid ) -// CVSS V3 metric key info lut -var v3MetricKeys = map[V3MetricKey]struct { +// CVSS v3 metric key info lut +var v3MetricKeys = map[v3MetricKey]struct { Name string - Category MetricCategory + Category Category } { - V3AttackVector: { "Attack Vector", Base }, - V3AttackComplexity: { "Attack Complexity", Base }, - V3PrivilegesRequired: { "Privileges Required", Base }, - V3UserInteraction: { "User Interaction", Base }, - V3Scope: { "Scope", Base }, - V3Confidentiality: { "Confidentiality", Base }, - 
V3Integrity: { "Integrity", Base }, - V3Availability: { "Availability", Base }, - V3ExploitCodeMaturity: { "Exploit Code Maturity", Temporal }, - V3RemediationLevel: { "Remediation Level", Temporal }, - V3ReportConfidence: { "Report Confidence", Temporal }, - V3ConfidentialityRequirement: { "Confidentiality Requirement", Environmental }, - V3IntegrityRequirement: { "Integrity Requirement", Environmental }, - V3AvailabilityRequirement: { "Availability Requirement", Environmental }, - V3ModifiedAttackVector: { "Modified Attack Vector", Environmental }, - V3ModifiedAttackComplexity: { "Modified Attack Complexity", Environmental }, - V3ModifiedPrivilegesRequired: { "Modified Privileges Required", Environmental }, - V3ModifiedUserInteraction: { "Modified User Interaction", Environmental }, - V3ModifiedScope: { "Modified Scope", Environmental }, - V3ModifiedConfidentiality: { "Modified Confidentiality", Environmental }, - V3ModifiedIntegrity: { "Modified Integrity", Environmental }, - V3ModifiedAvailability: { "Modified Availability", Environmental }, + v3AttackVector: { "Attack Vector", Base }, + v3AttackComplexity: { "Attack Complexity", Base }, + v3PrivilegesRequired: { "Privileges Required", Base }, + v3UserInteraction: { "User Interaction", Base }, + v3Scope: { "Scope", Base }, + v3Confidentiality: { "Confidentiality", Base }, + v3Integrity: { "Integrity", Base }, + v3Availability: { "Availability", Base }, + v3ExploitCodeMaturity: { "Exploit Code Maturity", Temporal }, + v3RemediationLevel: { "Remediation Level", Temporal }, + v3ReportConfidence: { "Report Confidence", Temporal }, + v3ConfidentialityRequirement: { "Confidentiality Requirement", Environmental }, + v3IntegrityRequirement: { "Integrity Requirement", Environmental }, + v3AvailabilityRequirement: { "Availability Requirement", Environmental }, + v3ModifiedAttackVector: { "Modified Attack Vector", Environmental }, + v3ModifiedAttackComplexity: { "Modified Attack Complexity", Environmental }, + 
v3ModifiedPrivilegesRequired: { "Modified Privileges Required", Environmental }, + v3ModifiedUserInteraction: { "Modified User Interaction", Environmental }, + v3ModifiedScope: { "Modified Scope", Environmental }, + v3ModifiedConfidentiality: { "Modified Confidentiality", Environmental }, + v3ModifiedIntegrity: { "Modified Integrity", Environmental }, + v3ModifiedAvailability: { "Modified Availability", Environmental }, } // metric key IDs lut -var v3MetricKeyIds = map[string]V3MetricKey { - "AV": V3AttackVector, - "AC": V3AttackComplexity, - "PR": V3PrivilegesRequired, - "UI": V3UserInteraction, - "S": V3Scope, - "C": V3Confidentiality, - "I": V3Integrity, - "A": V3Availability, - "E": V3ExploitCodeMaturity, - "RL": V3RemediationLevel, - "RC": V3ReportConfidence, - "CR": V3ConfidentialityRequirement, - "IR": V3IntegrityRequirement, - "AR": V3AvailabilityRequirement, - "MAV": V3ModifiedAttackVector, - "MAC": V3ModifiedAttackComplexity, - "MPR": V3ModifiedPrivilegesRequired, - "MUI": V3ModifiedUserInteraction, - "MS": V3ModifiedScope, - "MC": V3ModifiedConfidentiality, - "MI": V3ModifiedIntegrity, - "MA": V3ModifiedAvailability, +var v3MetricKeyIds = map[string]v3MetricKey { + "AV": v3AttackVector, + "AC": v3AttackComplexity, + "PR": v3PrivilegesRequired, + "UI": v3UserInteraction, + "S": v3Scope, + "C": v3Confidentiality, + "I": v3Integrity, + "A": v3Availability, + "E": v3ExploitCodeMaturity, + "RL": v3RemediationLevel, + "RC": v3ReportConfidence, + "CR": v3ConfidentialityRequirement, + "IR": v3IntegrityRequirement, + "AR": v3AvailabilityRequirement, + "MAV": v3ModifiedAttackVector, + "MAC": v3ModifiedAttackComplexity, + "MPR": v3ModifiedPrivilegesRequired, + "MUI": v3ModifiedUserInteraction, + "MS": v3ModifiedScope, + "MC": v3ModifiedConfidentiality, + "MI": v3ModifiedIntegrity, + "MA": v3ModifiedAvailability, } // Get metric key from string. 
-func GetV3MetricKeyFromString(s string) (V3MetricKey, error) { +func getV3MetricKeyFromString(s string) (v3MetricKey, error) { k, ok := v3MetricKeyIds[s] if ok { return k, nil } else { - return V3AttackVector, fmt.Errorf("unknown metric key: %s", s) + return v3InvalidMetricKey, fmt.Errorf("invalid metric key: %s", s) } } // Get metric key name. -func (k V3MetricKey) Name() string { +func (k v3MetricKey) Name() string { return v3MetricKeys[k].Name } // Get metric key category. -func (k V3MetricKey) Category() MetricCategory { +func (k v3MetricKey) Category() Category { return v3MetricKeys[k].Category } // metric value -type V3Metric byte +type v3Metric byte const ( - V3AVNetwork V3Metric = iota // AV:N - V3AVAdjacentNetwork // AV:A - V3AVLocal // AV:L - V3AVPhysical // AV:P - - V3ACLow // AC:L - V3ACHigh // AC:H - - V3PRNone // PR:N - V3PRLow // PR:L - V3PRHigh // PR:H - - V3UINone // UI:N - V3UIRequired // UI:R - - V3SUnchanged // S:U - V3SChanged // S:C - - V3CHigh // C:H - V3CLow // C:L - V3CNone // C:N - - V3IHigh // I:H - V3ILow // I:L - V3INone // I:N - - V3AHigh // A:H - V3ALow // A:L - V3ANone // A:N - - V3ENotDefined // E:X - V3EHigh // E:H - V3EFunctional // E:F - V3EProofOfConcept // E:P - V3EUnproven // E:U - - V3RLNotDefined // RL:X - V3RLUnavailable // RL:U - V3RLWorkaround // RL:W - V3RLTemporaryFix // RL:T - V3RLOfficialFix // RL:O - - V3RCNotDefined // RC:X - V3RCConfirmed // RC:C - V3RCReasonable // RC:R - V3RCUnknown // RC:U - - V3CRNotDefined // CR:X - V3CRHigh // CR:H - V3CRMedium // CR:M - V3CRLow // CR:L - - V3IRNotDefined // IR:X - V3IRHigh // IR:H - V3IRMedium // IR:M - V3IRLow // IR:L - - V3ARNotDefined // AR:X - V3ARHigh // AR:H - V3ARMedium // AR:M - V3ARLow // AR:L - - V3MAVNotDefined // MAV:X - V3MAVNetwork // MAV:N - V3MAVAdjacentNetwork // MAV:A - V3MAVLocal // MAV:L - V3MAVPhysical // MAV:P - - V3MACNotDefined // MAC:X - V3MACLow // MAC:L - V3MACHigh // MAC:H - - V3MMRNotDefined // MPR:X - V3MPRLow // MPR:L - V3MPRHigh // MPR:H - - 
V3MUINotDefined // MUI:X - V3MUINone // MUI:N - V3MUIRequired // MUI:R - - V3MSNotDefined // MMS:X - V3MSUnchanged // MMS:U - V3MSChanged // MMS:C - - V3MCNotDefined // MC:X - V3MCHigh // MC:H - V3MCLow // MC:L - V3MCNone // MC:N - - V3MINotDefined // MI:X - V3MIHigh // MI:H - V3MILow // MI:L - V3MINone // MI:N - - V3MANotDefined // MA:X - V3MAHigh // MA:H - V3MALow // MA:L - V3MANone // MA:N - V3UnknownMetric // unknown + v3AVNetwork v3Metric = iota // AV:N + v3AVAdjacentNetwork // AV:A + v3AVLocal // AV:L + v3AVPhysical // AV:P + + v3ACLow // AC:L + v3ACHigh // AC:H + + v3PRNone // PR:N + v3PRLow // PR:L + v3PRHigh // PR:H + + v3UINone // UI:N + v3UIRequired // UI:R + + v3SUnchanged // S:U + v3SChanged // S:C + + v3CHigh // C:H + v3CLow // C:L + v3CNone // C:N + + v3IHigh // I:H + v3ILow // I:L + v3INone // I:N + + v3AHigh // A:H + v3ALow // A:L + v3ANone // A:N + + v3ENotDefined // E:X + v3EHigh // E:H + v3EFunctional // E:F + v3EProofOfConcept // E:P + v3EUnproven // E:U + + v3RLNotDefined // RL:X + v3RLUnavailable // RL:U + v3RLWorkaround // RL:W + v3RLTemporaryFix // RL:T + v3RLOfficialFix // RL:O + + v3RCNotDefined // RC:X + v3RCConfirmed // RC:C + v3RCReasonable // RC:R + v3RCUnknown // RC:U + + v3CRNotDefined // CR:X + v3CRHigh // CR:H + v3CRMedium // CR:M + v3CRLow // CR:L + + v3IRNotDefined // IR:X + v3IRHigh // IR:H + v3IRMedium // IR:M + v3IRLow // IR:L + + v3ARNotDefined // AR:X + v3ARHigh // AR:H + v3ARMedium // AR:M + v3ARLow // AR:L + + v3MAVNotDefined // MAV:X + v3MAVNetwork // MAV:N + v3MAVAdjacentNetwork // MAV:A + v3MAVLocal // MAV:L + v3MAVPhysical // MAV:P + + v3MACNotDefined // MAC:X + v3MACLow // MAC:L + v3MACHigh // MAC:H + + v3MMRNotDefined // MPR:X + v3MPRLow // MPR:L + v3MPRHigh // MPR:H + + v3MUINotDefined // MUI:X + v3MUINone // MUI:N + v3MUIRequired // MUI:R + + v3MSNotDefined // MMS:X + v3MSUnchanged // MMS:U + v3MSChanged // MMS:C + + v3MCNotDefined // MC:X + v3MCHigh // MC:H + v3MCLow // MC:L + v3MCNone // MC:N + + v3MINotDefined 
// MI:X + v3MIHigh // MI:H + v3MILow // MI:L + v3MINone // MI:N + + v3MANotDefined // MA:X + v3MAHigh // MA:H + v3MALow // MA:L + v3MANone // MA:N + + v3InvalidMetric // invalid ) // map of metrics to metric keys -var v3MetricKeyLut = map[V3Metric]V3MetricKey { - V3AVNetwork: V3AttackVector, // AV:N - V3AVAdjacentNetwork: V3AttackVector, // AV:A - V3AVLocal: V3AttackVector, // AV:L - V3AVPhysical: V3AttackVector, // AV:P - - V3ACLow: V3AttackComplexity, // AC:L - V3ACHigh: V3AttackComplexity, // AC:H - - V3PRNone: V3PrivilegesRequired, // PR:N - V3PRLow: V3PrivilegesRequired, // PR:L - V3PRHigh: V3PrivilegesRequired, // PR:H - - V3UINone: V3UserInteraction, // UI:N - V3UIRequired: V3UserInteraction, // UI:R - - V3SUnchanged: V3Scope, // S:U - V3SChanged: V3Scope, // S:C - - V3CHigh: V3Confidentiality, // C:H - V3CLow: V3Confidentiality, // C:L - V3CNone: V3Confidentiality, // C:N - - V3IHigh: V3Integrity, // I:H - V3ILow: V3Integrity, // I:L - V3INone: V3Integrity, // I:N - - V3AHigh: V3Availability, // A:H - V3ALow: V3Availability, // A:L - V3ANone: V3Availability, // A:N - - V3ENotDefined: V3ExploitCodeMaturity, // E:X - V3EHigh: V3ExploitCodeMaturity, // E:H - V3EFunctional: V3ExploitCodeMaturity, // E:F - V3EProofOfConcept: V3ExploitCodeMaturity, // E:P - V3EUnproven: V3ExploitCodeMaturity, // E:U - - V3RLNotDefined: V3RemediationLevel, // RL:X - V3RLUnavailable: V3RemediationLevel, // RL:U - V3RLWorkaround: V3RemediationLevel, // RL:W - V3RLTemporaryFix: V3RemediationLevel, // RL:T - V3RLOfficialFix: V3RemediationLevel, // RL:O - - V3RCNotDefined: V3ReportConfidence, // RC:X - V3RCConfirmed: V3ReportConfidence, // RC:C - V3RCReasonable: V3ReportConfidence, // RC:R - V3RCUnknown: V3ReportConfidence, // RC:U - - V3CRNotDefined: V3ConfidentialityRequirement, // CR:X - V3CRHigh: V3ConfidentialityRequirement, // CR:H - V3CRMedium: V3ConfidentialityRequirement, // CR:M - V3CRLow: V3ConfidentialityRequirement, // CR:L - - V3IRNotDefined: V3IntegrityRequirement, // 
IR:X - V3IRHigh: V3IntegrityRequirement, // IR:H - V3IRMedium: V3IntegrityRequirement, // IR:M - V3IRLow: V3IntegrityRequirement, // IR:L - - V3ARNotDefined: V3AvailabilityRequirement, // AR:X - V3ARHigh: V3AvailabilityRequirement, // AR:H - V3ARMedium: V3AvailabilityRequirement, // AR:M - V3ARLow: V3AvailabilityRequirement, // AR:L - - V3MAVNotDefined: V3ModifiedAttackVector, // MAV:X - V3MAVNetwork: V3ModifiedAttackVector, // MAV:N - V3MAVAdjacentNetwork: V3ModifiedAttackVector, // MAV:A - V3MAVLocal: V3ModifiedAttackVector, // MAV:L - V3MAVPhysical: V3ModifiedAttackVector, // MAV:P - - V3MACNotDefined: V3ModifiedAttackComplexity, // MAC:X - V3MACLow: V3ModifiedAttackComplexity, // MAC:L - V3MACHigh: V3ModifiedAttackComplexity, // MAC:H - - V3MMRNotDefined: V3ModifiedPrivilegesRequired, // MPR:X - V3MPRLow: V3ModifiedPrivilegesRequired, // MPR:L - V3MPRHigh: V3ModifiedPrivilegesRequired, // MPR:H - - V3MUINotDefined: V3ModifiedUserInteraction, // MUI:X - V3MUINone: V3ModifiedUserInteraction, // MUI:N - V3MUIRequired: V3ModifiedUserInteraction, // MUI:R - - V3MSNotDefined: V3ModifiedScope, // MMS:X - V3MSUnchanged: V3ModifiedConfidentiality, // MMS:U - V3MSChanged: V3ModifiedIntegrity, // MMS:C - - V3MCNotDefined: V3ModifiedConfidentiality, // MC:X - V3MCHigh: V3ModifiedConfidentiality, // MC:H - V3MCLow: V3ModifiedConfidentiality, // MC:L - V3MCNone: V3ModifiedConfidentiality, // MC:N - - V3MINotDefined: V3ModifiedIntegrity, // MI:X - V3MIHigh: V3ModifiedIntegrity, // MI:H - V3MILow: V3ModifiedIntegrity, // MI:L - V3MINone: V3ModifiedIntegrity, // MI:N - - V3MANotDefined: V3ModifiedAvailability, // MA:X - V3MAHigh: V3ModifiedAvailability, // MA:H - V3MALow: V3ModifiedAvailability, // MA:L - V3MANone: V3ModifiedAvailability, // MA:N +var v3MetricKeyLut = map[v3Metric]v3MetricKey { + v3AVNetwork: v3AttackVector, // AV:N + v3AVAdjacentNetwork: v3AttackVector, // AV:A + v3AVLocal: v3AttackVector, // AV:L + v3AVPhysical: v3AttackVector, // AV:P + + v3ACLow: 
v3AttackComplexity, // AC:L + v3ACHigh: v3AttackComplexity, // AC:H + + v3PRNone: v3PrivilegesRequired, // PR:N + v3PRLow: v3PrivilegesRequired, // PR:L + v3PRHigh: v3PrivilegesRequired, // PR:H + + v3UINone: v3UserInteraction, // UI:N + v3UIRequired: v3UserInteraction, // UI:R + + v3SUnchanged: v3Scope, // S:U + v3SChanged: v3Scope, // S:C + + v3CHigh: v3Confidentiality, // C:H + v3CLow: v3Confidentiality, // C:L + v3CNone: v3Confidentiality, // C:N + + v3IHigh: v3Integrity, // I:H + v3ILow: v3Integrity, // I:L + v3INone: v3Integrity, // I:N + + v3AHigh: v3Availability, // A:H + v3ALow: v3Availability, // A:L + v3ANone: v3Availability, // A:N + + v3ENotDefined: v3ExploitCodeMaturity, // E:X + v3EHigh: v3ExploitCodeMaturity, // E:H + v3EFunctional: v3ExploitCodeMaturity, // E:F + v3EProofOfConcept: v3ExploitCodeMaturity, // E:P + v3EUnproven: v3ExploitCodeMaturity, // E:U + + v3RLNotDefined: v3RemediationLevel, // RL:X + v3RLUnavailable: v3RemediationLevel, // RL:U + v3RLWorkaround: v3RemediationLevel, // RL:W + v3RLTemporaryFix: v3RemediationLevel, // RL:T + v3RLOfficialFix: v3RemediationLevel, // RL:O + + v3RCNotDefined: v3ReportConfidence, // RC:X + v3RCConfirmed: v3ReportConfidence, // RC:C + v3RCReasonable: v3ReportConfidence, // RC:R + v3RCUnknown: v3ReportConfidence, // RC:U + + v3CRNotDefined: v3ConfidentialityRequirement, // CR:X + v3CRHigh: v3ConfidentialityRequirement, // CR:H + v3CRMedium: v3ConfidentialityRequirement, // CR:M + v3CRLow: v3ConfidentialityRequirement, // CR:L + + v3IRNotDefined: v3IntegrityRequirement, // IR:X + v3IRHigh: v3IntegrityRequirement, // IR:H + v3IRMedium: v3IntegrityRequirement, // IR:M + v3IRLow: v3IntegrityRequirement, // IR:L + + v3ARNotDefined: v3AvailabilityRequirement, // AR:X + v3ARHigh: v3AvailabilityRequirement, // AR:H + v3ARMedium: v3AvailabilityRequirement, // AR:M + v3ARLow: v3AvailabilityRequirement, // AR:L + + v3MAVNotDefined: v3ModifiedAttackVector, // MAV:X + v3MAVNetwork: v3ModifiedAttackVector, // MAV:N + 
v3MAVAdjacentNetwork: v3ModifiedAttackVector, // MAV:A + v3MAVLocal: v3ModifiedAttackVector, // MAV:L + v3MAVPhysical: v3ModifiedAttackVector, // MAV:P + + v3MACNotDefined: v3ModifiedAttackComplexity, // MAC:X + v3MACLow: v3ModifiedAttackComplexity, // MAC:L + v3MACHigh: v3ModifiedAttackComplexity, // MAC:H + + v3MMRNotDefined: v3ModifiedPrivilegesRequired, // MPR:X + v3MPRLow: v3ModifiedPrivilegesRequired, // MPR:L + v3MPRHigh: v3ModifiedPrivilegesRequired, // MPR:H + + v3MUINotDefined: v3ModifiedUserInteraction, // MUI:X + v3MUINone: v3ModifiedUserInteraction, // MUI:N + v3MUIRequired: v3ModifiedUserInteraction, // MUI:R + + v3MSNotDefined: v3ModifiedScope, // MMS:X + v3MSUnchanged: v3ModifiedConfidentiality, // MMS:U + v3MSChanged: v3ModifiedIntegrity, // MMS:C + + v3MCNotDefined: v3ModifiedConfidentiality, // MC:X + v3MCHigh: v3ModifiedConfidentiality, // MC:H + v3MCLow: v3ModifiedConfidentiality, // MC:L + v3MCNone: v3ModifiedConfidentiality, // MC:N + + v3MINotDefined: v3ModifiedIntegrity, // MI:X + v3MIHigh: v3ModifiedIntegrity, // MI:H + v3MILow: v3ModifiedIntegrity, // MI:L + v3MINone: v3ModifiedIntegrity, // MI:N + + v3MANotDefined: v3ModifiedAvailability, // MA:X + v3MAHigh: v3ModifiedAvailability, // MA:H + v3MALow: v3ModifiedAvailability, // MA:L + v3MANone: v3ModifiedAvailability, // MA:N } // map of metric strings to metrics -var v3MetricStrLut = map[string]V3Metric { - "AV:N": V3AVNetwork, - "AV:A": V3AVAdjacentNetwork, - "AV:L": V3AVLocal, - "AV:P": V3AVPhysical, - - "AC:L": V3ACLow, - "AC:H": V3ACHigh, - - "PR:N": V3PRNone, - "PR:L": V3PRLow, - "PR:H": V3PRHigh, - - "UI:N": V3UINone, - "UI:R": V3UIRequired, - - "S:U": V3SUnchanged, - "S:C": V3SChanged, - - "C:H": V3CHigh, - "C:L": V3CLow, - "C:N": V3CNone, - - "I:H": V3IHigh, - "I:L": V3ILow, - "I:N": V3INone, - - "A:H": V3AHigh, - "A:L": V3ALow, - "A:N": V3ANone, - - "E:X": V3ENotDefined, - "E:H": V3EHigh, - "E:F": V3EFunctional, - "E:P": V3EProofOfConcept, - "E:U": V3EUnproven, - - "RL:X": 
V3RLNotDefined, - "RL:U": V3RLUnavailable, - "RL:W": V3RLWorkaround, - "RL:T": V3RLTemporaryFix, - "RL:O": V3RLOfficialFix, - - "RC:X": V3RCNotDefined, - "RC:C": V3RCConfirmed, - "RC:R": V3RCReasonable, - "RC:U": V3RCUnknown, - - "CR:X": V3CRNotDefined, - "CR:H": V3CRHigh, - "CR:M": V3CRMedium, - "CR:L": V3CRLow, - - "IR:X": V3IRNotDefined, - "IR:H": V3IRHigh, - "IR:M": V3IRMedium, - "IR:L": V3IRLow, - - "AR:X": V3ARNotDefined, - "AR:H": V3ARHigh, - "AR:M": V3ARMedium, - "AR:L": V3ARLow, - - "MAV:X": V3MAVNotDefined, - "MAV:N": V3MAVNetwork, - "MAV:A": V3MAVAdjacentNetwork, - "MAV:L": V3MAVLocal, - "MAV:P": V3MAVPhysical, - - "MAC:X": V3MACNotDefined, - "MAC:L": V3MACLow, - "MAC:H": V3MACHigh, - - "MPR:X": V3MMRNotDefined, - "MPR:L": V3MPRLow, - "MPR:H": V3MPRHigh, - - "MUI:X": V3MUINotDefined, - "MUI:N": V3MUINone, - "MUI:R": V3MUIRequired, - - "MMS:X": V3MSNotDefined, - "MMS:U": V3MSUnchanged, - "MMS:C": V3MSChanged, - - "MC:X": V3MCNotDefined, - "MC:H": V3MCHigh, - "MC:L": V3MCLow, - "MC:N": V3MCNone, - - "MI:X": V3MINotDefined, - "MI:H": V3MIHigh, - "MI:L": V3MILow, - "MI:N": V3MINone, - - "MA:X": V3MANotDefined, - "MA:H": V3MAHigh, - "MA:L": V3MALow, - "MA:N": V3MANone, +var v3MetricStrLut = map[string]v3Metric { + "AV:N": v3AVNetwork, + "AV:A": v3AVAdjacentNetwork, + "AV:L": v3AVLocal, + "AV:P": v3AVPhysical, + + "AC:L": v3ACLow, + "AC:H": v3ACHigh, + + "PR:N": v3PRNone, + "PR:L": v3PRLow, + "PR:H": v3PRHigh, + + "UI:N": v3UINone, + "UI:R": v3UIRequired, + + "S:U": v3SUnchanged, + "S:C": v3SChanged, + + "C:H": v3CHigh, + "C:L": v3CLow, + "C:N": v3CNone, + + "I:H": v3IHigh, + "I:L": v3ILow, + "I:N": v3INone, + + "A:H": v3AHigh, + "A:L": v3ALow, + "A:N": v3ANone, + + "E:X": v3ENotDefined, + "E:H": v3EHigh, + "E:F": v3EFunctional, + "E:P": v3EProofOfConcept, + "E:U": v3EUnproven, + + "RL:X": v3RLNotDefined, + "RL:U": v3RLUnavailable, + "RL:W": v3RLWorkaround, + "RL:T": v3RLTemporaryFix, + "RL:O": v3RLOfficialFix, + + "RC:X": v3RCNotDefined, + "RC:C": 
v3RCConfirmed, + "RC:R": v3RCReasonable, + "RC:U": v3RCUnknown, + + "CR:X": v3CRNotDefined, + "CR:H": v3CRHigh, + "CR:M": v3CRMedium, + "CR:L": v3CRLow, + + "IR:X": v3IRNotDefined, + "IR:H": v3IRHigh, + "IR:M": v3IRMedium, + "IR:L": v3IRLow, + + "AR:X": v3ARNotDefined, + "AR:H": v3ARHigh, + "AR:M": v3ARMedium, + "AR:L": v3ARLow, + + "MAV:X": v3MAVNotDefined, + "MAV:N": v3MAVNetwork, + "MAV:A": v3MAVAdjacentNetwork, + "MAV:L": v3MAVLocal, + "MAV:P": v3MAVPhysical, + + "MAC:X": v3MACNotDefined, + "MAC:L": v3MACLow, + "MAC:H": v3MACHigh, + + "MPR:X": v3MMRNotDefined, + "MPR:L": v3MPRLow, + "MPR:H": v3MPRHigh, + + "MUI:X": v3MUINotDefined, + "MUI:N": v3MUINone, + "MUI:R": v3MUIRequired, + + "MMS:X": v3MSNotDefined, + "MMS:U": v3MSUnchanged, + "MMS:C": v3MSChanged, + + "MC:X": v3MCNotDefined, + "MC:H": v3MCHigh, + "MC:L": v3MCLow, + "MC:N": v3MCNone, + + "MI:X": v3MINotDefined, + "MI:H": v3MIHigh, + "MI:L": v3MILow, + "MI:N": v3MINone, + + "MA:X": v3MANotDefined, + "MA:H": v3MAHigh, + "MA:L": v3MALow, + "MA:N": v3MANone, +} + +// Get CVSS 3.x metric key. +func (m v3Metric) Key() MetricKey { + k, _ := v3MetricKeyLut[m] + return k } // Convert string to CVSS 3.1 metric. -func GetV3MetricFromString(s string) (V3Metric, error) { +func getV3Metric(s string) (v3Metric, error) { // get metric m, ok := v3MetricStrLut[s] if !ok { - return V3AVNetwork, fmt.Errorf("invalid metric: %s", s) + return v3InvalidMetric, fmt.Errorf("invalid metric: %s", s) } // return success @@ -812,12 +842,12 @@ func GetV3MetricFromString(s string) (V3Metric, error) { var v30Prefix = "CVSS:3.0/" // CVSS 3.0 vector. -type v30Vector []V3Metric +type v30Vector []v3Metric // Convert vector to string func (v v30Vector) String() string { // convert to slice of metrics - metrics := []V3Metric(v) + metrics := []v3Metric(v) // build vector r := make([]string, len(metrics)) 
@@ -834,15 +864,27 @@ func (v30Vector) Version() Version {
 return V30
 }
 
+// Return metrics in this vector.
+func (v v30Vector) Metrics() []Metric {
+ // build result
+ r := make([]Metric, len(v))
+ for i, m := range(v) {
+ r[i] = m
+ }
+
+ // return result
+ return r
+}
+
 // create CVSS 3.0 vector from string
-func NewV30VectorFromString(s string) (Vector, error) {
+func newV30Vector(s string) (Vector, error) {
 strs := strings.Split(s, "/")
- r := make([]V3Metric, len(strs))
+ r := make([]v3Metric, len(strs))
 
 // walk metric strings
 for i, ms := range(strs) {
- // convert string to vector
- m, err := GetV3MetricFromString(ms)
+ // convert metric string to metric
+ m, err := getV3Metric(ms)
 if err != nil {
 return nil, err
 }
@@ -859,12 +901,12 @@ func NewV30VectorFromString(s string) (Vector, error) {
 var v31Prefix = "CVSS:3.1/"
 
 // CVSS 3.1 vector.
-type v31Vector []V3Metric
+type v31Vector []v3Metric
 
 // Convert vector to string
 func (v v31Vector) String() string {
 // convert to slice of metrics
- metrics := []V3Metric(v)
+ metrics := []v3Metric(v)
 
 // build vector
 r := make([]string, len(metrics))
@@ -881,15 +923,27 @@ func (v31Vector) Version() Version {
 return V31
 }
 
+// Return metrics in this vector.
+func (v v31Vector) Metrics() []Metric {
+ // build result
+ r := make([]Metric, len(v))
+ for i, m := range(v) {
+ r[i] = m
+ }
+
+ // return result
+ return r
+}
+
 // create CVSS 3.1 vector from string
-func NewV31VectorFromString(s string) (Vector, error) {
+func newV31Vector(s string) (Vector, error) {
 strs := strings.Split(s, "/")
- r := make([]V3Metric, len(strs))
+ r := make([]v3Metric, len(strs))
 
 // walk metric strings
 for i, ms := range(strs) {
- // convert string to vector
- m, err := GetV3MetricFromString(ms)
+ // get metric from string
+ m, err := getV3Metric(ms)
 if err != nil {
 return nil, err
 }
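Review bot: The loop in newV30Vector (and the identical one in newV31Vector, hunk -881) validates each token on its own through getV3Metric, so nothing visible here stops a vector from naming the same metric key twice (a constructed example: `AV:N/AV:L`) or from omitting a base metric; a consumer that scores from such a vector would report a severity that depends on which duplicate it happens to read. The function body continues past the hunk, so a later check may exist, but none is shown. A duplicate check keyed on `m.Key()` is sketched below; it relies on v3MetricKeyLut being correct, and the entries for v3MSUnchanged and v3MSChanged in that table currently point at v3ModifiedConfidentiality and v3ModifiedIntegrity rather than v3ModifiedScope, which would need correcting first.

```go
func newV30Vector(s string) (Vector, error) {
	// … unchanged: strings.Split and allocation of r …
	seen := make(map[MetricKey]bool, len(strs))

	for i, ms := range(strs) {
		// … unchanged: getV3Metric call and its error return …

		// reject a metric key that appears more than once in the vector
		k := m.Key()
		if seen[k] {
			return nil, fmt.Errorf("duplicate metric key: %s", k)
		}
		seen[k] = true
		// … unchanged: remainder of the loop and the return, outside the hunk …
```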
@@ -902,25 +956,49 @@ func NewV31VectorFromString(s string) (Vector, error) {
 return v31Vector(r), nil
 }
 
-// CVSS vector
+// Metric key.
+type MetricKey interface {
+ // Get full name.
+ Name() string
+
+ // Get category.
+ Category() Category
+
+ // Return string representation.
+ String() string
+}
+
+// CVSS metric.
+type Metric interface {
+ // Get metric key.
+ Key() MetricKey
+
+ // Return string representation of metric.
+ String() string
+}
+
+// CVSS metric vector.
 type Vector interface {
 // Get CVSS version.
 Version() Version
 
 // Get CVSS vector string.
 String() string
+
+ // Return metrics in this vector.
+ Metrics() []Metric
 }
 
 // Create new CVSS vector from vector string.
 func NewVector(s string) (Vector, error) {
 if len(s) > len(v31Prefix) && s[:len(v31Prefix)] == v31Prefix {
 // create CVSS v2.0 vector.
- return NewV31VectorFromString(s[len(v31Prefix):])
+ return newV31Vector(s[len(v31Prefix):])
 } else if len(s) > len(v30Prefix) && s[:len(v30Prefix)] == v30Prefix {
 // create CVSS v3.0 vector.
- return NewV30VectorFromString(s[len(v30Prefix):])
+ return newV30Vector(s[len(v30Prefix):])
 } else {
 // create CVSS V2 vector
- return NewV2VectorFromString(s)
+ return newV2Vector(s)
 }
 }
-- cgit v1.2.3
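Review bot: In NewVector, the final `else` sends every string that lacks v31Prefix or v30Prefix to newV2Vector, and because the tests use `len(s) > len(prefix)` a bare `CVSS:3.1/` goes there too, so a vector carrying an unsupported version tag is handled as CVSS v2 instead of being rejected as an unknown version. Assuming v2 vector strings never begin with `CVSS:`, an explicit branch before the fallback, such as `} else if strings.HasPrefix(s, "CVSS:") { return nil, fmt.Errorf("unsupported CVSS version: %s", s)`, would make that failure explicit, and `strings.HasPrefix(s, v31Prefix)` reads more directly than the length-and-slice comparison. The comment on the first branch says `// create CVSS v2.0 vector.` although that branch builds a 3.1 vector; it should read `// create CVSS v3.1 vector.`.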