CVSS utility functions. More...
Data Structures | |
struct | impact_item |
Describe a CVSS impact element. More... | |
struct | cvss |
Describe a set of CVSS metrics. More... | |
struct | cvss4_metric_def_t |
String to enum mapping and allowed values for a CVSS 4.0 metric. More... | |
struct | cvss4_macrovector_mapping_t |
Key-Value mappings of CVSS 4.0 macrovectors to scores. More... | |
Macros | |
#define | G_LOG_DOMAIN "libgvm base" |
GLib log domain. | |
#define | AV_NETWORK 1.0 |
AccessVector (AV) Constants. | |
#define | AV_ADJACENT_NETWORK 0.646 |
#define | AV_LOCAL 0.395 |
#define | AC_LOW 0.71 |
AccessComplexity (AC) Constants. | |
#define | AC_MEDIUM 0.61 |
#define | AC_HIGH 0.35 |
#define | Au_MULTIPLE_INSTANCES 0.45 |
Authentication (Au) Constants. | |
#define | Au_SINGLE_INSTANCE 0.56 |
#define | Au_NONE 0.704 |
#define | C_NONE 0.0 |
ConfidentialityImpact (C) Constants. | |
#define | C_PARTIAL 0.275 |
#define | C_COMPLETE 0.660 |
#define | I_NONE 0.0 |
IntegrityImpact (I) Constants. | |
#define | I_PARTIAL 0.275 |
#define | I_COMPLETE 0.660 |
#define | A_NONE 0.0 |
AvailabilityImpact (A) Constants. | |
#define | A_PARTIAL 0.275 |
#define | A_COMPLETE 0.660 |
#define | CVSS_METRICS_STR_BLANK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" |
Blank simplified CVSS 4.0 metrics string. | |
#define | CVSS_MACROVECTOR_BLANK "XXXXXX" |
Blank simplified CVSS 4.0 macrovector string. | |
Enumerations | |
enum | base_metrics { A , I , C , Au , AC , AV } |
CVSS v2 Base metrics. More... | |
enum | cvss4_metric_t { CVSS4_AV , CVSS4_AC , CVSS4_AT , CVSS4_PR , CVSS4_UI , CVSS4_VC , CVSS4_VI , CVSS4_VA , CVSS4_SC , CVSS4_SI , CVSS4_SA , CVSS4_E , CVSS4_CR , CVSS4_IR , CVSS4_AR , CVSS4_MAV , CVSS4_MAC , CVSS4_MAT , CVSS4_MPR , CVSS4_MUI , CVSS4_MVC , CVSS4_MVI , CVSS4_MVA , CVSS4_MSC , CVSS4_MSI , CVSS4_MSA , CVSS4_S , CVSS4_AU , CVSS4_R , CVSS4_V , CVSS4_RE , CVSS4_U , CVSS4_METRICS_MAX } |
CVSS 4.0 metrics. More... | |
Functions | |
static double | get_cvss_score_from_base_metrics_v3 (const char *cvss_str) |
Calculate CVSS Score. | |
static double | get_cvss_score_from_metrics_v4 (const char *cvss_str) |
Calculate CVSS 4.0 Score. | |
static int | toenum (const char *str, enum base_metrics *res) |
Determine base metric enumeration from a string. | |
static double | get_impact_subscore (const struct cvss *cvss) |
Calculate Impact Sub Score. | |
static double | get_exploitability_subscore (const struct cvss *cvss) |
Calculate Exploitability Sub Score. | |
static int | set_impact_from_str (const char *value, enum base_metrics metric, struct cvss *cvss) |
Set impact score from string representation. | |
static double | __get_cvss_score (struct cvss *cvss) |
Final CVSS score computation helper. | |
double | get_cvss_score_from_base_metrics (const char *cvss_str) |
Calculate CVSS Score. | |
static double | roundup (double cvss) |
Round final score as in spec. | |
static double | v3_impact (const char *value) |
Get impact. | |
static void | cvss4_init_macrovector_table () |
Initialize the CVSS 4.0 macrovector lookup table. | |
static double | cvss4_macrovector_score (const char *vector) |
Get the CVSS 4.0 score for a given macrovector string. | |
static char | cvss4_m (const char *simplified_vec, cvss4_metric_t metric) |
Get the effective value of a metric in a simplified CVSS4 vector. | |
static gchar * | simplify_cvss4_vector (const char *cvss_str) |
Simplify CVSS 4.0 base vector so metrics can be indexed by enum. | |
static gchar * | cvss4_vector_expand (const char *vec) |
Expands a simplified CVSS 4.0 vector into its full string form. | |
static gchar * | cvss4_macrovector (const char *vec) |
Calculate CVSS 4.0 macrovector from a simplified vector. | |
static void | cvss4_maximal_scoring_differences (const char *macrovector, double *available_distance_eq1, double *available_distance_eq2, double *available_distance_eq3eq6, double *available_distance_eq4, double *available_distance_eq5) |
Calculate the maximal scoring differences from a CVSS 4.0 macrovector. | |
static gchar ** | cvss4_max_vectors (const char *macrovector) |
Composes a list of max vectors for the given CVSS 4.0 macrovector. | |
static double | cvss4_metric_level (cvss4_metric_t metric, char value) |
Get the index of a CVSS 4.0 metric value for severity distances. | |
static double | cvss4_severity_distance (cvss4_metric_t metric, const char *vec, const char *max_vec) |
Calculate severity distance for a metric in two CVSS 4.0 vectors. | |
static void | cvss4_current_severity_distances (const char *vec, const char *macrovector, double *current_severity_distance_eq1, double *current_severity_distance_eq2, double *current_severity_distance_eq3eq6, double *current_severity_distance_eq4, double *current_severity_distance_eq5) |
Calculate current severity distances for given CVSS 4.0 vector. | |
static void | cvss4_max_severities (const char *macrovector, double *max_severity_eq1, double *max_severity_eq2, double *max_severity_eq3eq6, double *max_severity_eq4) |
Get the max severity values for a CVSS 4.0 macrovector. | |
Variables | |
static const struct impact_item | impact_map [][3] |
static cvss4_metric_def_t | cvss4_metric_defs [] |
String to enum mappings and allowed values for CVSS 4.0 metrics. | |
static const cvss4_macrovector_mapping_t | cvss4_macrovector_mappings [] |
CVSS 4.0 macrovector mappings. | |
static GHashTable * | cvss4_macrovector_table = NULL |
Hashtable for quick lookup of CVSS macrovector scores. | |
CVSS utility functions.
This file contains utility functions for handling CVSS v2, v3 and v4. get_cvss_score_from_base_metrics calculates the CVSS base score from a CVSS base vector.
CVSS v4.0:
See the CVSS v4 calculator reference implementation at https://github.com/FIRSTdotorg/cvss-v4-calculator and the CVSS 4.0 specification document at https://www.first.org/cvss/v4.0/specification-document (especially sections 7., 8.2 and 8.3).
CVSS v3.1:
See equations at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and constants at https://www.first.org/cvss/v3.1/specification-document (section 7.4. Metric Values).
CVSS v3.0:
See equations at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and constants at https://www.first.org/cvss/v3.0/specification-document (section 8.4. Metric Levels).
CVSS v2:
The base equation is the foundation of CVSS scoring. The base equation is: BaseScore6 = round_to_1_decimal(((0.6*Impact)+(0.4*Exploitability)-1.5)*f(Impact))
Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
Exploitability = 20* AccessVector*AccessComplexity*Authentication
f(Impact) = 0 if Impact=0, 1.176 otherwise
AccessVector = case AccessVector of
  requires local access: 0.395
  adjacent network accessible: 0.646
  network accessible: 1.0
AccessComplexity = case AccessComplexity of
  high: 0.35
  medium: 0.61
  low: 0.71
Authentication = case Authentication of
  requires multiple instances of authentication: 0.45
  requires single instance of authentication: 0.56
  requires no authentication: 0.704
ConfImpact = case ConfidentialityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660
IntegImpact = case IntegrityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660
AvailImpact = case AvailabilityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660
#define A_COMPLETE 0.660 |
Complete Availability Impact.
#define A_NONE 0.0 |
AvailabilityImpact (A) Constants.
No Availability Impact.
#define A_PARTIAL 0.275 |
Partial Availability Impact.
#define AC_HIGH 0.35 |
Access Complexity High.
#define AC_LOW 0.71 |
AccessComplexity (AC) Constants.
Access Complexity Low.
#define AC_MEDIUM 0.61 |
Access Complexity Medium.
#define Au_MULTIPLE_INSTANCES 0.45 |
Authentication (Au) Constants.
Authentication required, multiple instances.
#define Au_NONE 0.704 |
No Authentication.
#define Au_SINGLE_INSTANCE 0.56 |
Authentication required, single instance.
#define AV_ADJACENT_NETWORK 0.646 |
Access Vector Adjacent Network.
#define AV_LOCAL 0.395 |
Access Vector Local.
#define AV_NETWORK 1.0 |
AccessVector (AV) Constants.
Access Vector Network.
#define C_COMPLETE 0.660 |
Complete Confidentiality Impact.
#define C_NONE 0.0 |
ConfidentialityImpact (C) Constants.
No Confidentiality Impact.
#define C_PARTIAL 0.275 |
Partial Confidentiality Impact.
#define CVSS_MACROVECTOR_BLANK "XXXXXX" |
Blank simplified CVSS 4.0 macrovector string.
#define CVSS_METRICS_STR_BLANK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" |
Blank simplified CVSS 4.0 metrics string.
#define G_LOG_DOMAIN "libgvm base" |
GLib log domain.
#define I_COMPLETE 0.660 |
Complete Integrity Impact.
#define I_NONE 0.0 |
IntegrityImpact (I) Constants.
No Integrity Impact.
#define I_PARTIAL 0.275 |
Partial Integrity Impact.
enum base_metrics |
enum cvss4_metric_t |
CVSS 4.0 metrics.
static |
Final CVSS score computation helper.
[in] | cvss | The CVSS structure that contains the different metrics and associated scores. |
static |
Calculate current severity distances for given CVSS 4.0 vector.
[in] | vec | The vector in simplified form |
[in] | macrovector | Corresponding macrovector |
[out] | current_severity_distance_eq1 | Distance for EQ1 |
[out] | current_severity_distance_eq2 | Distance for EQ2 |
[out] | current_severity_distance_eq3eq6 | Distance for EQ3 and EQ6 |
[out] | current_severity_distance_eq4 | Distance for EQ4 |
[out] | current_severity_distance_eq5 | Distance for EQ5 |
static |
Initialize the CVSS 4.0 macrovector lookup table.
static |
Get the effective value of a metric in a simplified CVSS4 vector.
As this only returns the first character, the Provider Urgency metric (CVSS4_U) needs special handling to get the full string.
[in] | simplified_vec | The simplified vector string to get value from. |
[in] | metric | The metric to get the value of. |
inline static |
Calculate CVSS 4.0 macrovector from a simplified vector.
[in] | vec | The simplified vector to get the macrovector of |
inline static |
Get the CVSS 4.0 score for a given macrovector string.
[in] | vector | The macrovector to look up. |
static |
Get the max severity values for a CVSS 4.0 macrovector.
The values are the MaxSeverity values, already multiplied by 0.1.
[in] | macrovector | The macrovector to get the max severity values for |
[out] | max_severity_eq1 | Max severity for EQ1 |
[out] | max_severity_eq2 | Max severity for EQ2 |
[out] | max_severity_eq3eq6 | Max severity for EQ3 and EQ6 |
[out] | max_severity_eq4 | Max severity for EQ4 |
static |
Composes a list of max vectors for the given CVSS 4.0 macrovector.
[in] | macrovector | The macrovector to get the max vectors of. |
static |
Calculate the maximal scoring differences from a CVSS 4.0 macrovector.
[in] | macrovector | The macrovector to calculate the maximal scoring differences for |
[out] | available_distance_eq1 | Maximal scoring diff. for EQ1 |
[out] | available_distance_eq2 | Maximal scoring diff. for EQ2 |
[out] | available_distance_eq3eq6 | Maximal scoring diff. for EQ3 and EQ6 |
[out] | available_distance_eq4 | Maximal scoring diff. for EQ4 |
[out] | available_distance_eq5 | Maximal scoring diff. for EQ5 |
static |
Get the index of a CVSS 4.0 metric value for severity distances.
[in] | metric | The metric to check. |
[in] | value | The value of the given metric. |
inline static |
Calculate severity distance for a metric in two CVSS 4.0 vectors.
[in] | metric | The metric to calculate severity distance for. |
[in] | vec | The vector to be scored in simplified form. |
[in] | max_vec | The max vector to subtract in simplified form. |
static |
Expands a simplified CVSS 4.0 vector into its full string form.
[in] | vec | The simplified vector to expand |
double get_cvss_score_from_base_metrics | ( | const char * | cvss_str | ) |
Calculate CVSS Score.
cvss_str | Base vector string from which to compute score. |
static |
Calculate CVSS Score.
cvss_str | Vector from which to compute score, without prefix. |
static |
Calculate CVSS 4.0 Score.
cvss_str | Vector from which to compute score, without prefix. |
static |
Calculate Exploitability Sub Score.
[in] | cvss | Contains the subscores associated to the metrics. |
static |
Calculate Impact Sub Score.
[in] | cvss | Contains the subscores associated to the metrics. |
static |
Round final score as in spec.
cvss | CVSS score. |
inline static |
Set impact score from string representation.
[in] | value | The literal value associated to the metric. |
[in] | metric | The enumeration constant identifying the metric. |
[out] | cvss | The structure to update with the score. |
static |
Simplify CVSS 4.0 base vector so metrics can be indexed by enum.
The vector is simplified to a strictly ordered character array in which each character index corresponds to the cvss4_base_metrics enum value, using 'X' for undefined metric values.
This relies on all allowed values being single characters, or, in the case of the Provider Urgency metric, having unique first characters.
[in] | cvss_str | The original vector without the prefix "CVSS:4.0/". |
static |
Determine base metric enumeration from a string.
[in] | str | Base metric in string form, for example "A". |
[out] | res | Where to write the desired value. |
static |
Get impact.
value | Metric value. |
static |
CVSS 4.0 macrovector mappings.
This list has been generated from the lookup table in the FIRST CVSS calculator reference implementation at https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/main/cvss_lookup.js
static |
Hashtable for quick lookup of CVSS macrovector scores.
Macrovector scores should be looked up with cvss4_macrovector_score, which ensures the table is initialized and returns the scores as double values instead of pointers.
static |
String to enum mappings and allowed values for CVSS 4.0 metrics.
Notes:
static |