Skip to content

The Common Vulnerability Scoring System (CVSS) base score calculator and validator library written in TypeScript.

License

Notifications You must be signed in to change notification settings

NeuraLegion/cvss

Repository files navigation

cvss

The Common Vulnerability Scoring System (CVSS) base score calculator and validator library written in TypeScript.

Basics 🧾

CVSS outputs numerical scores, indicating severity of vulnerability, based on some principal technical vulnerability characteristics. Its outputs include numerical scores indicating the severity of a vulnerability relative to other vulnerabilities. Link

The CVSS v3 vector string begins with the label CVSS: and numeric representation of the version. After version string, it contains a set of /-separated CVSS metrics. Each metric consists of name and value (both abbreviated) separated with ':'.

Sample

Sample CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Score is: 3.8, severity: Low

Current library limitations 🚧

CVSS specification defines three metric groups: Base, Temporal, and Environmental, but only Base metrics are supported by given library for now.

Supported CVSS versions: 3.0 and 3.1

Install 🚀

npm i --save @neuralegion/cvss

API

Score Calculator

calculateBaseScore(cvssString): number

Calculates Base Score, which depends on sub-formulas for Impact Sub-Score (ISS), Impact, and Exploitability,

calculateIss(metricsMap): number

Calculates Impact Sub-Score (ISS)

calculateImpact(metricsMap, iss): number

Calculates Impact

calculateExploitability(metricsMap): number

Calculates Exploitability

Validator

validate(cvssString): void

Throws an Error if given CVSS string is either invalid or unsupported.

Error contains verbose message with error details. Sample error messages:

  • CVSS vector must start with "CVSS:"
  • Invalid CVSS string. Example: CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
  • Unsupported CVSS version: 2.0. Only 3.0 and 3.1 are supported
  • Duplicated metric: "AC:L"
  • Missing mandatory CVSS base metric C (Confidentiality)
  • Unknown CVSS metric "X". Allowed metrics: AV, AC, PR, UI, S, C, I, A
  • Invalid value for CVSS metric PR (Privileges Required): Y. Allowed values: N (None), L (Low), H (High)
Humanizer

humanizeBaseMetric(metric)

Return un-abbreviated metric name: e.g. 'Confidentiality' for input 'C'

humanizeBaseMetricValue(value, metric)

Return un-abbreviated metric value: e.g. 'Network' for input ('AV', 'N')

Usage

ECMAScript 2015, Typescript modules
import { calculateBaseScore } from '@neuralegion/cvss';

console.log('score: ', calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'));
NodeJS (CommonJS module)
const cvss = require('@neuralegion/cvss');

console.log(cvss.calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'));
NodeJS (experimental ESM support)

usage.mjs file:

import cvss from '@neuralegion/cvss';

console.log(cvss.calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'));

Running: node --experimental-modules ./usage.mjs

Browser (globals from umd bundle)
<script src="./node_modules/@neuralegion/cvss/dist/bundle.umd.js"></script>
<script>
  alert(`Score: ${cvss.calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N')}`);
</script>
Browser (ES modules)
<script type="module">
  import { calculateBaseScore } from './node_modules/@neuralegion/cvss/dist/bundle.es.js';
  alert(`Score: ${calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N')}`);
</script>

Development 🛠

Issues and pull requests are highly welcome. 👍

Please, don't forget to lint (npm run lint) and test (npm t) the code.

License

Copyright © 2020 NeuraLegion.

This project is licensed under the MIT License - see the LICENSE file for details.