Documentation ¶
Overview ¶
Package cvss implements v2.0, v3.0, v3.1, and v4.0 CVSS vectors and scoring.
The primary purpose of this package is to parse CVSS vectors, then use the parsed representation to calculate the numerical score and to produce the canonicalized form of the vector.
CVSS v2.0 ¶
Metrics and scoring are implemented as laid out in the v2.0 specification.
CVSS v3.0 ¶
Metrics and scoring are implemented as laid out in the v3.0 specification.
CVSS v3.1 ¶
Metrics and scoring are implemented as laid out in the v3.1 specification.
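Worked example of the v3.1 base scoring described above, added here as a self-contained Go program; it is not code from this package. It parses the base metrics of a v3.1 vector (in any order, rejecting malformed input the way this package signals with ErrMalformedVector), applies the specification's Impact, Exploitability and Roundup equations, and maps the result to the qualitative band that QualitativeScore uses for v3.x. The metric weights and equations are the specification's; the names ParseV3Base, BaseScore, Roundup, Qualitative and ScoreV3 and the sample vectors are this example's own.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Base metric weights from the v3.1 specification (section 7.4), keyed by
// abbreviation. S has no weight and is listed only so the parser validates it.
var cia = map[string]float64{"H": 0.56, "L": 0.22, "N": 0}
var weights = map[string]map[string]float64{
	"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
	"AC": {"L": 0.77, "H": 0.44},
	"PR": {"N": 0.85, "L": 0.62, "H": 0.27}, // Scope Unchanged; see prChanged
	"UI": {"N": 0.85, "R": 0.62},
	"S":  {"U": 0, "C": 0},
	"C":  cia, "I": cia, "A": cia,
}
var prChanged = map[string]float64{"N": 0.85, "L": 0.68, "H": 0.5} // PR when Scope is Changed

// Roundup is the v3.1 rounding function (specification appendix A). Scaling to
// an integer first means 4.000000000000001 gives 4.0, not 4.1.
func Roundup(x float64) float64 {
	i := int64(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000.0
	}
	return float64(i/10000+1) / 10.0
}

// ParseV3Base parses the base metrics of a v3.1 vector, in any order, into a
// metric->value map. A bad prefix, unknown metric or value, duplicate, or
// missing metric is an error; Temporal/Environmental metrics are not handled.
func ParseV3Base(vec string) (map[string]string, error) {
	parts := strings.Split(vec, "/")
	if parts[0] != "CVSS:3.1" {
		return nil, fmt.Errorf("malformed vector: bad prefix %q", parts[0])
	}
	m := make(map[string]string, len(weights))
	for _, p := range parts[1:] {
		k, v, ok := strings.Cut(p, ":")
		if _, known := weights[k][v]; !ok || !known {
			return nil, fmt.Errorf("malformed vector: unknown metric or value %q", p)
		}
		if _, dup := m[k]; dup {
			return nil, fmt.Errorf("malformed vector: duplicate metric %q", k)
		}
		m[k] = v
	}
	for k := range weights {
		if _, ok := m[k]; !ok {
			return nil, fmt.Errorf("malformed vector: missing metric %s", k)
		}
	}
	return m, nil
}

// BaseScore applies the v3.1 base score equations (specification section 7.1).
func BaseScore(m map[string]string) float64 {
	changed := m["S"] == "C"
	iss := 1 - (1-cia[m["C"]])*(1-cia[m["I"]])*(1-cia[m["A"]])
	impact, pr := 6.42*iss, weights["PR"][m["PR"]]
	if changed {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
		pr = prChanged[m["PR"]]
	}
	expl := 8.22 * weights["AV"][m["AV"]] * weights["AC"][m["AC"]] * pr * weights["UI"][m["UI"]]
	switch {
	case impact <= 0:
		return 0
	case changed:
		return Roundup(math.Min(1.08*(impact+expl), 10))
	}
	return Roundup(math.Min(impact+expl, 10))
}

// Qualitative maps a score to the severity band v3.x and v4.0 define.
func Qualitative(score float64) string {
	switch {
	case score == 0:
		return "None"
	case score < 4:
		return "Low"
	case score < 7:
		return "Medium"
	case score < 9:
		return "High"
	}
	return "Critical"
}

// ScoreV3 parses a v3.1 vector and returns its base score and severity.
// Example (constructed vector): "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
// returns 5.4, "Medium".
func ScoreV3(vec string) (float64, string, error) {
	m, err := ParseV3Base(vec)
	if err != nil {
		return 0, "", err
	}
	s := BaseScore(m)
	return s, Qualitative(s), nil
}
```

The Roundup step is the part most often skipped in home-grown scorers. v3.1 replaced v3.0's "round up to one decimal place" wording with the integer-scaled function above because the float form yields 4.1 for 4.000000000000001 on some platforms; a 0.1 disagreement with the reference calculator is enough to move a score across a severity band boundary.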
CVSS v4.0 ¶
Metrics and scoring are implemented as laid out in the v4.0 specification. The metric ordering emitted is the one specified in revision 1.1 of the specification, not revision 1.0.
The v4 scoring system is very complicated and under-specified. This package's implementation is built to mirror the JavaScript implementation wherever the specification is unclear.
There are outstanding issues in the specification as of 2024-01-02; see the "Bugs" section of this documentation for details.
Constants ¶
const ValueInvalid = Value(255)
ValueInvalid is reported when the packed representation in a Vector is invalid.
const ValueUnset = Value(0)
ValueUnset is reported when the packed representation in a Vector is not set.
Methods returning values may translate this into a specification-defined Unset/Not Defined/Undefined Value.
Variables ¶
var ErrMalformedVector = errors.New("malformed vector")
ErrMalformedVector is reported when a vector is invalid in some way.
Functions ¶
func UnparseV2Value ¶
UnparseV2Value unpacks the Value v into the specification's abbreviation.
Invalid values are returned as-is.
Types ¶
type Qualitative ¶
type Qualitative int
Qualitative is the "Qualitative Severity" of a Vector.
const (
	None Qualitative = iota
	Low
	Medium
	High
	Critical
)
The specified qualitative severities.
func QualitativeScore ¶
func QualitativeScore[M Metric, V Vector[M]](v V) (q Qualitative)
QualitativeScore returns the qualitative severity of the provided Vector "v".
The v2.0 specification defines no qualitative severity mapping; for v2 vectors the mapping defined for v3.x and v4.0 is applied (None 0.0, Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0).
func (Qualitative) String ¶
func (i Qualitative) String() string
type V2 ¶
type V2 struct {
// contains filtered or unexported fields
}
V2 is a CVSS version 2 score.
func (*V2) Environmental ¶
Environmental reports if the vector has "Environmental" metrics.
func (*V2) MarshalText ¶
MarshalText implements encoding.TextMarshaler.
func (*V2) String ¶
String implements fmt.Stringer.
Calling this method on an invalid instance results in an invalid vector string.
func (*V2) UnmarshalText ¶
UnmarshalText implements encoding.TextUnmarshaler.
type V2Metric ¶
type V2Metric int
V2Metric is a metric in a v2 vector.
const (
	V2AccessVector V2Metric = iota // AV
	V2AccessComplexity             // AC
	V2Authentication               // Au
	V2Confidentiality              // C
	V2Integrity                    // I
	V2Availability                 // A
	V2Exploitability               // E
	V2RemediationLevel             // RL
	V2ReportConfidence             // RC
	V2CollateralDamagePotential    // CDP
	V2TargetDistribution           // TD
	V2ConfidentialityRequirement   // CR
	V2IntegrityRequirement         // IR
	V2AvailabilityRequirement      // AR
)
These are the metrics defined in the specification.
type V3 ¶
type V3 struct {
// contains filtered or unexported fields
}
V3 is a CVSS version 3 score.
func (*V3) Environmental ¶
Environmental reports if the vector has "Environmental" metrics.
func (*V3) MarshalText ¶
MarshalText implements encoding.TextMarshaler.
func (*V3) Score ¶
Score implements Vector.
The reported score is always the "Temporal" score. Because Temporal metrics default to Not Defined (X), which weights as 1.0, this equals the Base score when no Temporal metrics are set. When Environmental metrics are present, the "Environmental" equations are used instead.
func (*V3) String ¶
String implements fmt.Stringer.
Calling this method on an invalid instance results in an invalid vector string.
func (*V3) UnmarshalText ¶
UnmarshalText implements encoding.TextUnmarshaler.
type V3Metric ¶
type V3Metric int
V3Metric is a metric in a v3 vector.
const (
	V3AttackVector V3Metric = iota // AV
	V3AttackComplexity             // AC
	V3PrivilegesRequired           // PR
	V3UserInteraction              // UI
	V3Scope                        // S
	V3Confidentiality              // C
	V3Integrity                    // I
	V3Availability                 // A
	V3ExploitMaturity              // E
	V3RemediationLevel             // RL
	V3ReportConfidence             // RC
	V3ConfidentialityRequirement   // CR
	V3IntegrityRequirement         // IR
	V3AvailabilityRequirement      // AR
	V3ModifiedAttackVector         // MAV
	V3ModifiedAttackComplexity     // MAC
	V3ModifiedPrivilegesRequired   // MPR
	V3ModifiedUserInteraction      // MUI
	V3ModifiedScope                // MS
	V3ModifiedConfidentiality      // MC
	V3ModifiedIntegrity            // MI
	V3ModifiedAvailability         // MA
)
These are the metrics defined in the specification.
type V4 ¶
type V4 struct {
// contains filtered or unexported fields
}
V4 is a CVSS version 4 score.
func (*V4) Environmental ¶
Environmental reports if the vector has "Environmental" metrics.
func (*V4) MarshalText ¶
MarshalText implements encoding.TextMarshaler.
func (*V4) Score ¶
Score implements Vector.
Unlike V2.Score and V3.Score, there is no set of distinct Base, Temporal and Environmental scores for a v4 vector; the specification defines a single score, and any Threat and Environmental metrics present feed that one calculation.
func (*V4) String ¶
String implements fmt.Stringer.
Calling this method on an invalid instance results in an invalid vector string.
func (*V4) Supplemental ¶
Supplemental reports if the vector has "Supplemental" metrics.
func (*V4) UnmarshalText ¶
UnmarshalText implements encoding.TextUnmarshaler.
type V4Metric ¶
type V4Metric int
V4Metric is a metric in a v4 vector.
const (
	V4AttackVector V4Metric = iota             // AV
	V4AttackComplexity                         // AC
	V4AttackRequirements                       // AT
	V4PrivilegesRequired                       // PR
	V4UserInteraction                          // UI
	V4VulnerableSystemConfidentiality          // VC
	V4VulnerableSystemIntegrity                // VI
	V4VulnerableSystemAvailability             // VA
	V4SubsequentSystemConfidentiality          // SC
	V4SubsequentSystemIntegrity                // SI
	V4SubsequentSystemAvailability             // SA
	V4ExploitMaturity                          // E
	V4ConfidentialityRequirement               // CR
	V4IntegrityRequirement                     // IR
	V4AvailabilityRequirement                  // AR
	V4ModifiedAttackVector                     // MAV
	V4ModifiedAttackComplexity                 // MAC
	V4ModifiedAttackRequirements               // MAT
	V4ModifiedPrivilegesRequired               // MPR
	V4ModifiedUserInteraction                  // MUI
	V4ModifiedVulnerableSystemConfidentiality  // MVC
	V4ModifiedVulnerableSystemIntegrity        // MVI
	V4ModifiedVulnerableSystemAvailability     // MVA
	V4ModifiedSubsequentSystemConfidentiality  // MSC
	V4ModifiedSubsequentSystemIntegrity        // MSI
	V4ModifiedSubsequentSystemAvailability     // MSA
	V4Safety                                   // S
	V4Automatable                              // AU
	V4Recovery                                 // R
	V4ValueDensity                             // V
	V4VulnerabilityResponseEffort              // RE
	V4ProviderUrgency                          // U
)
These are the metrics defined in the specification.
type Value ¶
type Value byte
Value is a "packed" representation of the value of a metric.
When possible, this is the first byte of the abbreviated form in the relevant specification. That is not possible for v2 vectors, where several abbreviations of the same metric share a first byte (for example "N" for None and "ND" for Not Defined in Target Distribution), so callers must use UnparseV2Value to recover the abbreviation of a v2 value.
type Vector ¶
type Vector[M Metric] interface {
	encoding.TextUnmarshaler
	encoding.TextMarshaler
	fmt.Stringer
	// Get reports the Value for the supplied Metric.
	//
	// V2 vectors require calling [UnparseV2Value] to convert the value to the
	// spec-defined abbreviation.
	Get(M) Value
	// Score reports the score for the Vector. The exact formula used depends on
	// what metrics are present.
	Score() float64
	// Environmental reports if the vector contains environmental metrics.
	Environmental() bool
	// contains filtered or unexported methods
}
Vector is a CVSS vector of any version.
Notes ¶
Bugs ¶
The specification's scoring algorithm refers to the value "Safety (S)" for the "Integrity Impact to the Subsequent System (SI)" and "Availability Impact to the Subsequent System (SA)" metrics. That value is only defined for "Modified Subsequent System Integrity (MSI)" and "Modified Subsequent System Availability (MSA)", so it is not accepted as input for SI or SA.