cvss.c File Reference

CVSS utility functions. More...

#include "cvss.h"
#include <glib.h>
#include <math.h>
#include <strings.h>

Include dependency graph for cvss.c:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures
struct	impact_item
	Describe a CVSS impact element. More...
struct	cvss
	Describe a CVSS metrics. More...

Macros
#define	G_LOG_DOMAIN   "libgvm base"
	GLib log domain. More...
#define	AV_NETWORK   1.0
	AccessVector (AV) Constants. More...
#define	AV_ADJACENT_NETWORK   0.646
#define	AV_LOCAL   0.395
#define	AC_LOW   0.71
	AccessComplexity (AC) Constants. More...
#define	AC_MEDIUM   0.61
#define	AC_HIGH   0.35
#define	Au_MULTIPLE_INSTANCES   0.45
	Authentication (Au) Constants. More...
#define	Au_SINGLE_INSTANCE   0.56
#define	Au_NONE   0.704
#define	C_NONE   0.0
	ConfidentialityImpact (C) Constants. More...
#define	C_PARTIAL   0.275
#define	C_COMPLETE   0.660
#define	I_NONE   0.0
	IntegrityImpact (I) Constants. More...
#define	I_PARTIAL   0.275
#define	I_COMPLETE   0.660
#define	A_NONE   0.0
	AvailabilityImpact (A) Constants. More...
#define	A_PARTIAL   0.275
#define	A_COMPLETE   0.660

Enumerations
enum	base_metrics {   A, I, C, Au,   AC, AV }
	Base metrics. More...

Functions
static double	get_cvss_score_from_base_metrics_v3 (const char *cvss_str)
	Calculate CVSS Score. More...
static int	toenum (const char *str, enum base_metrics *res)
	Determine base metric enumeration from a string. More...
static double	get_impact_subscore (const struct cvss *cvss)
	Calculate Impact Sub Score. More...
static double	get_exploitability_subscore (const struct cvss *cvss)
	Calculate Exploitability Sub Score. More...
static int	set_impact_from_str (const char *value, enum base_metrics metric, struct cvss *cvss)
	Set impact score from string representation. More...
static double	__get_cvss_score (struct cvss *cvss)
	Final CVSS score computation helper. More...
double	get_cvss_score_from_base_metrics (const char *cvss_str)
	Calculate CVSS Score. More...
static double	roundup (double cvss)
	Round final score as in spec. More...
static double	v3_impact (const char *value)
	Get impact. More...

Variables
static const struct impact_item	impact_map [][3]

Detailed Description

CVSS utility functions.

This file contains utility functions for handling CVSS v2 and v3. get_cvss_score_from_base_metrics calculates the CVSS base score from a CVSS base vector.

CVSS v3.1:

See equations at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and constants at https://www.first.org/cvss/v3.1/specification-document (section 7.4. Metric Values).

CVSS v3.0:

See equations at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and constants at https://www.first.org/cvss/v3.0/specification-document (section 8.4. Metric Levels).

CVSS v2:

The base equation is the foundation of CVSS scoring. The base equation is: BaseScore6 = round_to_1_decimal(((0.6*Impact)+(0.4*Exploitability)–1.5)*f(Impact))

Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))

Exploitability = 20* AccessVector*AccessComplexity*Authentication

f(impact)= 0 if Impact=0, 1.176 otherwise AccessVector = case AccessVector of requires local access: 0.395 adjacent network accessible: 0.646 network accessible: 1.0 AccessComplexity = case AccessComplexity of high: 0.35 medium: 0.61 low: 0.71 Authentication = case Authentication of requires multiple instances of authentication: 0.45 requires single instance of authentication: 0.56 requires no authentication: 0.704 ConfImpact = case ConfidentialityImpact of none: 0.0 partial: 0.275 complete: 0.660 IntegImpact = case IntegrityImpact of none: 0.0 partial: 0.275 complete: 0.660 AvailImpact = case AvailabilityImpact of none: 0.0 partial: 0.275 complete: 0.660

Definition in file cvss.c.

Macro Definition Documentation

A_COMPLETE

#define A_COMPLETE   0.660

Complete Availability Impact.

Definition at line 125 of file cvss.c.

A_NONE

#define A_NONE   0.0

AvailabilityImpact (A) Constants.

No Availability Impact.

Definition at line 123 of file cvss.c.

A_PARTIAL

#define A_PARTIAL   0.275

Partial Availability Impact.

Definition at line 124 of file cvss.c.

AC_HIGH

#define AC_HIGH   0.35

Access Complexity High.

Definition at line 97 of file cvss.c.

AC_LOW

#define AC_LOW   0.71

AccessComplexity (AC) Constants.

Access Complexity Low.

Definition at line 95 of file cvss.c.

AC_MEDIUM

#define AC_MEDIUM   0.61

Access Complexity Medium.

Definition at line 96 of file cvss.c.

Au_MULTIPLE_INSTANCES

#define Au_MULTIPLE_INSTANCES   0.45

Authentication (Au) Constants.

Authentication multiple instances.

Definition at line 102 of file cvss.c.

Au_NONE

#define Au_NONE   0.704

No Authentication.

Definition at line 104 of file cvss.c.

Au_SINGLE_INSTANCE

#define Au_SINGLE_INSTANCE   0.56

Authentication single instances.

Definition at line 103 of file cvss.c.

AV_ADJACENT_NETWORK

#define AV_ADJACENT_NETWORK   0.646

Access Vector Adjacent Network.

Definition at line 89 of file cvss.c.

AV_LOCAL

#define AV_LOCAL   0.395

Access Vector Local.

Definition at line 90 of file cvss.c.

AV_NETWORK

#define AV_NETWORK   1.0

AccessVector (AV) Constants.

Access Vector Network.

Definition at line 88 of file cvss.c.

C_COMPLETE

#define C_COMPLETE   0.660

Complete Confidentiality Impact.

Definition at line 111 of file cvss.c.

C_NONE

#define C_NONE   0.0

ConfidentialityImpact (C) Constants.

No Confidentiality Impact.

Definition at line 109 of file cvss.c.

C_PARTIAL

#define C_PARTIAL   0.275

Partial Confidentiality Impact.

Definition at line 110 of file cvss.c.

G_LOG_DOMAIN

#define G_LOG_DOMAIN   "libgvm base"

GLib log domain.

Definition at line 75 of file cvss.c.

I_COMPLETE

#define I_COMPLETE   0.660

Complete Integrity Impact.

Definition at line 118 of file cvss.c.

I_NONE

#define I_NONE   0.0

IntegrityImpact (I) Constants.

No Integrity Impact.

Definition at line 116 of file cvss.c.

I_PARTIAL

#define I_PARTIAL   0.275

Partial Integrity Impact.

Definition at line 117 of file cvss.c.

Enumeration Type Documentation

base_metrics

enum base_metrics

Base metrics.

Enumerator
A	Availability Impact.
I	Integrity Impact.
C	Confidentiality Impact.
Au	Authentication.
AC	Access Complexity.
AV	Access Vector.

Definition at line 131 of file cvss.c.

{
  A,  
  I,  
  C,  
  Au, 
  AC, 
  AV  
};

Function Documentation

__get_cvss_score()

static double __get_cvss_score ( struct cvss *  cvss )

static

Final CVSS score computation helper.

Parameters

[in]

cvss

The CVSS structure that contains the different metrics and associated scores.

Returns

the CVSS score, as a double.

Definition at line 334 of file cvss.c.

{
  double impact = 1.176;
  double impact_sub;
  double exploitability_sub;
 
  impact_sub = get_impact_subscore (cvss);
  exploitability_sub = get_exploitability_subscore (cvss);
 
  if (impact_sub < 0.1)
    impact = 0.0;
 
  return (((0.6 * impact_sub) + (0.4 * exploitability_sub) - 1.5) * impact)
         + 0.0;
}

References get_exploitability_subscore(), and get_impact_subscore().

Referenced by get_cvss_score_from_base_metrics().

Here is the call graph for this function:

Here is the caller graph for this function:

get_cvss_score_from_base_metrics()

double get_cvss_score_from_base_metrics

(

const char *

cvss_str

)

Calculate CVSS Score.

Parameters

cvss_str

Base vector string from which to compute score.

Returns

The resulting score. -1 upon error during parsing.

Definition at line 358 of file cvss.c.

{
  struct cvss cvss;
  char *token, *base_str, *base_metrics;
 
  if (cvss_str == NULL)
    return -1.0;
 
  if (g_str_has_prefix (cvss_str, "CVSS:3.1/")
      || g_str_has_prefix (cvss_str, "CVSS:3.0/"))
    return get_cvss_score_from_base_metrics_v3 (cvss_str
                                                + strlen ("CVSS:3.X/"));
 
  memset (&cvss, 0x00, sizeof (struct cvss));
 
  base_str = base_metrics = g_strdup_printf ("%s/", cvss_str);
 
  while ((token = strchr (base_metrics, '/')) != NULL)
    {
      char *token2 = strtok (base_metrics, ":");
      char *metric_name = token2;
      char *metric_value;
      enum base_metrics mval;
      int rc;
 
      *token++ = '\0';
 
      if (metric_name == NULL)
        goto ret_err;
 
      metric_value = strtok (NULL, ":");
 
      if (metric_value == NULL)
        goto ret_err;
 
      rc = toenum (metric_name, &mval);
      if (rc)
        goto ret_err;
 
      if (set_impact_from_str (metric_value, mval, &cvss))
        goto ret_err;
 
      base_metrics = token;
    }
 
  g_free (base_str);
  return __get_cvss_score (&cvss);
 
ret_err:
  g_free (base_str);
  return (double) -1;
}

References __get_cvss_score(), get_cvss_score_from_base_metrics_v3(), set_impact_from_str(), and toenum().

Referenced by Ensure().

Here is the call graph for this function:

Here is the caller graph for this function:

get_cvss_score_from_base_metrics_v3()

static double get_cvss_score_from_base_metrics_v3 ( const char *  cvss_str )

static

Calculate CVSS Score.

Parameters

cvss_str

Vector from which to compute score, without prefix.

Returns

CVSS score, or -1 on error.

Definition at line 467 of file cvss.c.

{
  gchar **split, **point;
  int scope_changed;
  double impact_conf, impact_integ, impact_avail;
  double vector, complexity, privilege, user;
  double isc_base, impact, exploitability, base;
 
  /* https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
   * https://www.first.org/cvss/v3.1/specification-document
   * https://www.first.org/cvss/v3.0/specification-document */
 
  scope_changed = -1;
  impact_conf = -1.0;
  impact_integ = -1.0;
  impact_avail = -1.0;
  vector = -1.0;
  complexity = -1.0;
  privilege = -1.0;
  user = -1.0;
 
  /* AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N */
 
  split = g_strsplit (cvss_str, "/", 0);
  point = split;
  while (*point)
    {
      /* Scope. */
      if (strncasecmp ("S:", *point, 2) == 0)
        {
          if (strcasecmp (*point + 2, "U") == 0)
            scope_changed = 0;
          else if (strcasecmp (*point + 2, "C") == 0)
            scope_changed = 1;
        }
 
      /* Confidentiality. */
      if (strncasecmp ("C:", *point, 2) == 0)
        impact_conf = v3_impact (*point + 2);
 
      /* Integrity. */
      if (strncasecmp ("I:", *point, 2) == 0)
        impact_integ = v3_impact (*point + 2);
 
      /* Availability. */
      if (strncasecmp ("A:", *point, 2) == 0)
        impact_avail = v3_impact (*point + 2);
 
      /* Attack Vector. */
      if (strncasecmp ("AV:", *point, 3) == 0)
        {
          if (strcasecmp (*point + 3, "N") == 0)
            vector = 0.85;
          else if (strcasecmp (*point + 3, "A") == 0)
            vector = 0.62;
          else if (strcasecmp (*point + 3, "L") == 0)
            vector = 0.55;
          else if (strcasecmp (*point + 3, "P") == 0)
            vector = 0.2;
        }
 
      /* Attack Complexity. */
      if (strncasecmp ("AC:", *point, 3) == 0)
        {
          if (strcasecmp (*point + 3, "L") == 0)
            complexity = 0.77;
          else if (strcasecmp (*point + 3, "H") == 0)
            complexity = 0.44;
        }
 
      /* Privileges Required. */
      if (strncasecmp ("PR:", *point, 3) == 0)
        {
          if (strcasecmp (*point + 3, "N") == 0)
            privilege = 0.85;
          else if (strcasecmp (*point + 3, "L") == 0)
            privilege = 0.62;
          else if (strcasecmp (*point + 3, "H") == 0)
            privilege = 0.27;
          else
            privilege = -1.0;
        }
 
      /* User Interaction. */
      if (strncasecmp ("UI:", *point, 3) == 0)
        {
          if (strcasecmp (*point + 3, "N") == 0)
            user = 0.85;
          else if (strcasecmp (*point + 3, "R") == 0)
            user = 0.62;
        }
 
      point++;
    }
 
  g_strfreev (split);
 
  /* All of the base metrics are required. */
 
  if (scope_changed == -1 || impact_conf == -1.0 || impact_integ == -1.0
      || impact_avail == -1.0 || vector == -1.0 || complexity == -1.0
      || privilege == -1.0 || user == -1.0)
    return -1.0;
 
  /* Privileges Required has a special case for S:C. */
 
  if (scope_changed && privilege == 0.62)
    privilege = 0.68;
  else if (scope_changed && privilege == 0.27)
    privilege = 0.5;
 
  /* Impact. */
 
  isc_base = 1 - ((1 - impact_conf) * (1 - impact_integ) * (1 - impact_avail));
 
  if (scope_changed)
    impact = 7.52 * (isc_base - 0.029) - 3.25 * pow ((isc_base - 0.02), 15);
  else
    impact = 6.42 * isc_base;
 
  if (impact <= 0)
    return 0.0;
 
  /* Exploitability. */
 
  exploitability = 8.22 * vector * complexity * privilege * user;
 
  /* Final. */
 
  if (scope_changed)
    base = 1.08 * (impact + exploitability);
  else
    base = impact + exploitability;
 
  if (base > 10.0)
    return 10.0;
 
  return roundup (base);
}

References roundup(), and v3_impact().

Referenced by get_cvss_score_from_base_metrics().

Here is the call graph for this function:

Here is the caller graph for this function:

get_exploitability_subscore()

static double get_exploitability_subscore ( const struct cvss *  cvss )

static

Calculate Exploitability Sub Score.

Parameters

[in]

cvss

Contains the subscores associated to the metrics.

Returns

The resulting subscore.

Definition at line 261 of file cvss.c.

{
  return 20 * cvss->access_vector * cvss->access_complexity
         * cvss->authentication;
}

References cvss::access_complexity, cvss::access_vector, and cvss::authentication.

Referenced by __get_cvss_score().

Here is the caller graph for this function:

get_impact_subscore()

static double get_impact_subscore ( const struct cvss *  cvss )

static

Calculate Impact Sub Score.

Parameters

[in]

cvss

Contains the subscores associated to the metrics.

Returns

The resulting subscore.

Definition at line 244 of file cvss.c.

{
  return 10.41
         * (1
            - (1 - cvss->conf_impact) * (1 - cvss->integ_impact)
                * (1 - cvss->avail_impact));
}

References cvss::avail_impact, cvss::conf_impact, and cvss::integ_impact.

Referenced by __get_cvss_score().

Here is the caller graph for this function:

roundup()

static double roundup ( double  cvss )

static

Round final score as in spec.

Parameters

cvss	CVSS score.

Returns

Rounded score.

Definition at line 421 of file cvss.c.

{
  int trim;
 
  /* "Roundup returns the smallest number, specified to 1 decimal place,
   *  that is equal to or higher than its input. For example, Roundup (4.02)
   *  returns 4.1; and Roundup (4.00) returns 4.0." */
 
  /* 3.020000000 => 3.1 */
  /* 3.000000001 => 3.0 */
  /* 5.299996    => 5.3 */
  /* 5.500320    => 5.6 */
 
  trim = round (cvss * 100000);
  if ((trim % 10000) == 0)
    return ((double) trim) / 100000;
  return (floor (trim / 10000) + 1) / 10.0;
}

Referenced by Ensure(), and get_cvss_score_from_base_metrics_v3().

Here is the caller graph for this function:

set_impact_from_str()

static int set_impact_from_str ( const char *  value, enum base_metrics  metric, struct cvss *  cvss  )

inlinestatic

Set impact score from string representation.

Parameters

[in]	value	The literal value associated to the metric.
[in]	metric	The enumeration constant identifying the metric.
[out]	cvss	The structure to update with the score.

Returns

0 on success, -1 on error.

Definition at line 277 of file cvss.c.

{
  int i;
 
  for (i = 0; i < 3; i++)
    {
      const struct impact_item *impact;
 
      impact = &impact_map[metric][i];
 
      if (g_strcmp0 (impact->name, value) == 0)
        {
          switch (metric)
            {
            case A:
              cvss->avail_impact = impact->nvalue;
              break;
 
            case I:
              cvss->integ_impact = impact->nvalue;
              break;
 
            case C:
              cvss->conf_impact = impact->nvalue;
              break;
 
            case Au:
              cvss->authentication = impact->nvalue;
              break;
 
            case AV:
              cvss->access_vector = impact->nvalue;
              break;
 
            case AC:
              cvss->access_complexity = impact->nvalue;
              break;
 
            default:
              return -1;
            }
          return 0;
        }
    }
  return -1;
}

References A, AC, cvss::access_complexity, cvss::access_vector, Au, cvss::authentication, AV, cvss::avail_impact, C, cvss::conf_impact, I, impact_map, cvss::integ_impact, impact_item::name, and impact_item::nvalue.

Referenced by get_cvss_score_from_base_metrics().

Here is the caller graph for this function:

toenum()

static int toenum ( const char *  str, enum base_metrics *  res  )

static

Determine base metric enumeration from a string.

Parameters

[in]	str	Base metric in string form, for example "A".
[out]	res	Where to write the desired value.

Returns

0 on success, -1 on error.

Definition at line 211 of file cvss.c.

{
  int rc = 0; /* let's be optimistic */
 
  if (g_strcmp0 (str, "A") == 0)
    *res = A;
  else if (g_strcmp0 (str, "I") == 0)
    *res = I;
  else if (g_strcmp0 (str, "C") == 0)
    *res = C;
  else if (g_strcmp0 (str, "Au") == 0)
    *res = Au;
  else if (g_strcmp0 (str, "AU") == 0)
    *res = Au;
  else if (g_strcmp0 (str, "AV") == 0)
    *res = AV;
  else if (g_strcmp0 (str, "AC") == 0)
    *res = AC;
  else
    rc = -1;
 
  return rc;
}

References A, AC, Au, AV, C, and I.

Referenced by get_cvss_score_from_base_metrics().

Here is the caller graph for this function:

v3_impact()

static double v3_impact ( const char *  value )

static

Get impact.

Parameters

value

Metric value.

Returns

Impact.

Definition at line 448 of file cvss.c.

{
  if (strcasecmp (value, "N") == 0)
    return 0.0;
  if (strcasecmp (value, "L") == 0)
    return 0.22;
  if (strcasecmp (value, "H") == 0)
    return 0.56;
  return -1.0;
}

Referenced by get_cvss_score_from_base_metrics_v3().

Here is the caller graph for this function:

Variable Documentation

impact_map

const struct impact_item impact_map[][3]

static

Definition at line 80 of file cvss.c.

Referenced by set_impact_from_str().