cvss-draft
v0.0.1
Published
cvss
The Common Vulnerability Scoring System (CVSS) base score calculator and validator library written in TypeScript.
Basics 🧾
CVSS produces a numerical score that indicates the severity of a vulnerability, derived from its principal technical characteristics; the score lets a vulnerability be ranked relative to other vulnerabilities.
A CVSS v3 vector string begins with the label CVSS: followed by the numeric version (e.g. CVSS:3.1). After the version it contains a set of /-separated CVSS metrics. Each metric consists of an abbreviated name and an abbreviated value separated by ':' (e.g. AV:N).
Sample
Sample CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Current library limitations 🚧
The CVSS specification defines three metric groups: Base, Temporal, and Environmental. Only Base metrics are supported by this library for now.
Supported CVSS versions: 3.0 and 3.1.
Install 🚀
npm i --save @neuralegion/cvss
API
calculateBaseScore(cvssString): number
Calculates the Base Score from a vector string. The score depends on the sub-formulas for the Impact Sub-Score (ISS), Impact, and Exploitability, exposed separately below.
calculateIss(metricsMap): number
Calculates the Impact Sub-Score (ISS) from the C, I and A metrics.
calculateImpact(metricsMap, iss): number
Calculates Impact from the ISS and the Scope (S) metric.
calculateExploitability(metricsMap): number
Calculates Exploitability from the AV, AC, PR and UI metrics.
validate(cvssString): void
Throws an Error if the given CVSS string is either invalid or unsupported.
The Error carries a verbose message with the details. Sample error messages:
- CVSS vector must start with "CVSS:"
- Invalid CVSS string. Example: CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
- Unsupported CVSS version: 2.0. Only 3.0 and 3.1 are supported
- Duplicated metric: "AC:L"
- Missing mandatory CVSS base metric C (Confidentiality)
- Unknown CVSS metric "X". Allowed metrics: AV, AC, PR, UI, S, C, I, A
- Invalid value for CVSS metric PR (Privileges Required): Y. Allowed values: N (None), L (Low), H (High)
humanizeBaseMetric(metric)
Returns the un-abbreviated metric name, e.g. 'Confidentiality' for input 'C'.
humanizeBaseMetricValue(value, metric)
Returns the un-abbreviated metric value, e.g. 'Network' for value 'N' of metric 'AV'.
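The following is an added example, not the library's own code: a self-contained TypeScript implementation of the same pipeline the API above describes, parsing and validating a v3.0/v3.1 base vector (raising the same kinds of errors the validate section lists) and then computing ISS, Impact, Exploitability and the rounded Base Score with the weights and formulas of the CVSS v3.1 specification. The names parseVector and roundUp, and the shape of the metrics map, are this example's own choices and are not claimed to match the library's internals.

```typescript
// Added example (not @neuralegion/cvss code): CVSS v3.x base-score calculation from the spec.
type Metric = 'AV' | 'AC' | 'PR' | 'UI' | 'S' | 'C' | 'I' | 'A';
type Metrics = Record<Metric, string>;

const NAMES: Record<Metric, string> = {
  AV: 'Attack Vector', AC: 'Attack Complexity', PR: 'Privileges Required', UI: 'User Interaction',
  S: 'Scope', C: 'Confidentiality', I: 'Integrity', A: 'Availability',
};
const ALLOWED: Record<Metric, readonly string[]> = {
  AV: ['N', 'A', 'L', 'P'], AC: ['L', 'H'], PR: ['N', 'L', 'H'], UI: ['N', 'R'],
  S: ['U', 'C'], C: ['H', 'L', 'N'], I: ['H', 'L', 'N'], A: ['H', 'L', 'N'],
};
const ORDER = Object.keys(ALLOWED) as Metric[];
const SUPPORTED_VERSIONS = ['3.0', '3.1'];

// Numerical weights from the CVSS v3.1 specification tables.
const W_AV: Record<string, number> = { N: 0.85, A: 0.62, L: 0.55, P: 0.2 };
const W_AC: Record<string, number> = { L: 0.77, H: 0.44 };
const W_UI: Record<string, number> = { N: 0.85, R: 0.62 };
const W_CIA: Record<string, number> = { H: 0.56, L: 0.22, N: 0 };
// Privileges Required weight depends on Scope: [Scope Unchanged, Scope Changed].
const W_PR: Record<string, [number, number]> = { N: [0.85, 0.85], L: [0.62, 0.68], H: [0.27, 0.5] };

// Parses "CVSS:<version>/<name>:<value>/..." and rejects malformed, duplicated,
// missing or unknown metrics, mirroring the validation errors listed above.
function parseVector(vector: string): { version: string; metrics: Metrics } {
  if (!vector.startsWith('CVSS:')) throw new Error('CVSS vector must start with "CVSS:"');
  const [head, ...parts] = vector.split('/');
  const version = head.slice('CVSS:'.length);
  if (!SUPPORTED_VERSIONS.includes(version)) {
    throw new Error(`Unsupported CVSS version: ${version}. Only 3.0 and 3.1 are supported`);
  }
  const metrics: Partial<Metrics> = {};
  for (const part of parts) {
    const pieces = part.split(':');
    if (pieces.length !== 2) throw new Error(`Invalid CVSS string: malformed metric "${part}"`);
    const [name, value] = pieces;
    if (!ORDER.includes(name as Metric)) {
      throw new Error(`Unknown CVSS metric "${name}". Allowed metrics: ${ORDER.join(', ')}`);
    }
    const m = name as Metric;
    if (metrics[m] !== undefined) throw new Error(`Duplicated metric: "${part}"`);
    if (!ALLOWED[m].includes(value)) {
      throw new Error(`Invalid value for CVSS metric ${m} (${NAMES[m]}): ${value}. Allowed values: ${ALLOWED[m].join(', ')}`);
    }
    metrics[m] = value;
  }
  for (const m of ORDER) {
    if (metrics[m] === undefined) throw new Error(`Missing mandatory CVSS base metric ${m} (${NAMES[m]})`);
  }
  return { version, metrics: metrics as Metrics };
}

// Round-up differs between versions: v3.0 rounds up to one decimal directly,
// v3.1 first scales to an integer to avoid floating-point artefacts.
function roundUp(x: number, version: string): number {
  if (version === '3.0') return Math.ceil(x * 10) / 10;
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

// ISS = 1 - [(1 - C) * (1 - I) * (1 - A)]
function calculateIss(m: Metrics): number {
  return 1 - (1 - W_CIA[m.C]) * (1 - W_CIA[m.I]) * (1 - W_CIA[m.A]);
}

// Impact = 6.42 * ISS (Scope Unchanged) or 7.52 * (ISS - 0.029) - 3.25 * (ISS - 0.02)^15 (Changed)
function calculateImpact(m: Metrics, iss: number): number {
  return m.S === 'U' ? 6.42 * iss : 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15);
}

// Exploitability = 8.22 * AV * AC * PR * UI
function calculateExploitability(m: Metrics): number {
  const pr = W_PR[m.PR][m.S === 'C' ? 1 : 0];
  return 8.22 * W_AV[m.AV] * W_AC[m.AC] * pr * W_UI[m.UI];
}

// Base Score: 0 if Impact <= 0, else Roundup(min(Impact + Exploitability, 10)),
// with the sum scaled by 1.08 when Scope is Changed.
function calculateBaseScore(vector: string): number {
  const { version, metrics } = parseVector(vector);
  const impact = calculateImpact(metrics, calculateIss(metrics));
  if (impact <= 0) return 0;
  const exploitability = calculateExploitability(metrics);
  const raw = metrics.S === 'U' ? impact + exploitability : 1.08 * (impact + exploitability);
  return roundUp(Math.min(raw, 10), version);
}

// Sample vector from this README; prints 3.8.
console.log('score:', calculateBaseScore('CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'));
```

The two round-up routines are worth noting: v3.0 and v3.1 define Roundup differently, and a calculator that applies the v3.0 ceil to a v3.1 vector can be off by 0.1 in the rare cases where the floating-point sum lands just above a tenth boundary.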
Usage
The import specifier must match the package name you installed; the Install section above installs it as @neuralegion/cvss, while the snippets below use cvss.
ES modules (TypeScript or a bundler):
import { calculateBaseScore } from 'cvss';
console.log('score: ', calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'));
CommonJS:
const cvss = require('cvss');
console.log(cvss.calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'));
Native ES modules in Node, from a usage.mjs file:
import cvss from 'cvss';
console.log(cvss.calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'));
Run it with: node --experimental-modules ./usage.mjs (the flag is only needed on older Node releases; current releases load .mjs files without it).
Browser, UMD bundle (exposes a global cvss object):
<script src="./node_modules/cvss/dist/bundle.umd.js"></script>
<script>
alert(`Score: ${cvss.calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N')}`);
</script>
Browser, ES module bundle:
<script type="module">
import { calculateBaseScore } from './node_modules/cvss/dist/bundle.es.js';
alert(`Score: ${calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N')}`);
</script>
Development 🛠
Issues and pull requests are highly welcome. 👍
Please don't forget to lint (npm run lint) and test (npm t) the code.
License
Copyright © 2020 NeuraLegion.
This project is licensed under the MIT License - see the LICENSE file for details.