add CVSS 3.1 temporalMetrics and environmentalMetrics #322

dancewithheart wants to merge 9 commits into haskell:main from
blackheaven left a comment:
Thanks for your contribution.
Two small adjustments, and I think I have spotted a bug; can you have a look, please?
```haskell
  , ("AV:N/AC:M/Au:N/C:P/I:N/A:N", 4.3, CVSS.Medium)
  , ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X"
    , 9.8, CVSS.Critical)
  , ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:R", 9.8, CVSS.Critical)
```
Suggested change:

```diff
-  , ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:R", 9.8, CVSS.Critical)
+  , ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:R", 8.7, CVSS.Critical)
```
Using https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator, the formula should actually be Roundup(9.8 x 0.97 x 0.95 x 0.96) = 8.7 (High).
Right, what you describe is the formula for the temporal score:

    Roundup(BaseScore × ExploitCodeMaturity × RemediationLevel × ReportConfidence)

and it gives 8.7.
The current value 9.8 is a correct calculation of the base score. I wanted to show an example of the current behavior, and I was not sure whether I should add temporalScore, environmentalScore and modify cvssScore in this PR.
I looked around; it looks like the overall score, not the base score, is used:

```
cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:R'}
Score: 8 High
computations:
CVSS Base Score: 9.0
Impact Subscore: 6.0
Exploitability Subscore: 2.2
CVSS Temporal Score: 8.0
CVSS Environmental Score: NA
Modified Impact Subscore: NA
Overall CVSS Score: 8.0
```

```
SCORE 6.7
SEVERITY MEDIUM
VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:F/RL:O/RC:R
computations:
CVSS Base Score: 7.5
Impact Subscore: 3.6
Exploitability Subscore: 3.9
CVSS Temporal Score: 6.7
CVSS Environmental Score: NA
Modified Impact Subscore: NA
Overall CVSS Score: 6.7
```

I think the design should be:

```haskell
cvss31baseScore :: [Metric] -> (Rating, Float) -- current cvss31score
cvss31temporalScore :: [Metric] -> (Rating, Float)
cvss31environmentalScore :: [Metric] -> (Rating, Float)
```

Then `cvss31score` could be computed as `cvss31environmentalScore` if present, otherwise `cvss31temporalScore` if present, otherwise `cvss31baseScore`.

And then the tests will expect (8.7, High).
```haskell
gm :: Text -> Float
gm = getMetricValue cvss31 metrics scope
```
```haskell
-- FUTUREWORK: The 'scope' parameter is always the base Scope metric. Once
-- environmental scoring is implemented, Modified Privileges Required (MPR)
-- use Modified Scope (MS) instead of base Scope per spec Section 4.2:
-- "if Scope / Modified Scope is Changed". The caller (or this function) will
-- need to resolve MS when looking up scope-dependent values for MPR.
```
Added this comment.

Co-authored-by: Gautier DI FOLCO <gautier.difolco@gmail.com>
Added computing EnvironmentalScore and TemporalScore

Fix #226

- `CVSS.parseCVSS` and `CVSS.cvssVectorString`
- `cvssScore` is not changed
- Many environmental metrics are modified base metrics - I reused code - hence lots of changes.
Advisory
hsec-tools