cvss_v1 (cvss v0.1.1)

View Source

CVSS 1.0 parsing, composition, validation, and scoring.

Use this module when working with CVSS 1.0 vectors directly. If the version is not known ahead of time, use cvss instead.

Vector format: AV:R/AC:L/Au:NR/C:C/I:C/A:C

See: https://www.first.org/cvss/v1/guide

Summary

Types

ac()
au()
av()
cdp()
cvss()
exploitability()
impact()
impact_bias()
remediation_level()
report_confidence()
td()

Functions

base_score/1

Calculate the CVSS 1.0 Base Score.

compose/1

Compose a CVSS 1.0 record into a vector string.

environmental_score/1

Calculate the CVSS 1.0 Environmental Score. Returns the Temporal Score if no environmental metrics are present.

parse(Vector)

Parse a CVSS 1.0 vector string. Format: AV:R/AC:L/Au:NR/C:C/I:C/A:C

score/1

Calculate the CVSS 1.0 score. Returns the most relevant score: Environmental > Temporal > Base.

temporal_score/1

Calculate the CVSS 1.0 Temporal Score. Returns the Base Score if no temporal metrics are present.

valid/1

Check whether a CVSS 1.0 value is valid.

Types

ac()

-type ac() :: high | low.

au()

-type au() :: required | not_required.

av()

-type av() :: local | remote.

cdp()

-type cdp() :: none | low | medium | high.

cvss()

-type cvss() ::
          #cvss_v1{av :: cvss_v1:av(),
                   ac :: cvss_v1:ac(),
                   au :: cvss_v1:au(),
                   c :: cvss_v1:impact(),
                   i :: cvss_v1:impact(),
                   a :: cvss_v1:impact(),
                   ib :: cvss_v1:impact_bias(),
                   e :: cvss_v1:exploitability() | undefined,
                   rl :: cvss_v1:remediation_level() | undefined,
                   rc :: cvss_v1:report_confidence() | undefined,
                   cdp :: cvss_v1:cdp() | undefined,
                   td :: cvss_v1:td() | undefined}.

exploitability()

-type exploitability() :: unproven | proof_of_concept | functional | high.

impact()

-type impact() :: none | partial | complete.

impact_bias()

-type impact_bias() :: normal | confidentiality | integrity | availability.

remediation_level()

-type remediation_level() :: official_fix | temporary_fix | workaround | unavailable.

report_confidence()

-type report_confidence() :: unconfirmed | uncorroborated | confirmed.

td()

-type td() :: none | low | medium | high.

Functions

base_score/1

-spec base_score(cvss_v1:cvss()) -> cvss:score().

Calculate the CVSS 1.0 Base Score.

> {ok, Cvss} = cvss_v1:parse(<<"AV:R/AC:L/Au:NR/C:C/I:C/A:C">>).
> cvss_v1:base_score(Cvss).
10.0

compose/1

-spec compose(cvss_v1:cvss()) -> iolist().

Compose a CVSS 1.0 record into a vector string.

> iolist_to_binary(cvss_v1:compose(#cvss_v1{av = remote, ac = low, au = not_required,
                                           c = complete, i = complete, a = complete,
                                           ib = normal})).
<<"AV:R/AC:L/Au:NR/C:C/I:C/A:C">>

> iolist_to_binary(cvss_v1:compose(#cvss_v1{av = remote, ac = low, au = not_required,
                                           c = complete, i = complete, a = complete,
                                           ib = normal,
                                           e = high, rl = unavailable, rc = confirmed})).
<<"AV:R/AC:L/Au:NR/C:C/I:C/A:C/E:H/RL:U/RC:C">>

environmental_score/1

-spec environmental_score(cvss_v1:cvss()) -> cvss:score().

Calculate the CVSS 1.0 Environmental Score. Returns the Temporal Score if no environmental metrics are present.

> {ok, Cvss} = cvss_v1:parse(<<"AV:R/AC:L/Au:NR/C:C/I:C/A:C/CDP:L/TD:L">>).
> cvss_v1:environmental_score(Cvss).
2.5

parse(Vector)

-spec parse(binary()) -> {ok, cvss_v1:cvss()} | {error, cvss:parse_error()}.

Parse a CVSS 1.0 vector string. Format: AV:R/AC:L/Au:NR/C:C/I:C/A:C

> cvss_v1:parse(<<"AV:R/AC:L/Au:NR/C:C/I:C/A:C">>).
{ok, #cvss_v1{av = remote, ac = low, au = not_required,
              c = complete, i = complete, a = complete}}

> cvss_v1:parse(<<"AV:L/AC:H/Au:R/C:P/I:P/A:N">>).
{ok, #cvss_v1{av = local, ac = high, au = required,
              c = partial, i = partial, a = none}}

> cvss_v1:parse(<<"AV:R/AC:L/Au:NR/C:C/I:C/A:C/E:H/RL:U/RC:C">>).
{ok, #cvss_v1{av = remote, ac = low, au = not_required,
              c = complete, i = complete, a = complete,
              e = high, rl = unavailable, rc = confirmed}}

> cvss_v1:parse(<<"AV:X/AC:L/Au:NR/C:C/I:C/A:C">>).
{error, {invalid_metric, <<"AV">>, <<"X">>}}

> cvss_v1:parse(<<"AC:L/Au:NR/C:C/I:C/A:C">>).
{error, {missing_required_metric, av}}

score/1

-spec score(cvss_v1:cvss()) -> cvss:score().

Calculate the CVSS 1.0 score. Returns the most relevant score: Environmental > Temporal > Base.

> {ok, Cvss} = cvss_v1:parse(<<"AV:R/AC:L/Au:NR/C:C/I:C/A:C">>).
> cvss_v1:score(Cvss).
10.0

> {ok, Cvss2} = cvss_v1:parse(<<"AV:L/AC:H/Au:NR/C:C/I:C/A:C">>).
> cvss_v1:score(Cvss2).
5.6

> {ok, Cvss3} = cvss_v1:parse(<<"AV:L/AC:H/Au:R/C:N/I:N/A:N">>).
> cvss_v1:score(Cvss3).
0.0

temporal_score/1

-spec temporal_score(cvss_v1:cvss()) -> cvss:score().

Calculate the CVSS 1.0 Temporal Score. Returns the Base Score if no temporal metrics are present.

> {ok, Cvss} = cvss_v1:parse(<<"AV:R/AC:L/Au:NR/C:C/I:C/A:C/E:U/RL:OF/RC:UC">>).
> cvss_v1:temporal_score(Cvss).
6.7

valid/1

-spec valid(iodata() | cvss_v1:cvss()) -> boolean().

Check whether a CVSS 1.0 value is valid.

Accepts either a vector string or a parsed record.

> cvss_v1:valid(<<"AV:R/AC:L/Au:NR/C:C/I:C/A:C">>).
true

> cvss_v1:valid(#cvss_v1{av = remote, ac = low, au = not_required,
                         c = complete, i = complete, a = complete,
                         ib = normal}).
true

> cvss_v1:valid(<<"AV:X/AC:L/Au:NR/C:C/I:C/A:C">>).
false