---
slug: polycvss-v0.2.0
title: "polycvss v0.2.0"
date: "2025-10-04T03:15:48-04:00"
---
I just released [polycvss][] version 0.2.0.

[polycvss][] is a [Rust][] library to parse and score [CVSS][] vector
strings.

Features:

- [CVSS v2][doc-v2], [CVSS v3][doc-v3], and [CVSS v4][doc-v4] support.
- Version-agnostic parsing and scoring [API][].
- Memory efficient: Vectors are 8 bytes. Scores and severities are 1 byte.
- No dependencies by default except the standard library.
- Optional [serde][] integration via the `serde` build feature.
- Extensive tests: Tested against thousands of vectors and scores from
  the [NVD][] [CVSS][] calculators.

Here is an example tool which parses the first command-line argument as
a [CVSS][] vector string, then prints the score and severity:

```rust
use polycvss::{Err, Score, Severity, Vector};

fn main() -> Result<(), Err> {
  let args: Vec<String> = std::env::args().collect(); // get cli args

  if args.len() == 2 {
    let vec: Vector = args[1].parse()?; // parse string
    let score = Score::from(vec); // get score
    let severity = Severity::from(score); // get severity
    println!("{score} {severity}"); // print score and severity
  } else {
    let name = args.first().map_or("app", |s| s); // get app name
    eprintln!("Usage: {name} [VECTOR]"); // print usage
  }

  Ok(())
}
```
Here is the example tool output for a [CVSS v2][doc-v2] vector string, a
[CVSS v3][doc-v3] vector string, and a [CVSS v4][doc-v4] vector string:
```sh
# test with cvss v2 vector string
$ cvss-score "AV:A/AC:H/Au:N/C:C/I:C/A:C"
6.8 MEDIUM
# test with cvss v3 vector string
$ cvss-score "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
9.8 CRITICAL
# test with cvss v4 vector string
$ cvss-score "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H"
5.2 MEDIUM
```
This example tool is included in the [Git repository][] as
[`src/bin/cvss-score.rs`][cvss-score].
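To show where the `9.8 CRITICAL` result above comes from, here is an added example (not part of polycvss and not from the original post) that scores base-metrics-only CVSS v3.1 vectors with the base formulas and weights from the CVSS v3.1 specification, using only the standard library. The function names and the choice to return the score in tenths as a `u8` are assumptions made for this example.

```rust
use std::collections::HashMap;

// CVSS v3.1 Roundup (spec Appendix A), returned in tenths: 98 means 9.8.
fn roundup_tenths(x: f64) -> u8 {
    let i = (x * 100_000.0).round() as u64;
    if i % 10_000 == 0 { (i / 10_000) as u8 } else { (i / 10_000 + 1) as u8 }
}

// Look up the numeric weight for one metric value; unknown values are errors.
fn weight(value: &str, table: &[(&str, f64)]) -> Result<f64, String> {
    table.iter().find(|(k, _)| *k == value).map(|(_, w)| *w)
        .ok_or(format!("unknown metric value: {value}"))
}

// Base score in tenths for a base-metrics-only CVSS v3.1 vector.
fn base_score_tenths(vector: &str) -> Result<u8, String> {
    let rest = vector.strip_prefix("CVSS:3.1/").ok_or("missing CVSS:3.1 prefix")?;
    let mut m: HashMap<&str, &str> = HashMap::new();
    for part in rest.split('/') {
        let (k, v) = part.split_once(':').ok_or(format!("bad metric: {part}"))?;
        if m.insert(k, v).is_some() { return Err(format!("duplicate metric: {k}")); }
    }
    if m.len() != 8 { return Err("expected exactly the 8 base metrics".into()); }
    let get = |k: &str| m.get(k).copied().ok_or(format!("missing metric: {k}"));
    let changed = match get("S")? { "U" => false, "C" => true, v => return Err(format!("bad S: {v}")) };
    let av = weight(get("AV")?, &[("N", 0.85), ("A", 0.62), ("L", 0.55), ("P", 0.2)])?;
    let ac = weight(get("AC")?, &[("L", 0.77), ("H", 0.44)])?;
    // Privileges Required weights depend on whether scope is changed.
    let (pr_l, pr_h) = if changed { (0.68, 0.5) } else { (0.62, 0.27) };
    let pr = weight(get("PR")?, &[("N", 0.85), ("L", pr_l), ("H", pr_h)])?;
    let ui = weight(get("UI")?, &[("N", 0.85), ("R", 0.62)])?;
    let cia: [(&str, f64); 3] = [("H", 0.56), ("L", 0.22), ("N", 0.0)];
    let (c, i, a) = (weight(get("C")?, &cia)?, weight(get("I")?, &cia)?, weight(get("A")?, &cia)?);
    let iss: f64 = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);
    let impact: f64 = if changed { 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02).powi(15) } else { 6.42 * iss };
    if impact <= 0.0 { return Ok(0); }
    let total: f64 = impact + 8.22 * av * ac * pr * ui; // impact + exploitability
    Ok(roundup_tenths(if changed { (1.08 * total).min(10.0) } else { total.min(10.0) }))
}

fn severity(tenths: u8) -> &'static str {
    match tenths { 0 => "NONE", 1..=39 => "LOW", 40..=69 => "MEDIUM", 70..=89 => "HIGH", _ => "CRITICAL" }
}

fn main() {
    let v = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"; // v3 vector from the post
    let s = base_score_tenths(v).unwrap();
    println!("{}.{} {}", s / 10, s % 10, severity(s));
}
```

Vectors carrying temporal or environmental metrics, and v2 or v4 vectors, are rejected by this sketch rather than scored.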
### Links
- [polycvss Git repository][polycvss]
- [polycvss package on crates.io][crates-io-polycvss]
- [polycvss API Documentation on docs.rs][docs-rs-polycvss]

**Update (2025-10-12):** [polycvss v0.2.1][] released. Adds
[`polycvss::v4::Nomenclature`][v4-nomenclature], documentation
improvements, and misc fixes.

[html]: https://en.wikipedia.org/wiki/HTML
"HyperText Markup Language"
[rust]: https://rust-lang.org/
"Rust programming language."
[cvss]: https://www.first.org/cvss/
"Common Vulnerability Scoring System (CVSS)"
[doc-v2]: https://www.first.org/cvss/v2/guide
"CVSS v2.0 Documentation"
[doc-v3]: https://www.first.org/cvss/v3-1/specification-document
"CVSS v3.1 Specification"
[doc-v4]: https://www.first.org/cvss/v4-0/specification-document
"Common Vulnerability Scoring System (CVSS) version 4.0 Specification"
[bit-field]: https://en.wikipedia.org/wiki/Bit_field
"Bit field (Wikipedia)"
[cvss-score]: https://github.com/pablotron/polycvss/blob/main/src/bin/cvss-score.rs
"Example command-line tool which parses a CVSS vector and prints the score and severity to standard output."
[git repository]: https://github.com/pablotron/polycvss
"polycvss git repository"
[polycvss]: https://github.com/pablotron/polycvss
"polycvss Rust library"
[v2-calc]: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator
"NVD CVSS v2 calculator"
[v3-calc]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
"NVD CVSS v3 calculator"
[v4-calc]: https://nvd.nist.gov/site-scripts/cvss-v4-calculator-main/
"NVD CVSS v4 calculator"
[cargo]: https://doc.rust-lang.org/cargo/
"Rust package manager"
[podman]: https://podman.io/
"Podman container management tool"
[docker]: https://docker.com/
"Docker container management tool"
[api]: https://en.wikipedia.org/wiki/API
"Application Programming Interface (API)"
[linter]: https://en.wikipedia.org/wiki/Lint_(software)
"Static code analysis tool to catch common mistakes"
[src-v2-rs]: src/v2.rs
"CVSS v2 parsing and scoring"
[src-v3-rs]: src/v3.rs
"CVSS v3 parsing and scoring"
[src-v4-rs]: src/v4.rs
"CVSS v4 parsing and scoring"
[nvd]: https://nvd.nist.gov/
"National Vulnerability Database (NVD)"
[cvss-calcs]: https://github.com/pablotron/cvss-calcs
"Generate random CVSS vector strings and score them."
[crates.io]: https://crates.io/
"Rust package registry"
[docs-rs-polycvss]: https://docs.rs/polycvss
"polycvss API documentation on docs.rs"
[crates-io-polycvss]: https://crates.io/crates/polycvss
"polycvss on crates.io"
[serde]: https://serde.rs/
"Rust serializing and deserializing framework."
[polycvss v0.2.1]: https://github.com/pablotron/polycvss/releases/tag/0.2.1
"polycvss version 0.2.1"
[v4-nomenclature]: https://docs.rs/polycvss/latest/polycvss/v4/enum.Nomenclature.html
"polycvss::v4::Nomenclature documentation."