---
slug: polycvss-v0.2.0
title: "polycvss v0.2.0"
date: "2025-10-04T03:15:48-04:00"
---
I just released [polycvss][] version 0.2.0.

[polycvss][] is a [Rust][] library to parse and score [CVSS][] vector
strings.

Features:

- [CVSS v2][doc-v2], [CVSS v3][doc-v3], and [CVSS v4][doc-v4] support.
- Version-agnostic parsing and scoring [API][].
- Memory efficient: Vectors are 8 bytes. Scores and severities are 1 byte.
- No dependencies by default except the standard library.
- Optional [serde][] integration via the `serde` build feature.
- Extensive tests: Tested against thousands of vectors and scores from
  the [NVD][] [CVSS][] calculators.

Here is an example tool which parses the first command-line argument as
a [CVSS][] vector string, then prints the score and severity:

```rust
use polycvss::{Err, Score, Severity, Vector};

fn main() -> Result<(), Err> {
  let args: Vec<String> = std::env::args().collect(); // get cli args

  if args.len() == 2 {
    let vec: Vector = args[1].parse()?; // parse string
    let score = Score::from(vec); // get score
    let severity = Severity::from(score); // get severity
    println!("{score} {severity}"); // print score and severity
  } else {
    let name = args.first().map_or("app", |s| s); // get app name
    eprintln!("Usage: {name} [VECTOR]"); // print usage
  }

  Ok(())
}
```
&nbsp;

Here is the example tool output for a [CVSS v2][doc-v2] vector string, a
[CVSS v3][doc-v3] vector string, and a [CVSS v4][doc-v4] vector string:

```sh
# test with cvss v2 vector string
$ cvss-score "AV:A/AC:H/Au:N/C:C/I:C/A:C"
6.8 MEDIUM

# test with cvss v3 vector string
$ cvss-score "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
9.8 CRITICAL

# test with cvss v4 vector string
$ cvss-score "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H"
5.2 MEDIUM
```
&nbsp;

This example tool is included in the [Git repository][] as
[`src/bin/cvss-score.rs`][cvss-score].

### Links

- [polycvss Git repository][polycvss]
- [polycvss package on crates.io][crates-io-polycvss]
- [polycvss API Documentation on docs.rs][docs-rs-polycvss]

[html]: https://en.wikipedia.org/wiki/HTML
  "HyperText Markup Language"
[rust]: https://rust-lang.org/
  "Rust programming language"
[cvss]: https://www.first.org/cvss/
  "Common Vulnerability Scoring System (CVSS)"
[doc-v2]: https://www.first.org/cvss/v2/guide
  "CVSS v2.0 Documentation"
[doc-v3]: https://www.first.org/cvss/v3-1/specification-document
  "CVSS v3.1 Specification"
[doc-v4]: https://www.first.org/cvss/v4-0/specification-document
  "Common Vulnerability Scoring System (CVSS) version 4.0 Specification"
[bit-field]: https://en.wikipedia.org/wiki/Bit_field
  "Bit field (Wikipedia)"
[cvss-score]: https://github.com/pablotron/polycvss/blob/main/src/bin/cvss-score.rs
  "Example command-line tool which parses a CVSS vector and prints the score and severity to standard output"
[git repository]: https://github.com/pablotron/polycvss
  "polycvss git repository"
[polycvss]: https://github.com/pablotron/polycvss
  "polycvss Rust library"
[v2-calc]: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator
  "NVD CVSS v2 calculator"
[v3-calc]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
  "NVD CVSS v3 calculator"
[v4-calc]: https://nvd.nist.gov/site-scripts/cvss-v4-calculator-main/
  "NVD CVSS v4 calculator"
[cargo]: https://doc.rust-lang.org/cargo/
  "Rust package manager"
[podman]: https://podman.io/
  "Podman container management tool"
[docker]: https://docker.com/
  "Docker container management tool"
[api]: https://en.wikipedia.org/wiki/API
  "Application Programming Interface (API)"
[linter]: https://en.wikipedia.org/wiki/Lint_(software)
  "Static code analysis tool to catch common mistakes"
[src-v2-rs]: src/v2.rs
  "CVSS v2 parsing and scoring"
[src-v3-rs]: src/v3.rs
  "CVSS v3 parsing and scoring"
[src-v4-rs]: src/v4.rs
  "CVSS v4 parsing and scoring"
[nvd]: https://nvd.nist.gov/
  "National Vulnerability Database (NVD)"
[cvss-calcs]: https://github.com/pablotron/cvss-calcs
  "Generate random CVSS vector strings and score them"
[crates.io]: https://crates.io/
  "Rust package registry"
[docs-rs-polycvss]: https://docs.rs/polycvss
  "polycvss API documentation on docs.rs"
[crates-io-polycvss]: https://crates.io/crates/polycvss
  "polycvss on crates.io"
[serde]: https://serde.rs/
  "Rust serializing and deserializing framework"