
A tiny JavaScript library to work with CVSS vectors


turingsecure/cvss.js

cvss.js by turingpoint.

A tiny library to work with CVSS vectors (v3.0, v3.1 and v4.0) in JavaScript. The Common Vulnerability Scoring System (CVSS) is a free and open standard. It is owned and managed by FIRST.Org.

Installation

Install the @turingpointde/cvss.js package:

# use yarn or npm
yarn add @turingpointde/cvss.js

Import the library to use it in your code:

const CVSS = require("@turingpointde/cvss.js");
// or
import CVSS from "@turingpointde/cvss.js";

You can also use the library directly from the CDN (instead of yarn or npm):

<script src="https://unpkg.com/@turingpointde/cvss.js@latest/dist/production.min.js"></script>

Usage

After importing the library, first call the CVSS function with the vector string as its parameter.

// Vector only with base score
const vector1 = CVSS("CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L");
// Vector with temporal score
const vector2 = CVSS(
    "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L/E:U/RL:T/RC:R"
);
// Vector with environmental score
const vector3 = CVSS(
    "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/CR:M/IR:H/AR:M/MAV:N/MAC:H/MPR:L/MUI:N/MS:C/MC:N/MI:L/MA:L"
);

It is also possible to pass in an object instead of a vector string:

const vectorObject = {
    CVSS: "3.0",
    AV: "N",
    AC: "H",
    PR: "H",
    UI: "R",
    S: "U",
    C: "H",
    I: "N",
    A: "N",
};

console.log(CVSS(vectorObject).vector); // "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N"

To get the scores, simply call the respective function.

// Create a vector
const vector = CVSS(
    "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/CR:M/IR:H/AR:M/MAV:N/MAC:H/MPR:L/MUI:N/MS:C/MC:N/MI:L/MA:L"
);

console.log(vector.getScore()); // 3.6
console.log(vector.getTemporalScore()); // 3.3
console.log(vector.getEnvironmentalScore()); // 5.1
console.log(vector.getImpactSubScore()); // 2.5
console.log(vector.getExploitabilitySubScore()); // 1

Sometimes it is useful to get the qualitative severity rating of a score:

const vector = CVSS("CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L");

console.log(vector.getRating()); // Medium
console.log(vector.getTemporalRating()); // Medium
console.log(vector.getEnvironmentalRating()); // Low

A few useful variables/functions to work with the vectors:

const vector = CVSS("CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L");

console.log(vector.isValid); // true
console.log(vector.vector); // CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
console.log(vector.getVersion()); // "3.0"

The following functions are suitable for displaying the vector in a human-readable form or for performing your own calculations with the vector:

const vector = CVSS(
    "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L/E:U/RL:T/RC:R/MAC:X/MUI:X/MA:X/MI:X"
);

console.log(vector.getVectorObject()); // { CVSS: "3.0", AV: "N", AC: "H", PR: "L", UI: "R", S: "C", C: "L", I: "L", A: "L", E: "U", RL: "T", RC: "R", CR: "X", IR: "X", AR: "X", MAV: "X", MAC: "X", MPR: "X", MUI: "X", MS: "X", MC: "X", MI: "X", MA: "X" }
console.log(vector.getCleanVectorString()); // "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L/E:U/RL:T/RC:R"
console.log(vector.getDetailedVectorObject()); // see spoiler below
Output of vector.getDetailedVectorObject:
  {
    CVSS: '3.0',
    metrics: {
      AV: {
        name: 'Attack Vector',
        abbr: 'AV',
        fullName: 'Attack Vector (AV)',
        value: 'Network',
        valueAbbr: 'N'
      },
      AC: {
        name: 'Attack Complexity',
        abbr: 'AC',
        fullName: 'Attack Complexity (AC)',
        value: 'High',
        valueAbbr: 'H'
      },
      PR: {
        name: 'Privileges Required',
        abbr: 'PR',
        fullName: 'Privileges Required (PR)',
        value: 'Low',
        valueAbbr: 'L'
      },
      UI: {
        name: 'User Interaction',
        abbr: 'UI',
        fullName: 'User Interaction (UI)',
        value: 'Required',
        valueAbbr: 'R'
      },
      S: {
        name: 'Scope',
        abbr: 'S',
        fullName: 'Scope (S)',
        value: 'Changed',
        valueAbbr: 'C'
      },
      C: {
        name: 'Confidentiality',
        abbr: 'C',
        fullName: 'Confidentiality (C)',
        value: 'Low',
        valueAbbr: 'L'
      },
      I: {
        name: 'Integrity',
        abbr: 'I',
        fullName: 'Integrity (I)',
        value: 'Low',
        valueAbbr: 'L'
      },
      A: {
        name: 'Availability',
        abbr: 'A',
        fullName: 'Availability (A)',
        value: 'Low',
        valueAbbr: 'L'
      },
      E: {
        name: 'Exploit Code Maturity',
        abbr: 'E',
        fullName: 'Exploit Code Maturity (E)',
        value: 'Unproven',
        valueAbbr: 'U'
      },
      RL: {
        name: 'Remediation Level',
        abbr: 'RL',
        fullName: 'Remediation Level (RL)',
        value: 'Temporary Fix',
        valueAbbr: 'T'
      },
      RC: {
        name: 'Report Confidence',
        abbr: 'RC',
        fullName: 'Report Confidence (RC)',
        value: 'Reasonable',
        valueAbbr: 'R'
      },
      MAC: {
        name: 'Modified Attack Complexity',
        abbr: 'MAC',
        fullName: 'Modified Attack Complexity (MAC)',
        value: 'Not Defined',
        valueAbbr: 'X'
      },
      MUI: {
        name: 'Modified User Interaction',
        abbr: 'MUI',
        fullName: 'Modified User Interaction (MUI)',
        value: 'Not Defined',
        valueAbbr: 'X'
      },
      MA: {
        name: 'Modified Availability',
        abbr: 'MA',
        fullName: 'Modified Availability (MA)',
        value: 'Not Defined',
        valueAbbr: 'X'
      },
      MI: {
        name: 'Modified Integrity',
        abbr: 'MI',
        fullName: 'Modified Integrity (MI)',
        value: 'Not Defined',
        valueAbbr: 'X'
      }
    }
  }

To update a vector's metric:

const vector = CVSS(
    "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/RL:X/RC:X"
).updateVectorValue("AV", "L");
console.log(vector); // "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
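The sections above show what the library returns for a vector but not how those numbers come about. The following is an added example, not cvss.js's own code: a small CVSS v3.0/v3.1 calculator written from the FIRST CVSS v3.1 specification that reproduces the behaviour of isValid, getScore(), getTemporalScore(), getImpactSubScore(), getExploitabilitySubScore(), getRating(), getCleanVectorString() and updateVectorValue() on the README's own vectors. The function names (parseVector, scoreVector, rating, toCleanVectorString, updateMetric) are this example's, not the library's, and environmental scoring is deliberately left out. Environmental metrics are still validated and serialised so that the full vectors above parse.

```javascript
// Added example, not cvss.js's own code: a CVSS v3.0/v3.1 base and temporal
// calculator written from the FIRST v3.1 specification. Function names here
// are this example's own; environmental scoring is left out.

// Numeric weights from the specification. PR depends on Scope: [S:U, S:C].
const WEIGHTS = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  PR: { N: [0.85, 0.85], L: [0.62, 0.68], H: [0.27, 0.5] },
  UI: { N: 0.85, R: 0.62 },
  S: { U: 0, C: 1 },
  C: { H: 0.56, L: 0.22, N: 0 },
  I: { H: 0.56, L: 0.22, N: 0 },
  A: { H: 0.56, L: 0.22, N: 0 },
  // Temporal metrics; X ("Not Defined") weighs 1.0.
  E: { X: 1, H: 1, F: 0.97, P: 0.94, U: 0.91 },
  RL: { X: 1, U: 1, W: 0.97, T: 0.96, O: 0.95 },
  RC: { X: 1, C: 1, R: 0.96, U: 0.92 },
};
// Environmental metrics: validated and serialised here, but not scored.
const ENV_VALUES = {
  CR: "XLMH", IR: "XLMH", AR: "XLMH", MAV: "XNALP", MAC: "XLH", MPR: "XNLH",
  MUI: "XNR", MS: "XUC", MC: "XNLH", MI: "XNLH", MA: "XNLH",
};
const BASE_METRICS = ["AV", "AC", "PR", "UI", "S", "C", "I", "A"];
const ORDER = [...BASE_METRICS, "E", "RL", "RC", ...Object.keys(ENV_VALUES)];
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// hasOwnProperty rather than `in`, so "AV:constructor" is not a valid value.
function isKnownValue(metric, value) {
  if (own(WEIGHTS, metric)) return own(WEIGHTS[metric], value);
  return own(ENV_VALUES, metric) && value.length === 1 && ENV_VALUES[metric].includes(value);
}

// Parse "CVSS:3.1/AV:N/..." into { CVSS, AV, ... }; throws on anything malformed,
// so a bad vector can never silently score as 0.
function parseVector(vectorString) {
  const [header, ...parts] = String(vectorString).split("/");
  const m = /^CVSS:(3\.[01])$/.exec(header);
  if (!m) throw new Error(`unsupported or missing version header: ${header}`);
  const vector = { CVSS: m[1] };
  for (const part of parts) {
    const [metric, value, ...rest] = part.split(":");
    if (value === undefined || rest.length || !isKnownValue(metric, value)) {
      throw new Error(`invalid metric component: ${part}`);
    }
    if (own(vector, metric)) throw new Error(`duplicate metric: ${metric}`);
    vector[metric] = value;
  }
  for (const metric of BASE_METRICS) {
    if (!own(vector, metric)) throw new Error(`missing base metric: ${metric}`);
  }
  return vector;
}
function isValidVector(s) { try { parseVector(s); return true; } catch { return false; } }

// Roundup from CVSS v3.1 Appendix A; integer arithmetic avoids floating-point
// artefacts such as 4.000000001 rounding up to 4.1.
function roundUp(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

function scoreVector(vectorString) {
  const v = parseVector(vectorString);
  const changed = v.S === "C";
  const iss = 1 - (1 - WEIGHTS.C[v.C]) * (1 - WEIGHTS.I[v.I]) * (1 - WEIGHTS.A[v.A]);
  const impact = changed ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15) : 6.42 * iss;
  const exploitability = 8.22 * WEIGHTS.AV[v.AV] * WEIGHTS.AC[v.AC] *
    WEIGHTS.PR[v.PR][WEIGHTS.S[v.S]] * WEIGHTS.UI[v.UI];
  let base = 0;
  if (impact > 0) {
    const sum = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
    base = roundUp(Math.min(sum, 10));
  }
  // Temporal score: base times E, RL and RC; absent temporal metrics count as X.
  const temporal = roundUp(base * WEIGHTS.E[v.E ?? "X"] * WEIGHTS.RL[v.RL ?? "X"] * WEIGHTS.RC[v.RC ?? "X"]);
  return {
    base, temporal,
    // Sub-scores rounded to one decimal for display, as in the README output.
    impactSubScore: Math.round(impact * 10) / 10,
    exploitabilitySubScore: Math.round(exploitability * 10) / 10,
  };
}

// Qualitative severity rating, v3.1 specification section 5.
function rating(score) {
  if (score === 0) return "None";
  return score < 4 ? "Low" : score < 7 ? "Medium" : score < 9 ? "High" : "Critical";
}

// Canonical order with "Not Defined" (X) metrics dropped, like getCleanVectorString().
function toCleanVectorString(vector) {
  const metrics = ORDER.filter((k) => own(vector, k) && vector[k] !== "X").map((k) => `${k}:${vector[k]}`);
  return [`CVSS:${vector.CVSS}`, ...metrics].join("/");
}

// Validated metric update returning the clean string, like updateVectorValue().
function updateMetric(vectorString, metric, value) {
  const v = parseVector(vectorString);
  if (!isKnownValue(metric, value)) throw new Error(`invalid metric ${metric}:${value}`);
  v[metric] = value;
  return toCleanVectorString(v);
}
```

Two design points matter when a calculator like this feeds a vulnerability-management pipeline. First, the parser rejects rather than defaults: an unknown metric, a missing base metric or a duplicate throws, so a truncated or mistyped vector cannot be recorded as a score of 0 and fall below a triage threshold. Second, lookups use hasOwnProperty, because a plain `in` check would accept inherited property names such as `constructor` as metric values and then produce NaN scores. The Roundup function is the v3.1 definition; v3.0 defines Roundup as rounding up to one decimal place, which gives the same result except in floating-point corner cases, and the README's v3.0 examples above (4.4/Medium, 3.6, 3.3, 2.5, 1) all reproduce with it.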

Contributing

Contributions, issues and feature requests are welcome. Feel free to check out the issues page if you want to contribute.

License

Copyright © 2024 turingpoint GmbH. This project is MIT licensed.