/* Copyright (c) 2019, FIRST.ORG, INC.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
* following conditions are met:
* 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
* disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
* following disclaimer in the documentation and/or other materials provided with the distribution.
* 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote
* products derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* This JavaScript contains two main functions. Both take CVSS metric values and calculate CVSS scores for Base,
* Temporal and Environmental metric groups, their associated severity ratings, and an overall Vector String.
*
* Use CVSS31.calculateCVSSFromMetrics if you wish to pass metric values as individual parameters.
* Use CVSS31.calculateCVSSFromVector if you wish to pass metric values as a single Vector String.
*
* Changelog
*
* 2019-06-01 Darius Wiles Updates for CVSS version 3.1:
*
* 1) The CVSS31.roundUp1 function now performs rounding using integer arithmetic to
* eliminate problems caused by tiny errors introduced during JavaScript math
* operations. Thanks to Stanislav Kontar of Red Hat for suggesting and testing
* various implementations.
*
* 2) Environmental formulas changed to prevent the Environmental Score decreasing when
* the value of an Environmental metric is raised. The problem affected a small
* percentage of CVSS v3.0 metrics. The change is to the modifiedImpact
* formula, but only affects scores where the Modified Scope is Changed (or the
* Scope is Changed if Modified Scope is Not Defined).
*
* 3) The JavaScript object containing everything in this file has been renamed from
* "CVSS" to "CVSS31" to allow both objects to be included without causing a
* naming conflict.
*
* 4) Variable names and code order have changed to more closely reflect the formulas
* in the CVSS v3.1 Specification Document.
*
* 5) A successful call to calculateCVSSFromMetrics now returns sub-formula values.
*
* Note that some sets of metrics will produce different scores between CVSS v3.0 and
* v3.1 as a result of changes 1 and 2. See the explanation of changes between these
* two standards in the CVSS v3.1 User Guide for more details.
*
* 2018-02-15 Darius Wiles Added a missing pair of parentheses in the Environmental score, specifically
* in the code setting envScore in the main clause (not the else clause). It was changed
* from "min (...), 10" to "min ((...), 10)". This correction does not alter any final
* Environmental scores.
*
* 2015-08-04 Darius Wiles Added CVSS.generateXMLFromMetrics and CVSS.generateXMLFromVector functions to return
* XML string representations of: a set of metric values; or a Vector String respectively.
* Moved all constants and functions to an object named "CVSS" to
* reduce the chance of conflicts in global variables when this file is combined with
* other JavaScript code. This will break all existing code that uses this file until
* the string "CVSS." is prepended to all references. The "Exploitability" metric has been
* renamed "Exploit Code Maturity" in the specification, so the same change has been made
* in the code in this file.
*
* 2015-04-24 Darius Wiles Environmental formula modified to eliminate undesirable behavior caused by subtle
* differences in rounding between Temporal and Environmental formulas that often
* caused the latter to be 0.1 lower than than the former when all Environmental
* metrics are "Not defined". Also added a RoundUp1 function to simplify formulas.
*
* 2015-04-09 Darius Wiles Added calculateCVSSFromVector function, license information, cleaned up code and improved
* comments.
*
* 2014-12-12 Darius Wiles Initial release for CVSS 3.0 Preview 2.
*/
// Constants used in the formula. They are not declared as "const" to avoid problems in older browsers.
var CVSS31 = {};
CVSS31.CVSSVersionIdentifier = 'CVSS:3.1';
CVSS31.exploitabilityCoefficient = 8.22;
CVSS31.scopeCoefficient = 1.08;
// A regular expression to validate that a CVSS 3.1 vector string is well formed. It checks metrics and metric
// values. It does not check that a metric is specified more than once and it does not check that all base
// metrics are present. These checks need to be performed separately.
CVSS31.vectorStringRegex_31 =
/^CVSS:3\.[01]\/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])\/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$/;
// Associative arrays mapping each metric value to the constant defined in the CVSS scoring formula in the CVSS v3.1
// specification.
CVSS31.Weight = {
AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
AC: { H: 0.44, L: 0.77 },
PR: {
U: { N: 0.85, L: 0.62, H: 0.27 }, // These values are used if Scope is Unchanged
C: { N: 0.85, L: 0.68, H: 0.5 },
}, // These values are used if Scope is Changed
UI: { N: 0.85, R: 0.62 },
S: { U: 6.42, C: 7.52 }, // Note: not defined as constants in specification
CIA: { N: 0, L: 0.22, H: 0.56 }, // C, I and A have the same weights
E: { X: 1, U: 0.91, P: 0.94, F: 0.97, H: 1 },
RL: { X: 1, O: 0.95, T: 0.96, W: 0.97, U: 1 },
RC: { X: 1, U: 0.92, R: 0.96, C: 1 },
CIAR: { X: 1, L: 0.5, M: 1, H: 1.5 }, // CR, IR and AR have the same weights
};
// Severity rating bands, as defined in the CVSS v3.1 specification.
CVSS31.severityRatings = [
{ name: 'None', bottom: 0.0, top: 0.0 },
{ name: 'Low', bottom: 0.1, top: 3.9 },
{ name: 'Medium', bottom: 4.0, top: 6.9 },
{ name: 'High', bottom: 7.0, top: 8.9 },
{ name: 'Critical', bottom: 9.0, top: 10.0 },
];
/* ** CVSS31.calculateCVSSFromMetrics **
*
* Takes Base, Temporal and Environmental metric values as individual parameters. Their values are in the short format
* defined in the CVSS v3.1 standard definition of the Vector String. For example, the AttackComplexity parameter
* should be either "H" or "L".
*
* Returns Base, Temporal and Environmental scores, severity ratings, and an overall Vector String. All Base metrics
* are required to generate this output. All Temporal and Environmental metric values are optional. Any that are not
* passed default to "X" ("Not Defined").
*
* The output is an object which always has a property named "success".
*
* If no errors are encountered, success is Boolean "true", and the following other properties are defined containing
* scores, severities and a vector string:
* baseMetricScore, baseSeverity,
* temporalMetricScore, temporalSeverity,
* environmentalMetricScore, environmentalSeverity,
* vectorString
*
* The following properties are also defined, and contain sub-formula values:
* baseISS, baseImpact, baseExploitability,
* environmentalMISS, environmentalModifiedImpact, environmentalModifiedExploitability
*
*
* If errors are encountered, success is Boolean "false", and the following other properties are defined:
* errorType - a string indicating the error. Either:
* "MissingBaseMetric", if at least one Base metric has not been defined; or
* "UnknownMetricValue", if at least one metric value is invalid.
* errorMetrics - an array of strings representing the metrics at fault. The strings are abbreviated versions of the
* metrics, as defined in the CVSS v3.1 standard definition of the Vector String.
*/
CVSS31.calculateCVSSFromMetrics = function (
AttackVector,
AttackComplexity,
PrivilegesRequired,
UserInteraction,
Scope,
Confidentiality,
Integrity,
Availability,
ExploitCodeMaturity,
RemediationLevel,
ReportConfidence,
ConfidentialityRequirement,
IntegrityRequirement,
AvailabilityRequirement,
ModifiedAttackVector,
ModifiedAttackComplexity,
ModifiedPrivilegesRequired,
ModifiedUserInteraction,
ModifiedScope,
ModifiedConfidentiality,
ModifiedIntegrity,
ModifiedAvailability,
) {
// If input validation fails, this array is populated with strings indicating which metrics failed validation.
var badMetrics = [];
// ENSURE ALL BASE METRICS ARE DEFINED
//
// We need values for all Base Score metrics to calculate scores.
// If any Base Score parameters are undefined, create an array of missing metrics and return it with an error.
if (typeof AttackVector === 'undefined' || AttackVector === '') {
badMetrics.push('AV');
}
if (typeof AttackComplexity === 'undefined' || AttackComplexity === '') {
badMetrics.push('AC');
}
if (typeof PrivilegesRequired === 'undefined' || PrivilegesRequired === '') {
badMetrics.push('PR');
}
if (typeof UserInteraction === 'undefined' || UserInteraction === '') {
badMetrics.push('UI');
}
if (typeof Scope === 'undefined' || Scope === '') {
badMetrics.push('S');
}
if (typeof Confidentiality === 'undefined' || Confidentiality === '') {
badMetrics.push('C');
}
if (typeof Integrity === 'undefined' || Integrity === '') {
badMetrics.push('I');
}
if (typeof Availability === 'undefined' || Availability === '') {
badMetrics.push('A');
}
if (badMetrics.length > 0) {
return {
success: false,
errorType: 'MissingBaseMetric',
errorMetrics: badMetrics,
};
}
// STORE THE METRIC VALUES THAT WERE PASSED AS PARAMETERS
//
// Temporal and Environmental metrics are optional, so set them to "X" ("Not Defined") if no value was passed.
var AV = AttackVector;
var AC = AttackComplexity;
var PR = PrivilegesRequired;
var UI = UserInteraction;
var S = Scope;
var C = Confidentiality;
var I = Integrity;
var A = Availability;
var E = ExploitCodeMaturity || 'X';
var RL = RemediationLevel || 'X';
var RC = ReportConfidence || 'X';
var CR = ConfidentialityRequirement || 'X';
var IR = IntegrityRequirement || 'X';
var AR = AvailabilityRequirement || 'X';
var MAV = ModifiedAttackVector || 'X';
var MAC = ModifiedAttackComplexity || 'X';
var MPR = ModifiedPrivilegesRequired || 'X';
var MUI = ModifiedUserInteraction || 'X';
var MS = ModifiedScope || 'X';
var MC = ModifiedConfidentiality || 'X';
var MI = ModifiedIntegrity || 'X';
var MA = ModifiedAvailability || 'X';
// CHECK VALIDITY OF METRIC VALUES
//
// Use the Weight object to ensure that, for every metric, the metric value passed is valid.
// If any invalid values are found, create an array of their metrics and return it with an error.
//
// The Privileges Required (PR) weight depends on Scope, but when checking the validity of PR we must not assume
// that the given value for Scope is valid. We therefore always look at the weights for Unchanged Scope when
// performing this check. The same applies for validation of Modified Privileges Required (MPR).
//
// The Weights object does not contain "X" ("Not Defined") values for Environmental metrics because we replace them
// with their Base metric equivalents later in the function. For example, an MAV of "X" will be replaced with the
// value given for AV. We therefore need to explicitly allow a value of "X" for Environmental metrics.
if (!CVSS31.Weight.AV.hasOwnProperty(AV)) {
badMetrics.push('AV');
}
if (!CVSS31.Weight.AC.hasOwnProperty(AC)) {
badMetrics.push('AC');
}
if (!CVSS31.Weight.PR.U.hasOwnProperty(PR)) {
badMetrics.push('PR');
}
if (!CVSS31.Weight.UI.hasOwnProperty(UI)) {
badMetrics.push('UI');
}
if (!CVSS31.Weight.S.hasOwnProperty(S)) {
badMetrics.push('S');
}
if (!CVSS31.Weight.CIA.hasOwnProperty(C)) {
badMetrics.push('C');
}
if (!CVSS31.Weight.CIA.hasOwnProperty(I)) {
badMetrics.push('I');
}
if (!CVSS31.Weight.CIA.hasOwnProperty(A)) {
badMetrics.push('A');
}
if (!CVSS31.Weight.E.hasOwnProperty(E)) {
badMetrics.push('E');
}
if (!CVSS31.Weight.RL.hasOwnProperty(RL)) {
badMetrics.push('RL');
}
if (!CVSS31.Weight.RC.hasOwnProperty(RC)) {
badMetrics.push('RC');
}
if (!(CR === 'X' || CVSS31.Weight.CIAR.hasOwnProperty(CR))) {
badMetrics.push('CR');
}
if (!(IR === 'X' || CVSS31.Weight.CIAR.hasOwnProperty(IR))) {
badMetrics.push('IR');
}
if (!(AR === 'X' || CVSS31.Weight.CIAR.hasOwnProperty(AR))) {
badMetrics.push('AR');
}
if (!(MAV === 'X' || CVSS31.Weight.AV.hasOwnProperty(MAV))) {
badMetrics.push('MAV');
}
if (!(MAC === 'X' || CVSS31.Weight.AC.hasOwnProperty(MAC))) {
badMetrics.push('MAC');
}
if (!(MPR === 'X' || CVSS31.Weight.PR.U.hasOwnProperty(MPR))) {
badMetrics.push('MPR');
}
if (!(MUI === 'X' || CVSS31.Weight.UI.hasOwnProperty(MUI))) {
badMetrics.push('MUI');
}
if (!(MS === 'X' || CVSS31.Weight.S.hasOwnProperty(MS))) {
badMetrics.push('MS');
}
if (!(MC === 'X' || CVSS31.Weight.CIA.hasOwnProperty(MC))) {
badMetrics.push('MC');
}
if (!(MI === 'X' || CVSS31.Weight.CIA.hasOwnProperty(MI))) {
badMetrics.push('MI');
}
if (!(MA === 'X' || CVSS31.Weight.CIA.hasOwnProperty(MA))) {
badMetrics.push('MA');
}
if (badMetrics.length > 0) {
return {
success: false,
errorType: 'UnknownMetricValue',
errorMetrics: badMetrics,
};
}
// GATHER WEIGHTS FOR ALL METRICS
var metricWeightAV = CVSS31.Weight.AV[AV];
var metricWeightAC = CVSS31.Weight.AC[AC];
var metricWeightPR = CVSS31.Weight.PR[S][PR]; // PR depends on the value of Scope (S).
var metricWeightUI = CVSS31.Weight.UI[UI];
var metricWeightS = CVSS31.Weight.S[S];
var metricWeightC = CVSS31.Weight.CIA[C];
var metricWeightI = CVSS31.Weight.CIA[I];
var metricWeightA = CVSS31.Weight.CIA[A];
var metricWeightE = CVSS31.Weight.E[E];
var metricWeightRL = CVSS31.Weight.RL[RL];
var metricWeightRC = CVSS31.Weight.RC[RC];
// For metrics that are modified versions of Base Score metrics, e.g. Modified Attack Vector, use the value of
// the Base Score metric if the modified version value is "X" ("Not Defined").
var metricWeightCR = CVSS31.Weight.CIAR[CR];
var metricWeightIR = CVSS31.Weight.CIAR[IR];
var metricWeightAR = CVSS31.Weight.CIAR[AR];
var metricWeightMAV = CVSS31.Weight.AV[MAV !== 'X' ? MAV : AV];
var metricWeightMAC = CVSS31.Weight.AC[MAC !== 'X' ? MAC : AC];
var metricWeightMPR =
CVSS31.Weight.PR[MS !== 'X' ? MS : S][MPR !== 'X' ? MPR : PR]; // Depends on MS.
var metricWeightMUI = CVSS31.Weight.UI[MUI !== 'X' ? MUI : UI];
var metricWeightMS = CVSS31.Weight.S[MS !== 'X' ? MS : S];
var metricWeightMC = CVSS31.Weight.CIA[MC !== 'X' ? MC : C];
var metricWeightMI = CVSS31.Weight.CIA[MI !== 'X' ? MI : I];
var metricWeightMA = CVSS31.Weight.CIA[MA !== 'X' ? MA : A];
// CALCULATE THE CVSS BASE SCORE
var iss; /* Impact Sub-Score */
var impact;
var exploitability;
var baseScore;
iss = 1 - (1 - metricWeightC) * (1 - metricWeightI) * (1 - metricWeightA);
if (S === 'U') {
impact = metricWeightS * iss;
} else {
impact = metricWeightS * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15);
}
exploitability =
CVSS31.exploitabilityCoefficient *
metricWeightAV *
metricWeightAC *
metricWeightPR *
metricWeightUI;
if (impact <= 0) {
baseScore = 0;
} else {
if (S === 'U') {
baseScore = CVSS31.roundUp1(Math.min(exploitability + impact, 10));
} else {
baseScore = CVSS31.roundUp1(
Math.min(CVSS31.scopeCoefficient * (exploitability + impact), 10),
);
}
}
// CALCULATE THE CVSS TEMPORAL SCORE
var temporalScore = CVSS31.roundUp1(
baseScore * metricWeightE * metricWeightRL * metricWeightRC,
);
// CALCULATE THE CVSS ENVIRONMENTAL SCORE
//
// - modifiedExploitability recalculates the Base Score Exploitability sub-score using any modified values from the
// Environmental metrics group in place of the values specified in the Base Score, if any have been defined.
// - modifiedImpact recalculates the Base Score Impact sub-score using any modified values from the
// Environmental metrics group in place of the values specified in the Base Score, and any additional weightings
// given in the Environmental metrics group.
var miss; /* Modified Impact Sub-Score */
var modifiedImpact;
var envScore;
var modifiedExploitability;
miss = Math.min(
1 -
(1 - metricWeightMC * metricWeightCR) *
(1 - metricWeightMI * metricWeightIR) *
(1 - metricWeightMA * metricWeightAR),
0.915,
);
if (MS === 'U' || (MS === 'X' && S === 'U')) {
modifiedImpact = metricWeightMS * miss;
} else {
modifiedImpact =
metricWeightMS * (miss - 0.029) -
3.25 * Math.pow(miss * 0.9731 - 0.02, 13);
}
modifiedExploitability =
CVSS31.exploitabilityCoefficient *
metricWeightMAV *
metricWeightMAC *
metricWeightMPR *
metricWeightMUI;
if (modifiedImpact <= 0) {
envScore = 0;
} else if (MS === 'U' || (MS === 'X' && S === 'U')) {
envScore = CVSS31.roundUp1(
CVSS31.roundUp1(Math.min(modifiedImpact + modifiedExploitability, 10)) *
metricWeightE *
metricWeightRL *
metricWeightRC,
);
} else {
envScore = CVSS31.roundUp1(
CVSS31.roundUp1(
Math.min(
CVSS31.scopeCoefficient * (modifiedImpact + modifiedExploitability),
10,
),
) *
metricWeightE *
metricWeightRL *
metricWeightRC,
);
}
// CONSTRUCT THE VECTOR STRING
var vectorString =
CVSS31.CVSSVersionIdentifier +
'/AV:' +
AV +
'/AC:' +
AC +
'/PR:' +
PR +
'/UI:' +
UI +
'/S:' +
S +
'/C:' +
C +
'/I:' +
I +
'/A:' +
A;
if (E !== 'X') {
vectorString = vectorString + '/E:' + E;
}
if (RL !== 'X') {
vectorString = vectorString + '/RL:' + RL;
}
if (RC !== 'X') {
vectorString = vectorString + '/RC:' + RC;
}
if (CR !== 'X') {
vectorString = vectorString + '/CR:' + CR;
}
if (IR !== 'X') {
vectorString = vectorString + '/IR:' + IR;
}
if (AR !== 'X') {
vectorString = vectorString + '/AR:' + AR;
}
if (MAV !== 'X') {
vectorString = vectorString + '/MAV:' + MAV;
}
if (MAC !== 'X') {
vectorString = vectorString + '/MAC:' + MAC;
}
if (MPR !== 'X') {
vectorString = vectorString + '/MPR:' + MPR;
}
if (MUI !== 'X') {
vectorString = vectorString + '/MUI:' + MUI;
}
if (MS !== 'X') {
vectorString = vectorString + '/MS:' + MS;
}
if (MC !== 'X') {
vectorString = vectorString + '/MC:' + MC;
}
if (MI !== 'X') {
vectorString = vectorString + '/MI:' + MI;
}
if (MA !== 'X') {
vectorString = vectorString + '/MA:' + MA;
}
// Return an object containing the scores for all three metric groups, and an overall vector string.
// Sub-formula values are also included.
return {
success: true,
baseMetricScore: baseScore.toFixed(1),
baseSeverity: CVSS31.severityRating(baseScore.toFixed(1)),
baseISS: iss,
baseImpact: impact,
baseExploitability: exploitability,
temporalMetricScore: temporalScore.toFixed(1),
temporalSeverity: CVSS31.severityRating(temporalScore.toFixed(1)),
environmentalMetricScore: envScore.toFixed(1),
environmentalSeverity: CVSS31.severityRating(envScore.toFixed(1)),
environmentalMISS: miss,
environmentalModifiedImpact: modifiedImpact,
environmentalModifiedExploitability: modifiedExploitability,
vectorString: vectorString,
};
};
/* ** CVSS31.calculateCVSSFromVector **
*
* Takes Base, Temporal and Environmental metric values as a single string in the Vector String format defined
* in the CVSS v3.1 standard definition of the Vector String.
*
* Returns Base, Temporal and Environmental scores, severity ratings, and an overall Vector String. All Base metrics
* are required to generate this output. All Temporal and Environmental metric values are optional. Any that are not
* passed default to "X" ("Not Defined").
*
* See the comment for the CVSS31.calculateCVSSFromMetrics function for details on the function output. In addition to
* the error conditions listed for that function, this function can also return:
* "MalformedVectorString", if the Vector String passed does not conform to the format in the standard; or
* "MultipleDefinitionsOfMetric", if the Vector String is well formed but defines the same metric (or metrics),
* more than once.
*/
CVSS31.calculateCVSSFromVector = function (vectorString) {
var metricValues = {
AV: undefined,
AC: undefined,
PR: undefined,
UI: undefined,
S: undefined,
C: undefined,
I: undefined,
A: undefined,
E: undefined,
RL: undefined,
RC: undefined,
CR: undefined,
IR: undefined,
AR: undefined,
MAV: undefined,
MAC: undefined,
MPR: undefined,
MUI: undefined,
MS: undefined,
MC: undefined,
MI: undefined,
MA: undefined,
};
// If input validation fails, this array is populated with strings indicating which metrics failed validation.
var badMetrics = [];
if (!CVSS31.vectorStringRegex_31.test(vectorString)) {
return { success: false, errorType: 'MalformedVectorString' };
}
var metricNameValue = vectorString
.substring(CVSS31.CVSSVersionIdentifier.length)
.split('/');
for (var i in metricNameValue) {
if (metricNameValue.hasOwnProperty(i)) {
var singleMetric = metricNameValue[i].split(':');
if (typeof metricValues[singleMetric[0]] === 'undefined') {
metricValues[singleMetric[0]] = singleMetric[1];
} else {
badMetrics.push(singleMetric[0]);
}
}
}
if (badMetrics.length > 0) {
return {
success: false,
errorType: 'MultipleDefinitionsOfMetric',
errorMetrics: badMetrics,
};
}
return CVSS31.calculateCVSSFromMetrics(
metricValues.AV,
metricValues.AC,
metricValues.PR,
metricValues.UI,
metricValues.S,
metricValues.C,
metricValues.I,
metricValues.A,
metricValues.E,
metricValues.RL,
metricValues.RC,
metricValues.CR,
metricValues.IR,
metricValues.AR,
metricValues.MAV,
metricValues.MAC,
metricValues.MPR,
metricValues.MUI,
metricValues.MS,
metricValues.MC,
metricValues.MI,
metricValues.MA,
);
};
/* ** CVSS31.roundUp1 **
*
* Rounds up its parameter to 1 decimal place and returns the result.
*
* Standard JavaScript errors thrown when arithmetic operations are performed on non-numbers will be returned if the
* given input is not a number.
*
* Implementation note: Tiny representation errors in floating point numbers makes rounding complex. For example,
* consider calculating Math.ceil((1-0.58)*100) by hand. It can be simplified to Math.ceil(0.42*100), then
* Math.ceil(42), and finally 42. Most JavaScript implementations give 43. The problem is that, on many systems,
* 1-0.58 = 0.42000000000000004, and the tiny error is enough to push ceil up to the next integer. The implementation
* below avoids such problems by performing the rounding using integers. The input is first multiplied by 100,000
* and rounded to the nearest integer to consider 6 decimal places of accuracy, so 0.000001 results in 0.0, but
* 0.000009 results in 0.1.
*
* A more elegant solution may be possible, but the following gives answers consistent with results from an arbitrary
* precision library.
*/
CVSS31.roundUp1 = function Roundup(input) {
var int_input = Math.round(input * 100000);
if (int_input % 10000 === 0) {
return int_input / 100000;
} else {
return (Math.floor(int_input / 10000) + 1) / 10;
}
};
/* ** CVSS31.severityRating **
*
* Given a CVSS score, returns the name of the severity rating as defined in the CVSS standard.
* The input needs to be a number between 0.0 to 10.0, to one decimal place of precision.
*
* The following error values may be returned instead of a severity rating name:
* NaN (JavaScript "Not a Number") - if the input is not a number.
* undefined - if the input is a number that is not within the range of any defined severity rating.
*/
CVSS31.severityRating = function (score) {
var severityRatingLength = CVSS31.severityRatings.length;
var validatedScore = Number(score);
if (isNaN(validatedScore)) {
return validatedScore;
}
for (var i = 0; i < severityRatingLength; i++) {
if (
score >= CVSS31.severityRatings[i].bottom &&
score <= CVSS31.severityRatings[i].top
) {
return CVSS31.severityRatings[i].name;
}
}
return undefined;
};
///////////////////////////////////////////////////////////////////////////
// DATA AND FUNCTIONS FOR CREATING AN XML REPRESENTATION OF A CVSS SCORE //
///////////////////////////////////////////////////////////////////////////
// A mapping between abbreviated metric values and the string used in the XML representation.
// For example, a Remediation Level (RL) abbreviated metric value of "W" maps to "WORKAROUND".
// For brevity, every Base metric shares its definition with its equivalent Environmental metric. This is possible
// because the metric values are same between these groups, except that the latter have an additional metric value
// of "NOT_DEFINED".
CVSS31.XML_MetricNames = {
E: {
X: 'NOT_DEFINED',
U: 'UNPROVEN',
P: 'PROOF_OF_CONCEPT',
F: 'FUNCTIONAL',
H: 'HIGH',
},
RL: {
X: 'NOT_DEFINED',
O: 'OFFICIAL_FIX',
T: 'TEMPORARY_FIX',
W: 'WORKAROUND',
U: 'UNAVAILABLE',
},
RC: { X: 'NOT_DEFINED', U: 'UNKNOWN', R: 'REASONABLE', C: 'CONFIRMED' },
CIAR: { X: 'NOT_DEFINED', L: 'LOW', M: 'MEDIUM', H: 'HIGH' }, // CR, IR and AR use the same values
MAV: {
N: 'NETWORK',
A: 'ADJACENT_NETWORK',
L: 'LOCAL',
P: 'PHYSICAL',
X: 'NOT_DEFINED',
},
MAC: { H: 'HIGH', L: 'LOW', X: 'NOT_DEFINED' },
MPR: { N: 'NONE', L: 'LOW', H: 'HIGH', X: 'NOT_DEFINED' },
MUI: { N: 'NONE', R: 'REQUIRED', X: 'NOT_DEFINED' },
MS: { U: 'UNCHANGED', C: 'CHANGED', X: 'NOT_DEFINED' },
MCIA: { N: 'NONE', L: 'LOW', H: 'HIGH', X: 'NOT_DEFINED' }, // C, I and A use the same values
};
/* ** CVSS31.generateXMLFromMetrics **
*
* Takes Base, Temporal and Environmental metric values as individual parameters. Their values are in the short format
* defined in the CVSS v3.1 standard definition of the Vector String. For example, the AttackComplexity parameter
* should be either "H" or "L".
*
* Returns a single string containing the metric values in XML form. All Base metrics are required to generate this
* output. All Temporal and Environmental metric values are optional. Any that are not passed will be represented in
* the XML as NOT_DEFINED. The function returns a string for simplicity. It is arguably better to return the XML as
* a DOM object, but at the time of writing this leads to complexity due to older browsers using different JavaScript
* interfaces to do this. Also for simplicity, all Temporal and Environmental metrics are included in the string,
* even though those with a value of "Not Defined" do not need to be included.
*
* The output of this function is an object which always has a property named "success".
*
* If no errors are encountered, success is Boolean "true", and the "xmlString" property contains the XML string
* representation.
*
* If errors are encountered, success is Boolean "false", and other properties are defined as per the
* CVSS31.calculateCVSSFromMetrics function. Refer to the comment for that function for more details.
*/
CVSS31.generateXMLFromMetrics = function (
AttackVector,
AttackComplexity,
PrivilegesRequired,
UserInteraction,
Scope,
Confidentiality,
Integrity,
Availability,
ExploitCodeMaturity,
RemediationLevel,
ReportConfidence,
ConfidentialityRequirement,
IntegrityRequirement,
AvailabilityRequirement,
ModifiedAttackVector,
ModifiedAttackComplexity,
ModifiedPrivilegesRequired,
ModifiedUserInteraction,
ModifiedScope,
ModifiedConfidentiality,
ModifiedIntegrity,
ModifiedAvailability,
) {
// A string containing the XML we wish to output, with placeholders for the CVSS metrics we will substitute for
// their values, based on the inputs passed to this function.
var xmlTemplate =
'<?xml version="1.0" encoding="UTF-8"?>\n' +
'<cvssv3.1 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd"\n' +
' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\n' +
' xsi:schemaLocation="https://www.first.org/cvss/cvss-v3.1.xsd https://www.first.org/cvss/cvss-v3.1.xsd"\n' +
' >\n' +
'\n' +
' <base_metrics>\n' +
' <attack-vector>__AttackVector__</attack-vector>\n' +
' <attack-complexity>__AttackComplexity__</attack-complexity>\n' +
' <privileges-required>__PrivilegesRequired__</privileges-required>\n' +
' <user-interaction>__UserInteraction__</user-interaction>\n' +
' <scope>__Scope__</scope>\n' +
' <confidentiality-impact>__Confidentiality__</confidentiality-impact>\n' +
' <integrity-impact>__Integrity__</integrity-impact>\n' +
' <availability-impact>__Availability__</availability-impact>\n' +
' <base-score>__BaseScore__</base-score>\n' +
' <base-severity>__BaseSeverityRating__</base-severity>\n' +
' </base_metrics>\n' +
'\n' +
' <temporal_metrics>\n' +
' <exploit-code-maturity>__ExploitCodeMaturity__</exploit-code-maturity>\n' +
' <remediation-level>__RemediationLevel__</remediation-level>\n' +
' <report-confidence>__ReportConfidence__</report-confidence>\n' +
' <temporal-score>__TemporalScore__</temporal-score>\n' +
' <temporal-severity>__TemporalSeverityRating__</temporal-severity>\n' +
' </temporal_metrics>\n' +
'\n' +
' <environmental_metrics>\n' +
' <confidentiality-requirement>__ConfidentialityRequirement__</confidentiality-requirement>\n' +
' <integrity-requirement>__IntegrityRequirement__</integrity-requirement>\n' +
' <availability-requirement>__AvailabilityRequirement__</availability-requirement>\n' +
' <modified-attack-vector>__ModifiedAttackVector__</modified-attack-vector>\n' +
' <modified-attack-complexity>__ModifiedAttackComplexity__</modified-attack-complexity>\n' +
' <modified-privileges-required>__ModifiedPrivilegesRequired__</modified-privileges-required>\n' +
' <modified-user-interaction>__ModifiedUserInteraction__</modified-user-interaction>\n' +
' <modified-scope>__ModifiedScope__</modified-scope>\n' +
' <modified-confidentiality-impact>__ModifiedConfidentiality__</modified-confidentiality-impact>\n' +
' <modified-integrity-impact>__ModifiedIntegrity__</modified-integrity-impact>\n' +
' <modified-availability-impact>__ModifiedAvailability__</modified-availability-impact>\n' +
' <environmental-score>__EnvironmentalScore__</environmental-score>\n' +
' <environmental-severity>__EnvironmentalSeverityRating__</environmental-severity>\n' +
' </environmental_metrics>\n' +
'\n' +
'</cvssv3.1>\n';
// Call CVSS31.calculateCVSSFromMetrics to validate all the parameters and generate scores and severity ratings.
// If that function returns an error, immediately return it to the caller of this function.
var result = CVSS31.calculateCVSSFromMetrics(
AttackVector,
AttackComplexity,
PrivilegesRequired,
UserInteraction,
Scope,
Confidentiality,
Integrity,
Availability,
ExploitCodeMaturity,
RemediationLevel,
ReportConfidence,
ConfidentialityRequirement,
IntegrityRequirement,
AvailabilityRequirement,
ModifiedAttackVector,
ModifiedAttackComplexity,
ModifiedPrivilegesRequired,
ModifiedUserInteraction,
ModifiedScope,
ModifiedConfidentiality,
ModifiedIntegrity,
ModifiedAvailability,
);
if (result.success !== true) {
return result;
}
var xmlOutput = xmlTemplate;
xmlOutput = xmlOutput.replace(
'__AttackVector__',
CVSS31.XML_MetricNames['MAV'][AttackVector],
);
xmlOutput = xmlOutput.replace(
'__AttackComplexity__',
CVSS31.XML_MetricNames['MAC'][AttackComplexity],
);
xmlOutput = xmlOutput.replace(
'__PrivilegesRequired__',
CVSS31.XML_MetricNames['MPR'][PrivilegesRequired],
);
xmlOutput = xmlOutput.replace(
'__UserInteraction__',
CVSS31.XML_MetricNames['MUI'][UserInteraction],
);
xmlOutput = xmlOutput.replace(
'__Scope__',
CVSS31.XML_MetricNames['MS'][Scope],
);
xmlOutput = xmlOutput.replace(
'__Confidentiality__',
CVSS31.XML_MetricNames['MCIA'][Confidentiality],
);
xmlOutput = xmlOutput.replace(
'__Integrity__',
CVSS31.XML_MetricNames['MCIA'][Integrity],
);
xmlOutput = xmlOutput.replace(
'__Availability__',
CVSS31.XML_MetricNames['MCIA'][Availability],
);
xmlOutput = xmlOutput.replace('__BaseScore__', result.baseMetricScore);
xmlOutput = xmlOutput.replace('__BaseSeverityRating__', result.baseSeverity);
xmlOutput = xmlOutput.replace(
'__ExploitCodeMaturity__',
CVSS31.XML_MetricNames['E'][ExploitCodeMaturity || 'X'],
);
xmlOutput = xmlOutput.replace(
'__RemediationLevel__',
CVSS31.XML_MetricNames['RL'][RemediationLevel || 'X'],
);
xmlOutput = xmlOutput.replace(
'__ReportConfidence__',
CVSS31.XML_MetricNames['RC'][ReportConfidence || 'X'],
);
xmlOutput = xmlOutput.replace(
'__TemporalScore__',
result.temporalMetricScore,
);
xmlOutput = xmlOutput.replace(
'__TemporalSeverityRating__',
result.temporalSeverity,
);
xmlOutput = xmlOutput.replace(
'__ConfidentialityRequirement__',
CVSS31.XML_MetricNames['CIAR'][ConfidentialityRequirement || 'X'],
);
xmlOutput = xmlOutput.replace(
'__IntegrityRequirement__',
CVSS31.XML_MetricNames['CIAR'][IntegrityRequirement || 'X'],
);
xmlOutput = xmlOutput.replace(
'__AvailabilityRequirement__',
CVSS31.XML_MetricNames['CIAR'][AvailabilityRequirement || 'X'],
);
xmlOutput = xmlOutput.replace(
'__ModifiedAttackVector__',
CVSS31.XML_MetricNames['MAV'][ModifiedAttackVector || 'X'],
);
xmlOutput = xmlOutput.replace(
'__ModifiedAttackComplexity__',
CVSS31.XML_MetricNames['MAC'][ModifiedAttackComplexity || 'X'],
);
xmlOutput = xmlOutput.replace(
'__ModifiedPrivilegesRequired__',
CVSS31.XML_MetricNames['MPR'][ModifiedPrivilegesRequired || 'X'],
);
xmlOutput = xmlOutput.replace(
'__ModifiedUserInteraction__',
CVSS31.XML_MetricNames['MUI'][ModifiedUserInteraction || 'X'],
);
xmlOutput = xmlOutput.replace(
'__ModifiedScope__',
CVSS31.XML_MetricNames['MS'][ModifiedScope || 'X'],
);
xmlOutput = xmlOutput.replace(
'__ModifiedConfidentiality__',
CVSS31.XML_MetricNames['MCIA'][ModifiedConfidentiality || 'X'],
);
xmlOutput = xmlOutput.replace(
'__ModifiedIntegrity__',
CVSS31.XML_MetricNames['MCIA'][ModifiedIntegrity || 'X'],
);
xmlOutput = xmlOutput.replace(
'__ModifiedAvailability__',
CVSS31.XML_MetricNames['MCIA'][ModifiedAvailability || 'X'],
);
xmlOutput = xmlOutput.replace(
'__EnvironmentalScore__',
result.environmentalMetricScore,
);
xmlOutput = xmlOutput.replace(
'__EnvironmentalSeverityRating__',
result.environmentalSeverity,
);
return { success: true, xmlString: xmlOutput };
};
/* ** CVSS31.generateXMLFromVector **
*
* Takes Base, Temporal and Environmental metric values as a single string in the Vector String format defined
* in the CVSS v3.1 standard definition of the Vector String.
*
* Returns an XML string representation of this input. See the comment for CVSS31.generateXMLFromMetrics for more
* detail on inputs, return values and errors. In addition to the error conditions listed for that function, this
* function can also return:
* "MalformedVectorString", if the Vector String passed is does not conform to the format in the standard; or
* "MultipleDefinitionsOfMetric", if the Vector String is well formed but defines the same metric (or metrics),
* more than once.
*/
CVSS31.generateXMLFromVector = function (vectorString) {
var metricValues = {
AV: undefined,
AC: undefined,
PR: undefined,
UI: undefined,
S: undefined,
C: undefined,
I: undefined,
A: undefined,
E: undefined,
RL: undefined,
RC: undefined,
CR: undefined,
IR: undefined,
AR: undefined,
MAV: undefined,
MAC: undefined,
MPR: undefined,
MUI: undefined,
MS: undefined,
MC: undefined,
MI: undefined,
MA: undefined,
};
// If input validation fails, this array is populated with strings indicating which metrics failed validation.
var badMetrics = [];
if (!CVSS31.vectorStringRegex_31.test(vectorString)) {
return { success: false, errorType: 'MalformedVectorString' };
}
var metricNameValue = vectorString
.substring(CVSS31.CVSSVersionIdentifier.length)
.split('/');
for (var i in metricNameValue) {
if (metricNameValue.hasOwnProperty(i)) {
var singleMetric = metricNameValue[i].split(':');
if (typeof metricValues[singleMetric[0]] === 'undefined') {
metricValues[singleMetric[0]] = singleMetric[1];
} else {
badMetrics.push(singleMetric[0]);
}
}
}
if (badMetrics.length > 0) {
return {
success: false,
errorType: 'MultipleDefinitionsOfMetric',
errorMetrics: badMetrics,
};
}
return CVSS31.generateXMLFromMetrics(
metricValues.AV,
metricValues.AC,
metricValues.PR,
metricValues.UI,
metricValues.S,
metricValues.C,
metricValues.I,
metricValues.A,
metricValues.E,
metricValues.RL,
metricValues.RC,
metricValues.CR,
metricValues.IR,
metricValues.AR,
metricValues.MAV,
metricValues.MAC,
metricValues.MPR,
metricValues.MUI,
metricValues.MS,
metricValues.MC,
metricValues.MI,
metricValues.MA,
);
};
module.exports = CVSS31;