CVSS
lib/CVSS/v4.pm view on Meta::CPAN
$eq1 = 0 if ($self->M('AV') eq 'N' && $self->M('PR') eq 'N' && $self->M('UI') eq 'N');
$eq1 = 1
if (($self->M('AV') eq 'N' || $self->M('PR') eq 'N' || $self->M('UI') eq 'N')
&& !($self->M('AV') eq 'N' && $self->M('PR') eq 'N' && $self->M('UI') eq 'N')
&& !($self->M('AV') eq 'P'));
$eq1 = 2 if ($self->M('AV') eq 'P' || !($self->M('AV') eq 'N' || $self->M('PR') eq 'N' || $self->M('UI') eq 'N'));
DEBUG and say STDERR "-- MacroVector - EQ1 : $eq1";
# EQ2 (Table 25)
# Levels Constraints
# 0 AC:L and AT:N
# 1 not (AC:L and AT:N)
$eq2 = 0 if ($self->M('AC') eq 'L' && $self->M('AT') eq 'N');
$eq2 = 1 if (!($self->M('AC') eq 'L' && $self->M('AT') eq 'N'));
DEBUG and say STDERR "-- MacroVector - EQ2 : $eq2";
# EQ3 (Table 26)
# Levels Constraints
# 0 VC:H and VI:H
# 1 not (VC:H and VI:H) and (VC:H or VI:H or VA:H)
# 2 not (VC:H or VI:H or VA:H)
$eq3 = 0 if ($self->M('VC') eq 'H' && $self->M('VI') eq 'H');
$eq3 = 1
if (!($self->M('VC') eq 'H' && $self->M('VI') eq 'H')
&& ($self->M('VC') eq 'H' || $self->M('VI') eq 'H' || $self->M('VA') eq 'H'));
$eq3 = 2 if (!($self->M('VC') eq 'H' || $self->M('VI') eq 'H' || $self->M('VA') eq 'H'));
DEBUG and say STDERR "-- MacroVector - EQ3 : $eq3";
# EQ4 (Table 27)
# Levels Constraints
# 0 MSI:S or MSA:S
# 1 not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)
# 2 not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)
$eq4 = 0 if ($self->M('MSI') eq 'S' || $self->M('MSA') eq 'S');
$eq4 = 1
if (!($self->M('MSI') eq 'S' || $self->M('MSA') eq 'S')
&& ($self->M('SC') eq 'H' || $self->M('SI') eq 'H' || $self->M('SA') eq 'H'));
$eq4 = 2
if (!($self->M('MSI') eq 'S' || $self->M('MSA') eq 'S')
&& !(($self->M('SC') eq 'H' || $self->M('SI') eq 'H' || $self->M('SA') eq 'H')));
DEBUG and say STDERR "-- MacroVector - EQ4 : $eq4";
# EQ5 (Table 28)
# Levels Constraints
# 0 E:A
# 1 E:P
# 2 E:U
$eq5 = 0 if ($self->M('E') eq 'A');
$eq5 = 1 if ($self->M('E') eq 'P');
$eq5 = 2 if ($self->M('E') eq 'U');
DEBUG and say STDERR "-- MacroVector - EQ5 : $eq5";
# EQ6 (Table 29)
# Levels Constraints
# 0 (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)
# 1 not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)
$eq6 = 0
if (($self->M('CR') eq 'H' && $self->M('VC') eq 'H')
|| ($self->M('IR') eq 'H' && $self->M('VI') eq 'H')
|| ($self->M('AR') eq 'H' && $self->M('VA') eq 'H'));
$eq6 = 1
if (!($self->M('CR') eq 'H' && $self->M('VC') eq 'H')
&& !($self->M('IR') eq 'H' && $self->M('VI') eq 'H')
&& !($self->M('AR') eq 'H' && $self->M('VA') eq 'H'));
DEBUG and say STDERR "-- MacroVector - EQ6 : $eq6";
my @macro_vector = ($eq1, $eq2, $eq3, $eq4, $eq5, $eq6);
my $macro_vector = join '', @macro_vector;
DEBUG and say STDERR "-- MacroVector : $macro_vector";
my $SEVERITY = {0 => 'HIGH', 1 => 'MEDIUM', 2 => 'LOW'};
$self->{exploitability} = $SEVERITY->{$eq1};
DEBUG and say STDERR "-- MacroVector EQ1 - Exploitability : $self->{exploitability}";
$self->{complexity} = $SEVERITY->{$eq2};
DEBUG and say STDERR "-- MacroVector EQ2 - Complexity : $self->{complexity}";
$self->{vulnerable_system} = $SEVERITY->{$eq3};
DEBUG and say STDERR "-- MacroVector EQ3 - Vulnerable System : $self->{vulnerable_system}";
$self->{subsequent_system} = $SEVERITY->{$eq4};
DEBUG and say STDERR "-- MacroVector EQ4 - Subsequent System : $self->{subsequent_system}";
$self->{exploitation} = $SEVERITY->{$eq5};
DEBUG and say STDERR "-- MacroVector EQ5 - Exploitation : $self->{exploitation}";
$self->{security_requirements} = $SEVERITY->{$eq6};
DEBUG and say STDERR "-- MacroVector EQ6 - Security Requirements : $self->{security_requirements}";
return wantarray ? @macro_vector : "$macro_vector";
}
# Accessor for the label ('HIGH', 'MEDIUM' or 'LOW') that the MacroVector
# computation stores from the EQ1 level. This describes the EQ1 bucket only;
# it is not the qualitative severity rating of the final score.
# Yields undef when nothing has been stored under the key.
sub exploitability {
    my ($self) = @_;
    return $self->{exploitability};
}
# Accessor for the label ('HIGH', 'MEDIUM' or 'LOW') that the MacroVector
# computation stores from the EQ2 level (AC/AT constraints).
# Yields undef when nothing has been stored under the key.
sub complexity {
    my ($self) = @_;
    return $self->{complexity};
}
# Accessor for the label ('HIGH', 'MEDIUM' or 'LOW') that the MacroVector
# computation stores from the EQ3 level (VC/VI/VA constraints).
# Yields undef when nothing has been stored under the key.
sub vulnerable_system {
    my ($self) = @_;
    return $self->{vulnerable_system};
}
# Accessor for the label ('HIGH', 'MEDIUM' or 'LOW') that the MacroVector
# computation stores from the EQ4 level (MSI/MSA and SC/SI/SA constraints).
# Yields undef when nothing has been stored under the key.
sub subsequent_system {
    my ($self) = @_;
    return $self->{subsequent_system};
}
# Accessor for the label ('HIGH', 'MEDIUM' or 'LOW') that the MacroVector
# computation stores from the EQ5 level (E:A / E:P / E:U).
# Yields undef when nothing has been stored under the key.
sub exploitation {
    my ($self) = @_;
    return $self->{exploitation};
}
lib/CVSS/v4.pm view on Meta::CPAN
$self->metrics->{S} //= 'X';
$self->metrics->{AU} //= 'X';
$self->metrics->{R} //= 'X';
$self->metrics->{V} //= 'X';
$self->metrics->{RE} //= 'X';
$self->metrics->{U} //= 'X';
# The following defines the index of each metric's values.
# It is used when looking for the highest vector part of the
# combinations produced by the MacroVector respective highest vectors.
my $AV_levels = {N => 0.0, A => 0.1, L => 0.2, P => 0.3};
my $PR_levels = {N => 0.0, L => 0.1, H => 0.2};
my $UI_levels = {N => 0.0, P => 0.1, A => 0.2};
my $AC_levels = {L => 0.0, H => 0.1};
my $AT_levels = {N => 0.0, P => 0.1};
my $VC_levels = {H => 0.0, L => 0.1, N => 0.2};
my $VI_levels = {H => 0.0, L => 0.1, N => 0.2};
my $VA_levels = {H => 0.0, L => 0.1, N => 0.2};
lib/CVSS/v4.pm view on Meta::CPAN
}
else {
$score_eq3eq6_next_lower_macro = $CVSS_LOOKUP_GLOBAL->{$eq3eq6_next_lower_macro} || 'NaN';
}
my $score_eq4_next_lower_macro = $CVSS_LOOKUP_GLOBAL->{$eq4_next_lower_macro} || 'NaN';
my $score_eq5_next_lower_macro = $CVSS_LOOKUP_GLOBAL->{$eq5_next_lower_macro} || 'NaN';
# b. The severity distance of the to-be scored vector from a
# highest severity vector in the same MacroVector is determined.
my $eq1_maxes = $MAX_COMPOSED->{eq1}->{$eq1};
my $eq2_maxes = $MAX_COMPOSED->{eq2}->{$eq2};
my $eq3_eq6_maxes = $MAX_COMPOSED->{eq3}->{$eq3}->{$eq6};
my $eq4_maxes = $MAX_COMPOSED->{eq4}->{$eq4};
my $eq5_maxes = $MAX_COMPOSED->{eq5}->{$eq5};
# compose them
my @max_vectors = ();
for my $eq1_max (@{$eq1_maxes}) {
for my $eq2_max (@{$eq2_maxes}) {
lib/CVSS/v4.pm view on Meta::CPAN
# multiply by step because distance is pure
my $max_severity_eq1 = $MAX_SEVERITY->{eq1}->{$eq1} * $step;
my $max_severity_eq2 = $MAX_SEVERITY->{eq2}->{$eq2} * $step;
my $max_severity_eq3eq6 = $MAX_SEVERITY->{eq3eq6}->{$eq3}->{$eq6} * $step;
my $max_severity_eq4 = $MAX_SEVERITY->{eq4}->{$eq4} * $step;
# c. The proportion of the distance is determined by dividing
# the severity distance of the to-be-scored vector by the depth
# of the MacroVector.
# d. The maximal scoring difference is multiplied by the proportion of
# distance.
my $n_existing_lower = 0;
if (!isNaN($available_distance_eq1) && $available_distance_eq1 >= 0) {
$n_existing_lower += 1;
$percent_to_next_eq1_severity = ($current_severity_distance_eq1) / $max_severity_eq1;
$normalized_severity_eq1 = $available_distance_eq1 * $percent_to_next_eq1_severity;
}
lib/CVSS/v4.pm view on Meta::CPAN
+ $normalized_severity_eq3eq6
+ $normalized_severity_eq4
+ $normalized_severity_eq5)
/ $n_existing_lower;
}
# /
DEBUG and say STDERR "-- Value: $value - MeanDistance: $mean_distance";
# 3. The score of the vector is the score of the MacroVector
# (i.e. the score of the highest severity vector) minus the mean
# distance so computed. This score is rounded to one decimal place.
$value -= $mean_distance;
DEBUG and say STDERR "-- Value $value";
$value = max(0.0, $value);
$value = min(10.0, $value);
my $base_score = sprintf('%.1f', $value);