cvss_v3 (cvss v0.1.1)
CVSS 3.0/3.1 parsing, composition, validation, and scoring.
Use this module when working with CVSS 3.x vectors directly. If the
version is not known ahead of time, use the cvss module instead.
Vector format: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Functions
Calculate the CVSS 3.x Base Score.
Compose a CVSS 3.x record into a vector string.
Calculate the CVSS 3.x Environmental Score. Returns the Temporal Score if no environmental metrics are present.
Parse a CVSS 3.0/3.1 vector string. Format: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Calculate the CVSS 3.x score. Returns the most relevant score available, preferring Environmental over Temporal over Base.
Calculate the CVSS 3.x Temporal Score. Returns the Base Score if no temporal metrics are present.
Check whether a CVSS 3.x value is valid.
Types
-type ac() :: low | high.
-type av() :: network | adjacent | local | physical.
-type cia() :: none | low | high.
-type cvss() :: #cvss_v3{version :: cvss_v3:version(), av :: cvss_v3:av(), ac :: cvss_v3:ac(), pr :: cvss_v3:pr(), ui :: cvss_v3:ui(), s :: cvss_v3:scope(), c :: cvss_v3:cia(), i :: cvss_v3:cia(), a :: cvss_v3:cia(), e :: cvss_v3:exploit_maturity() | undefined, rl :: cvss_v3:remediation_level() | undefined, rc :: cvss_v3:report_confidence() | undefined, cr :: cvss_v3:requirement() | undefined, ir :: cvss_v3:requirement() | undefined, ar :: cvss_v3:requirement() | undefined, mav :: cvss_v3:av() | not_defined | undefined, mac :: cvss_v3:ac() | not_defined | undefined, mpr :: cvss_v3:pr() | not_defined | undefined, mui :: cvss_v3:ui() | not_defined | undefined, ms :: cvss_v3:scope() | not_defined | undefined, mc :: cvss_v3:cia() | not_defined | undefined, mi :: cvss_v3:cia() | not_defined | undefined, ma :: cvss_v3:cia() | not_defined | undefined}.
-type exploit_maturity() :: unproven | poc | functional | high | not_defined.
-type pr() :: none | low | high.
-type remediation_level() :: official_fix | temporary_fix | workaround | unavailable | not_defined.
-type report_confidence() :: unknown | reasonable | confirmed | not_defined.
-type requirement() :: low | medium | high | not_defined.
-type scope() :: unchanged | changed.
-type ui() :: none | required.
-type version() :: '3.0' | '3.1'.
Functions
-spec base_score(cvss_v3:cvss()) -> cvss:score().
Calculate the CVSS 3.x Base Score.
> {ok, Cvss} = cvss_v3:parse(<<"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H">>).
> cvss_v3:base_score(Cvss).
9.8
-spec compose(cvss_v3:cvss()) -> iolist().
Compose a CVSS 3.x record into a vector string.
> iolist_to_binary(cvss_v3:compose(#cvss_v3{version = '3.1', av = network, ac = low,
pr = none, ui = none, s = unchanged,
c = high, i = high, a = high})).
<<"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H">>
-spec environmental_score(cvss_v3:cvss()) -> cvss:score().
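Calculate the CVSS 3.x Environmental Score. Returns the Temporal Score if no environmental metrics are present. In the example below, the modified impact metrics MC:N/MI:N/MA:N replace the base impact values with None, so the result is 0.0 even though the same base metrics on their own score 9.8.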
> {ok, Cvss} = cvss_v3:parse(<<"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MC:N/MI:N/MA:N">>).
> cvss_v3:environmental_score(Cvss).
0.0
-spec parse(binary()) -> {ok, cvss_v3:cvss()} | {error, cvss:parse_error()}.
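Parse a CVSS 3.0/3.1 vector string. Format: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Invalid input is reported as {error, Reason}, as the last two examples show; when the vector comes from an external source such as an advisory feed or scanner output, match on both outcomes instead of asserting {ok, _}.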
> cvss_v3:parse(<<"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H">>).
{ok, #cvss_v3{version = '3.1', av = network, ac = low, pr = none,
ui = none, s = unchanged, c = high, i = high, a = high}}
> cvss_v3:parse(<<"CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L">>).
{ok, #cvss_v3{version = '3.0', av = adjacent, ac = high, pr = low,
ui = required, s = changed, c = low, i = low, a = low}}
> cvss_v3:parse(<<"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:R">>).
{ok, #cvss_v3{version = '3.1', av = network, ac = low, pr = none,
ui = none, s = unchanged, c = high, i = high, a = high,
e = functional, rl = workaround, rc = reasonable}}
> cvss_v3:parse(<<"CVSS:3.1/AV:N/AC:L">>).
{error, {missing_required_metric, pr}}
> cvss_v3:parse(<<"not a vector">>).
{error, malformed_vector}
-spec score(cvss_v3:cvss()) -> cvss:score().
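Calculate the CVSS 3.x score. Returns the most relevant score available, preferring Environmental over Temporal over Base. Because temporal and environmental metrics in the vector change the result, call base_score/1 when the Base Score itself is needed, for example to compare against a published base score.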
> {ok, Cvss} = cvss_v3:parse(<<"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H">>).
> cvss_v3:score(Cvss).
9.8
> {ok, Cvss2} = cvss_v3:parse(<<"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H">>).
> cvss_v3:score(Cvss2).
10.0
> {ok, Cvss3} = cvss_v3:parse(<<"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N">>).
> cvss_v3:score(Cvss3).
0.0
-spec temporal_score(cvss_v3:cvss()) -> cvss:score().
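Calculate the CVSS 3.x Temporal Score. Returns the Base Score if no temporal metrics are present. Note: applying the CVSS 3.1 specification's temporal weights (E:U 0.91, RL:O 0.95, RC:U 0.92) to a 9.8 Base Score appears to give 7.8 after rounding up, so verify the output shown in the example below against the library's actual result before relying on it.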
> {ok, Cvss} = cvss_v3:parse(<<"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:U">>).
> cvss_v3:temporal_score(Cvss).
8.1
-spec valid(iodata() | cvss_v3:cvss()) -> boolean().
Check whether a CVSS 3.x value is valid.
Accepts either a vector string or a parsed record.
> cvss_v3:valid(<<"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H">>).
true
> cvss_v3:valid(#cvss_v3{version = '3.1', av = network, ac = low,
pr = none, ui = none, s = unchanged,
c = high, i = high, a = high}).
true
> cvss_v3:valid(<<"CVSS:3.1/AV:X/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H">>).
false