Support for CVSS v4 #32

Closed
0llirocks opened this issue Jun 21, 2023 · 10 comments · Fixed by #37

Comments

@0llirocks
Owner

CVSS v4 is currently planned for October 1, 2023.

This issue will document the implementation for this gem.

@0llirocks 0llirocks added this to the 3.2.0 milestone Jun 21, 2023
@0llirocks 0llirocks self-assigned this Jun 21, 2023
@0llirocks
Owner Author

Official publication date (planned) moved to October 31, 2023.

@bharat619

Hello @0llirocks ,
I hope you're doing well. I was wondering if you could share what the plan is for CVSS version 4? I'm curious to know about any updates or developments in this regard.
I am pretty new to the CVSS specifications, but if I could help you to contribute in any way on this I would be glad to.

@0llirocks
Owner Author

@bharat619 Thank you for your comment. I am planning to start the development after all feedback on the new standard has been addressed, which is currently planned for September 30.
Since the calculation changes completely for v4, I need to rewrite the calculation for the new version.

Feel free to open a pull request with your ideas, in the end the gem comes down to the calculation which is documented here. Currently the score is calculated in the score method. But I don't think that anything from v3 and v3.1 can be reused.

Since I haven't started yet, there is nothing I can provide you with.

Version 4 introduces a lot of new properties and attributes for the different scores, if you want to start simple, think about creating new test cases and how the new standard can be tested. What edge cases can occur? What else must be considered?

@kernelsmith

> Hello @0llirocks , I hope you're doing well. I was wondering if you could share what the plan is for CVSS version 4? I'm curious to know about any updates or developments in this regard. I am pretty new to the CVSS specifications, but if I could help you to contribute in any way on this I would be glad to.

@bharat619
https://www.first.org/cvss/v4-0/index.html
https://www.first.org/cvss/v4-0/cvss-v40-presentation.pdf
https://www.first.org/cvss/v4.0/specification-document

@0llirocks I've been involved with CVSS 4 recently and I know Ruby, so if you want any help, LMK the best way I can do so. I'll fork and see if there are any obvious PRs I can get going, but I won't be able to even look at it for a week. You'll be able to reuse some of the 3.x scoring method for base metrics

[image]

though a couple of metrics have gained or lost 1 possible value, but Attack Requirements (AT) is completely new. Otherwise, most of the expansion has happened in the supplemental and environmental metrics

[image]
[image]

So calculating the base score won't be bad, but calculating the full or partial (but not just base) scores is going to be mostly new and possibly a bit messy.

@0llirocks
Owner Author

@kernelsmith Thank you for your comment. Are you sure that I can reuse the base calculation? Maybe I misunderstood the new scoring but from my point of view, the scoring changed completely. I already recognised that the base metrics and most properties are similar, but the scoring changed from a function to macro vectors and interpolation. I would love to see a way to reuse my current code. If you have any idea, feel free to create a PR.
Besides that, I am still struggling to find the best way to get the level for each macro vector. Maybe regex? In some cases a simple if-else is sufficient, e.g. EQ2 or EQ5. But I am not sure about the other vectors.

@pandatix

Hey, FIRST.ORG CVSS SIG member and co-author of the CVSS v4.0 specification.
You can't reuse the previous CVSS scoring systems as we completely reworked it.

If you want help on how to implement it (because yes, it is way more complex than before for the sake of interpretability), maybe take a look at the official calculator source code from RedHat.
Bests, Lucas :)

@0llirocks
Owner Author

@pandatix Hello Lucas, thank you for your comment 👍 I just went through the RedHat code and I have to admit that the new calculation is much more complex than I thought. If it were just the calculation of the macro vectors, but all the Hamming distance stuff is new to me. I started copying the RedHat code from JS to Ruby but I currently do not have the time and motivation to understand the code. Since I will not publish code I do not understand, I will delay (not cancel) the implementation of CVSS v4 for now.

Maybe someone else (or future me) is willing to implement it for this gem.

@pandatix

pandatix commented Nov 12, 2023

No problem here, we also had trouble implementing the maths, and it took me two full weeks to understand it for https://github.com/pandatix/go-cvss 😉

Nevertheless, the Hamming distances were misleading and are vocabulary relics from another math option we dropped. It is currently defined as a "severity distance" and is more a Manhattan distance than a Hamming one (despite not being exactly true).

@0llirocks 0llirocks pinned this issue Nov 12, 2023
@brphelps
Contributor

👋 @0llirocks we over at GitHub utilize this library in some of our security advisory curation flows, and we're looking into adopting CVSS 4.0. Is there appetite for a contribution of CVSS 4.0 support back to this library? We're still in the evaluation phase, but we're thinking about looking at the implementation @pandatix laid out in go-cvss and porting the test suite + logic to a fork for PR, would that be welcome?

@0llirocks
Owner Author

Hello @brphelps, thank you so much for your comment. Hearing that this gem is used by GitHub gives me a huge motivation boost 😆

Any help is more than welcome. If you are willing to open a PR, let me know if there is anything I can do to make your life easier. I could e.g. help porting the test cases (at least). Feel free to implement it the way you want to; there's no need to create a copy of the CVSS 3 classes (other than keeping the compatibility). My plan was to release the CVSS 4 feature as 3.2.0 and therefore keep support for Ruby 2.6 (and release 4.0.0 right after without support for 2.6 and 2.7), but if you already need Ruby 3.0 for CVSS 4, feel free to do so.

Thank you for your (possible) help and keep up the good work over at GitHub!

@brphelps brphelps mentioned this issue May 1, 2024
@0llirocks 0llirocks linked a pull request May 4, 2024 that will close this issue
@0llirocks 0llirocks unpinned this issue Aug 4, 2024