
Commit b7ad794

authored
Fix: improve handling of malformed severity vectors. (#793)
* Fix: improve handling of malformed severity vectors. Ospd-openvas handles base metrics only. If there is any optional metric, the task fails. With this patch, the error is handled in a way that the task can continue. * Add: tests
1 parent 5b25f14 commit b7ad794


2 files changed

+39
-6
lines changed


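--- a/ospd/cvss.py
+++ b/ospd/cvss.py
@@ -17,9 +17,14 @@
 
 """ Common Vulnerability Scoring System handling class. """
 
+import logging
+
 import math
 from typing import List, Dict, Optional
 
+logger = logging.getLogger(__name__)
+
+
 CVSS_V2_METRICS = {
     'AV': {'L': 0.395, 'A': 0.646, 'N': 1.0},
     'AC': {'H': 0.35, 'M': 0.61, 'L': 0.71},
@@ -74,9 +79,13 @@ def cvss_base_v2_value(cls, cvss_base_vector: str) -> Optional[float]:
         if not cvss_base_vector:
             return None
 
-        _av, _ac, _au, _c, _i, _a = cls._parse_cvss_base_vector(
-            cvss_base_vector
-        )
+        try:
+            _av, _ac, _au, _c, _i, _a = cls._parse_cvss_base_vector(
+                cvss_base_vector
+            )
+        except ValueError:
+            logger.warning('Invalid severity vector %s', cvss_base_vector)
+            return None
 
         _impact = 10.41 * (
             1
@@ -109,9 +118,21 @@ def cvss_base_v3_value(cls, cvss_base_vector: str) -> Optional[float]:
         """
         if not cvss_base_vector:
             return None
-        _ver, _av, _ac, _pr, _ui, _s, _c, _i, _a = cls._parse_cvss_base_vector(
-            cvss_base_vector
-        )
+        try:
+            (
+                _ver,
+                _av,
+                _ac,
+                _pr,
+                _ui,
+                _s,
+                _c,
+                _i,
+                _a,
+            ) = cls._parse_cvss_base_vector(cvss_base_vector)
+        except ValueError:
+            logger.warning('Invalid severity vector %s', cvss_base_vector)
+            return None
 
         scope_changed = CVSS_V3_METRICS['S'].get(_s)
 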
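--- a/tests/test_cvss.py
+++ b/tests/test_cvss.py
@@ -35,3 +35,15 @@ def test_cvssv3(self):
         cvss_base = CVSS.cvss_base_v3_value(vector)
 
         self.assertEqual(cvss_base, 3.8)
+
+    def test_cvssv2_optional_metrics(self):
+        vector = 'AV:A/AC:L/Au:S/C:P/I:P/A:P/E:F'
+        cvss_base = CVSS.cvss_base_v2_value(vector)
+
+        self.assertEqual(cvss_base, None)
+
+    def test_cvssv3_optional_metrics(self):
+        vector = 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N/E:X'
+        cvss_base = CVSS.cvss_base_v3_value(vector)
+
+        self.assertEqual(cvss_base, None)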
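Review bot: Both new tests pin only the `None` return; the warning the fix emits is not asserted, so a regression that silently returns `None` without logging would still pass. Wrapping each call in `with self.assertLogs('ospd.cvss', level='WARNING'):` would cover it — the logger name is inferred from `logging.getLogger(__name__)` in ospd/cvss.py, so confirm the module path before relying on it. `self.assertIsNone(cvss_base)` reads better than `self.assertEqual(cvss_base, None)`. The commit title promises handling of malformed vectors in general, but only the extra-optional-metric case is exercised; a vector with too few fields (a truncated one) would be worth a case as well.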
