npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

vuln-vects

v1.1.0

Published

A powerful, flexible CVSS parser, calculator and validator written for JavaScript/TypeScript.

Downloads

571,257

Readme

Vuln/Vects

CI

A powerful, flexible CVSS parser, calculator and validator written for JavaScript/TypeScript.

Logo

Overview

Vuln/Vects is a library written in TypeScript, targeting JavaScript (server-side Node.js or browser) that aims to provide all the generation, validation, scoring and manipulation functionality you could ever need when working with CVSS (common vulnerability scoring system) vectors of any version. CVSS v2, v3.0 and v3.1 are currently supported.

Installing

Installing the project is very straightforward via npm:

npm install --save vuln-vects

If you're working in TypeScript and need type annotations etc. you might also want to run:

npm install --save @types/vuln-vects

Building

It's only necessary to build the project if you're doing development work on it. There's no need to do so if you're just installing it to use as a library. Ensure that Node.js v14.x and npm is installed and run:

npm run build

Build output is to /dist. To build accompanying documentation, you need the following command:

npm run docs

Documentation is generated using TypeDoc and rendered as HTML to /docs/api.

Bundling

You'll need to bundle the library if you want to use it in-browser (remember to build it first):

npm run build && npm run bundle

This will give you a single file in /bundle that you can import into your webpages (see Usage section).

Running tests

Tests are on Mocha and Chai. You can run them like so:

npm run test

Usage

Usage of the library will vary, depending on whether you want to run in-browser or as part of a server-side Node.js project. In any case, you'll need to begin by installing the library:

npm install --save vuln-vects

If you want to do a deep dive on the functionality of the library, take a look at the full API documentation.

In the browser

Usage in the browser is super straightforward. After installation, simply import the bundled library into your webpage like so:

<script src="node_modules/vuln-vects/bundle/vuln-vects.js"></script>

You'll then get a VulnVects object in the global namespace through which you can use the library:

<script>
    alert(VulnVects.parseCvss2Vector('CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N').baseScore); // Shows '5.0'.
</script>

On the server

Importing and invoking the library is slightly different on the server side.

import { parseCvss2Vector } from 'vuln-vects';

console.log(parseCvss2Vector('CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N').baseScore); // Prints '5.0'.

Aside from this, the API is identical. There is a lot more you can do with the library aside from just the above. See Features for more details.

Features

The library provides 4 main features: validation, scoring, rendering and mocking. If there's anything else you'd like to see, please consider opening an issue.

Validating

Validation of CVSS vectors of any currently supported version is possible. Convenience methods offer the simplest API for this:

import {
    validateCvss2Vector,
    validateCvss3Vector,
    validateCvssVector
} from 'vuln-vects';

// Will be true on validation success, false on failure.
const isValidCvss2Vector = validateCvss2Vector('(AV:N/AC:L/Au:N/C:P/I:N/A:N)'); // For CVSS v2.
const isValidCvss3Vector = validateCvss3Vector('AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'); // For CVSS v3.x.
const isValidCvssVector = validateCvssVector('AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'); // Version-agnostic.

Validation, in this context, means that CVSS vectors must be both well-formed and contain all required fields. If a CVSS vector is not well-formed (e.g. is missing separators as in AV:NAC:LPR:NUI:NS:UC:NI:LA:N) or does not contain all required fields to compute a score (e.g. does not contain a confidentiality impact as in AV:N/AC:L/PR:N/UI:N/S:U/I:L/A:N) validation will fail.

To get more detail about exactly why a vector failed validation, you can use the scoring API. For CVSS v2 vectors for example:

import {
    Cvss2VectorParser
} from 'vuln-vects';

const parser = new Cvss2VectorParser();
const scoringEngine = parser.generateScoringEngine('AV:N/AC:L/Au:N/C:P/I:N'); // Missing availability impact.

const isValid = scoringEngine.isValid(); // Will be true on validation success, false on failure.
const errors = scoringEngine.validate(); // Will return a list of human-readable validation errors.

Scoring

Scoring CVSS vectors (i.e. converting them into a CVSS score from 1-10) is the most common use-case for the library, and as such has been designed to be very convenient to use via helper methods:

import {
    parseCvss2Vector,
    parseCvss3Vector,
    parseCvssVector
} from 'vuln-vects';

// Will yield score objects.
const cvss2VectorScore = parseCvss2Vector('(AV:N/AC:L/Au:N/C:P/I:N/A:N)'); // For CVSS v2.
const cvss3VectorScore = parseCvss3Vector('AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'); // For CVSS v3.x.
const cvssVectorScore = parseCvssVector('AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'); // Version-agnostic.

// The resulting score objects contain several subscores, but you probably want base score or overall score.
console.log(cvss2VectorScore.baseScore);
console.log(cvss2VectorScore.overallScore);

Rendering

Rendering CVSS vectors refers to the process of generating CVSS vector strings from a set of metrics. This is a bit more involved, but still not especially complex:

import {
    Cvss2ScoringEngine,
    Cvss2VectorRenderer,
    Cvss2VectorPrefixOption,
    cvss2, // Enums specific to CVSS v2.
} from 'vuln-vects';

// Set up and configure a scoring engine.
const scoringEngine = new Cvss2ScoringEngine();
scoringEngine.accessVector = cvss2.AccessVector.NETWORK;
scoringEngine.accessComplexity = cvss2.AccessComplexity.MEDIUM;
scoringEngine.authentication = cvss2.Authentication.NONE;
scoringEngine.confidentialityImpact = cvss2.Impact.NONE;
scoringEngine.integrityImpact = cvss2.AccessVector.COMPLETE;
scoringEngine.availabilityImpact = cvss2.AccessVector.NONE;

// Feed this to an appropriate vector renderer.
const vectorRenderer = new Cvss2VectorRenderer(Cvss2VectorPrefixOption.BRACKETED);
console.log(vectorRenderer.render(scoringEngine));

Mocking

The ability to randomly generate (i.e. mock) CVSS vectors for use in unit testing application that consume them can be very useful. Convenience methods are provided for this purpose:

import {
    randomCvss2Vector,
    randomCvss3Vector,
    Cvss2VectorPrefixOption
} from 'vuln-vects';

// Shows a random CVSS v2 and v3.x vector.
console.log(randomCvss2Vector());
console.log(randomCvss3Vector());

// Temporal/environmental scores and any valid prefixing scheme are supported:
console.log(randomCvss2Vector(true, true, Cvss2VectorPrefixOption.BRACKETED));

Acknowledgements

The main contributors to this project so far are as follows: