From 7eb7b615f8f8b07922426b35712938e58e9abee9 Mon Sep 17 00:00:00 2001
From: Paul Duncan
Date: Sat, 4 Oct 2025 03:31:28 -0400
Subject: add content/posts/2025-10-04-polycvss-v0.2.0.md
---
content/posts/2025-10-04-polycvss-v0.2.0.md | 125 ++++++++++++++++++++++++++++
1 file changed, 125 insertions(+)
create mode 100644 content/posts/2025-10-04-polycvss-v0.2.0.md
(limited to 'content')
diff --git a/content/posts/2025-10-04-polycvss-v0.2.0.md b/content/posts/2025-10-04-polycvss-v0.2.0.md
new file mode 100644
index 0000000..b9d3b9b
--- /dev/null
+++ b/content/posts/2025-10-04-polycvss-v0.2.0.md
@@ -0,0 +1,125 @@
+---
+slug: polycvss-v0.2.0
+title: "polycvss v0.2.0"
+date: "2025-10-04T03:15:48-04:00"
+---
+I just released [polycvss][] version 0.2.0.
+
+[polycvss][] is a [Rust][] library to parse and score [CVSS][] vector
+strings.
+
+Features:
+
+- [CVSS v2][doc-v2], [CVSS v3][doc-v3], and [CVSS v4][doc-v4] support.
+- Version-agnostic parsing and scoring [API][].
+- Memory efficient: Vectors are 8 bytes. Scores and severities are 1 byte.
+- No dependencies by default except the standard library.
+- Optional [serde][] integration via the `serde` build feature.
+- Extensive tests: Tested against thousands of vectors and scores from
+ the [NVD][] [CVSS][] calculators.
+
+Here is an example tool which parses the first command-line argument as
+a [CVSS][] vector string, then prints the score and severity:
+
+```rust
+use polycvss::{Err, Score, Severity, Vector};
+
+fn main() -> Result<(), Err> {
+ let args: Vec = std::env::args().collect(); // get cli args
+
+ if args.len() == 2 {
+ let vec: Vector = args[1].parse()?; // parse string
+ let score = Score::from(vec); // get score
+ let severity = Severity::from(score); // get severity
+ println!("{score} {severity}"); // print score and severity
+ } else {
+ let name = args.first().map_or("app", |s| s); // get app name
+ eprintln!("Usage: {name} [VECTOR]"); // print usage
+ }
+
+ Ok(())
+}
+```
+ 
+
+Here is the example tool output for a [CVSS v2][doc-v2] vector string, a
+[CVSS v3][doc-v3] vector string, and a [CVSS v4][doc-v4] vector string:
+
+```sh
+# test with cvss v2 vector string
+$ cvss-score "AV:A/AC:H/Au:N/C:C/I:C/A:C"
+6.8 MEDIUM
+
+# test with cvss v3 vector string
+$ cvss-score "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+9.8 CRITICAL
+
+# test with cvss v4 vector string
+$ cvss-score "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H"
+5.2 MEDIUM
+```
+ 
+
+This example tool is included in the [Git repository][] as
+[`src/bin/cvss-score.rs`][cvss-score].
+
+### Links
+
+- [polycvss Git repository][polycvss]
+- [polycvss package on crates.io][crates-io-polycvss]
+- [polycvss API Documentation on docs.rs][docs-rs-polycvss]
+
+[html]: https://en.wikipedia.org/wiki/HTML
+ "HyperText Markup Language"
+[rust]: https://rust-lang.org/
+ "Rust programming language."
+[cvss]: https://www.first.org/cvss/
+ "Common Vulnerability Scoring System (CVSS)"
+[doc-v2]: https://www.first.org/cvss/v2/guide
+ "CVSS v2.0 Documentation"
+[doc-v3]: https://www.first.org/cvss/v3-1/specification-document
+ "CVSS v3.1 Specification"
+[doc-v4]: https://www.first.org/cvss/v4-0/specification-document
+ "Common Vulnerability Scoring System (CVSS) version 4.0 Specification"
+[bit-field]: https://en.wikipedia.org/wiki/Bit_field
+ "Bit field (Wikipedia)"
+[cvss-score]: https://github.com/pablotron/polycvss/blob/main/src/bin/cvss-score.rs
+ "Example command-line tool which parses a CVSS vector and prints the score and severity to standard output."
+[git repository]: https://github.com/pablotron/polycvss
+ "polycvss git repository"
+[polycvss]: https://github.com/pablotron/polycvss
+ "polycvss Rust library"
+[v2-calc]: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator
+ "NVD CVSS v2 calculator"
+[v3-calc]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
+ "NVD CVSS v3 calculator"
+[v4-calc]: https://nvd.nist.gov/site-scripts/cvss-v4-calculator-main/
+ "NVD CVSS v4 calculator"
+[cargo]: https://doc.rust-lang.org/cargo/
+ "Rust package manager"
+[podman]: https://podman.io/
+ "Podman container management tool"
+[docker]: https://docker.com/
+ "Docker container management tool"
+[api]: https://en.wikipedia.org/wiki/API
+ "Application Programming Interface (API)"
+[linter]: https://en.wikipedia.org/wiki/Lint_(software)
+ "Static code analysis tool to catch common mistakes"
+[src-v2-rs]: src/v2.rs
+ "CVSS v2 parsing and scoring"
+[src-v3-rs]: src/v3.rs
+ "CVSS v3 parsing and scoring"
+[src-v4-rs]: src/v4.rs
+ "CVSS v4 parsing and scoring"
+[nvd]: https://nvd.nist.gov/
+ "National Vulnerability Database (NVD)"
+[cvss-calcs]: https://github.com/pablotron/cvss-calcs
+ "Generate random CVSS vector strings and score them."
+[crates.io]: https://crates.io/
+ "Rust package registry"
+[docs-rs-polycvss]: https://docs.rs/polycvss
+ "polycvss API documentation on docs.rs"
+[crates-io-polycvss]: https://crates.io/crates/polycvss
+ "polycvss on crates.io"
+[serde]: https://serde.rs/
+ "Rust serializing and deserializing framework."
-- cgit v1.2.3