cvss_v4 (cvss v0.1.1)
CVSS 4.0 parsing, composition, validation, and scoring.
Use this module when working with CVSS 4.0 vectors directly. If the
version is not known ahead of time, use cvss instead.
Vector format: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
Functions
Calculate the CVSS 4.0 Base Score (CVSS-B). Only considers base metrics; threat and environmental metrics are ignored.
Compose a CVSS 4.0 record into a vector string.
Calculate the CVSS 4.0 Environmental Score (CVSS-BE). Considers base and environmental metrics; threat metrics are ignored.
Parse a CVSS 4.0 vector string.
Calculate the CVSS 4.0 score (CVSS-BTE). Uses all metrics present in the record (Base + Threat + Environmental). Metrics that are not explicitly set take their default values as defined by the CVSS 4.0 specification.
Calculate the CVSS 4.0 Threat Score (CVSS-BT). Considers base and threat metrics; environmental metrics are ignored.
Check whether a CVSS 4.0 value is valid.
Types
-type ac() :: low | high.
-type at() :: none | present.
-type automatable() :: no | yes.
-type av() :: network | adjacent | local | physical.
-type cia() :: none | low | high.
-type cvss() :: #cvss_v4{av :: cvss_v4:av(), ac :: cvss_v4:ac(), at :: cvss_v4:at(), pr :: cvss_v4:pr(), ui :: cvss_v4:ui(), vc :: cvss_v4:cia(), vi :: cvss_v4:cia(), va :: cvss_v4:cia(), sc :: cvss_v4:cia(), si :: cvss_v4:si_sa(), sa :: cvss_v4:si_sa(), e :: cvss_v4:exploit_maturity() | undefined, cr :: cvss_v4:requirement() | undefined, ir :: cvss_v4:requirement() | undefined, ar :: cvss_v4:requirement() | undefined, mav :: cvss_v4:av() | undefined, mac :: cvss_v4:ac() | undefined, mat :: cvss_v4:at() | undefined, mpr :: cvss_v4:pr() | undefined, mui :: cvss_v4:ui() | undefined, mvc :: cvss_v4:cia() | undefined, mvi :: cvss_v4:cia() | undefined, mva :: cvss_v4:cia() | undefined, msc :: cvss_v4:cia() | undefined, msi :: cvss_v4:si_sa() | undefined, msa :: cvss_v4:si_sa() | undefined, safety :: cvss_v4:safety() | undefined, automatable :: cvss_v4:automatable() | undefined, recovery :: cvss_v4:recovery() | undefined, value_density :: cvss_v4:value_density() | undefined, response_effort :: cvss_v4:response_effort() | undefined, urgency :: cvss_v4:urgency() | undefined}.
-type exploit_maturity() :: attacked | poc | unreported | not_defined.
-type pr() :: none | low | high.
-type recovery() :: automatic | user | irrecoverable.
-type requirement() :: low | medium | high | not_defined.
-type response_effort() :: low | moderate | high.
-type safety() :: negligible | present.
-type si_sa() :: none | low | high | safety.
-type ui() :: none | passive | active.
-type urgency() :: clear | green | amber | red.
-type value_density() :: diffuse | concentrated.
Functions
-spec base_score(cvss_v4:cvss()) -> cvss:score().
Calculate the CVSS 4.0 Base Score (CVSS-B). Only considers base metrics; threat and environmental metrics are ignored.
> {ok, Cvss} = cvss_v4:parse(<<"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H">>).
> cvss_v4:base_score(Cvss).
10.0
-spec compose(cvss_v4:cvss()) -> iolist().
Compose a CVSS 4.0 record into a vector string.
> iolist_to_binary(cvss_v4:compose(#cvss_v4{av = network, ac = low, at = none,
pr = none, ui = none,
vc = high, vi = high, va = high,
sc = high, si = high, sa = high})).
<<"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H">>
-spec environmental_score(cvss_v4:cvss()) -> cvss:score().
Calculate the CVSS 4.0 Environmental Score (CVSS-BE). Considers base and environmental metrics; threat metrics are ignored.
> {ok, Cvss} = cvss_v4:parse(<<"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/MVC:N/MVI:N/MVA:N/MSC:N/MSI:N/MSA:N">>).
> cvss_v4:environmental_score(Cvss).
0.0
-spec parse(binary()) -> {ok, cvss_v4:cvss()} | {error, cvss:parse_error()}.
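Parse a CVSS 4.0 vector string. Returns `{ok, Record}` on success and `{error, Reason}` otherwise, for example when a required metric is missing, so vectors taken from external advisories or feeds should be matched on both results rather than asserted with `{ok, _} =`. Note that the third example below accepts `S` (safety) for the base metrics SI and SA; the CVSS 4.0 specification defines that value for the modified metrics MSI and MSA, so check for it separately if strict conformance to the specification matters.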
> cvss_v4:parse(<<"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H">>).
{ok, #cvss_v4{av = network, ac = low, at = none, pr = none, ui = none,
vc = high, vi = high, va = high, sc = high, si = high, sa = high}}
> cvss_v4:parse(<<"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A">>).
{ok, #cvss_v4{av = network, ac = low, at = none, pr = none, ui = none,
vc = high, vi = high, va = high, sc = high, si = high, sa = high,
e = attacked}}
> cvss_v4:parse(<<"CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:S/SA:S">>).
{ok, #cvss_v4{av = physical, ac = low, at = none, pr = none, ui = none,
vc = high, vi = high, va = high, sc = high, si = safety, sa = safety}}
> cvss_v4:parse(<<"CVSS:4.0/AV:N">>).
{error, {missing_required_metric, ac}}
-spec score(cvss_v4:cvss()) -> cvss:score().
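Calculate the CVSS 4.0 score (CVSS-BTE). Uses all metrics present in the record (Base + Threat + Environmental). Metrics that are not explicitly set take their default values as defined by the CVSS 4.0 specification. In the specification, Not Defined (X) is scored as Attacked for Exploit Maturity and as High for CR/IR/AR, so a vector without threat or environmental data is scored at its worst case and is not lowered by the missing information.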
> {ok, Cvss} = cvss_v4:parse(<<"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H">>).
> cvss_v4:score(Cvss).
10.0
> {ok, Cvss2} = cvss_v4:parse(<<"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N">>).
> cvss_v4:score(Cvss2).
0.0
-spec threat_score(cvss_v4:cvss()) -> cvss:score().
Calculate the CVSS 4.0 Threat Score (CVSS-BT). Considers base and threat metrics; environmental metrics are ignored.
> {ok, Cvss} = cvss_v4:parse(<<"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A">>).
> cvss_v4:threat_score(Cvss).
10.0
-spec valid(iodata() | cvss_v4:cvss()) -> boolean().
Check whether a CVSS 4.0 value is valid.
Accepts either a vector string or a parsed record.
> cvss_v4:valid(<<"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H">>).
true
> cvss_v4:valid(#cvss_v4{av = network, ac = low, at = none, pr = none, ui = none,
vc = high, vi = high, va = high,
sc = high, si = high, sa = high}).
true
> cvss_v4:valid(<<"CVSS:4.0/AV:X">>).
false