Greenbone Vulnerability Management Libraries 22.10.0
cvss.c File Reference

CVSS utility functions. More...

#include "cvss.h"
#include <glib.h>
#include <math.h>
#include <strings.h>


Data Structures

struct  impact_item
 Describe a CVSS impact element. More...
 
struct  cvss
 Describe a CVSS metrics. More...
 
struct  cvss4_metric_def_t
 String to enum mapping and allowed values for a CVSS 4.0 metric. More...
 
struct  cvss4_macrovector_mapping_t
 Key-Value mappings of CVSS 4.0 macrovectors to scores. More...
 

Macros

#define G_LOG_DOMAIN   "libgvm base"
 GLib log domain.
 
#define AV_NETWORK   1.0
 AccessVector (AV) Constants.
 
#define AV_ADJACENT_NETWORK   0.646
 
#define AV_LOCAL   0.395
 
#define AC_LOW   0.71
 AccessComplexity (AC) Constants.
 
#define AC_MEDIUM   0.61
 
#define AC_HIGH   0.35
 
#define Au_MULTIPLE_INSTANCES   0.45
 Authentication (Au) Constants.
 
#define Au_SINGLE_INSTANCE   0.56
 
#define Au_NONE   0.704
 
#define C_NONE   0.0
 ConfidentialityImpact (C) Constants.
 
#define C_PARTIAL   0.275
 
#define C_COMPLETE   0.660
 
#define I_NONE   0.0
 IntegrityImpact (I) Constants.
 
#define I_PARTIAL   0.275
 
#define I_COMPLETE   0.660
 
#define A_NONE   0.0
 AvailabilityImpact (A) Constants.
 
#define A_PARTIAL   0.275
 
#define A_COMPLETE   0.660
 
#define CVSS_METRICS_STR_BLANK   "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
 Blank simplified CVSS 4.0 metrics string.
 
#define CVSS_MACROVECTOR_BLANK   "XXXXXX"
 Blank simplified CVSS 4.0 macrovector string.
 

Enumerations

enum  base_metrics {
  A , I , C , Au ,
  AC , AV
}
 CVSS v2 Base metrics. More...
 
enum  cvss4_metric_t {
  CVSS4_AV , CVSS4_AC , CVSS4_AT , CVSS4_PR ,
  CVSS4_UI , CVSS4_VC , CVSS4_VI , CVSS4_VA ,
  CVSS4_SC , CVSS4_SI , CVSS4_SA , CVSS4_E ,
  CVSS4_CR , CVSS4_IR , CVSS4_AR , CVSS4_MAV ,
  CVSS4_MAC , CVSS4_MAT , CVSS4_MPR , CVSS4_MUI ,
  CVSS4_MVC , CVSS4_MVI , CVSS4_MVA , CVSS4_MSC ,
  CVSS4_MSI , CVSS4_MSA , CVSS4_S , CVSS4_AU ,
  CVSS4_R , CVSS4_V , CVSS4_RE , CVSS4_U ,
  CVSS4_METRICS_MAX
}
 CVSS 4.0 metrics. More...
 

Functions

static double get_cvss_score_from_base_metrics_v3 (const char *cvss_str)
 Calculate CVSS Score.
 
static double get_cvss_score_from_metrics_v4 (const char *cvss_str)
 Calculate CVSS 4.0 Score.
 
static int toenum (const char *str, enum base_metrics *res)
 Determine base metric enumeration from a string.
 
static double get_impact_subscore (const struct cvss *cvss)
 Calculate Impact Sub Score.
 
static double get_exploitability_subscore (const struct cvss *cvss)
 Calculate Exploitability Sub Score.
 
static int set_impact_from_str (const char *value, enum base_metrics metric, struct cvss *cvss)
 Set impact score from string representation.
 
static double __get_cvss_score (struct cvss *cvss)
 Final CVSS score computation helper.
 
double get_cvss_score_from_base_metrics (const char *cvss_str)
 Calculate CVSS Score.
 
static double roundup (double cvss)
 Round final score as in spec.
 
static double v3_impact (const char *value)
 Get impact.
 
static void cvss4_init_macrovector_table ()
 Initialize the CVSS 4.0 macrovector lookup table.
 
static double cvss4_macrovector_score (const char *vector)
 Get the CVSS 4.0 score for a given macrovector string.
 
static char cvss4_m (const char *simplified_vec, cvss4_metric_t metric)
 Get the effective value of a metric in a simplified CVSS4 vector.
 
static gchar * simplify_cvss4_vector (const char *cvss_str)
 Simplify CVSS 4.0 base vector so metrics can be indexed by enum.
 
static gchar * cvss4_vector_expand (const char *vec)
 Expands a simplified CVSS 4.0 vector into its full string form.
 
static gchar * cvss4_macrovector (const char *vec)
 Calculate CVSS 4.0 macrovector from a simplified vector.
 
static void cvss4_maximal_scoring_differences (const char *macrovector, double *available_distance_eq1, double *available_distance_eq2, double *available_distance_eq3eq6, double *available_distance_eq4, double *available_distance_eq5)
 Calculate the maximal scoring differences from a CVSS 4.0 macrovector.
 
static gchar ** cvss4_max_vectors (const char *macrovector)
 Composes a list of max vectors for the given CVSS 4.0 macrovector.
 
static double cvss4_metric_level (cvss4_metric_t metric, char value)
 Get the index of a CVSS 4.0 metric value for severity distances.
 
static double cvss4_severity_distance (cvss4_metric_t metric, const char *vec, const char *max_vec)
 Calculate severity distance for a metric in two CVSS 4.0 vectors.
 
static void cvss4_current_severity_distances (const char *vec, const char *macrovector, double *current_severity_distance_eq1, double *current_severity_distance_eq2, double *current_severity_distance_eq3eq6, double *current_severity_distance_eq4, double *current_severity_distance_eq5)
 Calculate current severity distances for given CVSS 4.0 vector.
 
static void cvss4_max_severities (const char *macrovector, double *max_severity_eq1, double *max_severity_eq2, double *max_severity_eq3eq6, double *max_severity_eq4)
 Get the max severity values for a CVSS 4.0 macrovector.
 

Variables

static const struct impact_item impact_map [][3]
 
static cvss4_metric_def_t cvss4_metric_defs []
 String to enum mappings and allowed values for CVSS 4.0 metrics.
 
static const cvss4_macrovector_mapping_t cvss4_macrovector_mappings []
 CVSS 4.0 macrovector mappings.
 
static GHashTable * cvss4_macrovector_table = NULL
 Hashtable for quick lookup of CVSS macrovector scores.
 

Detailed Description

CVSS utility functions.

This file contains utility functions for handling CVSS v2, v3 and v4. get_cvss_score_from_base_metrics calculates the CVSS base score from a CVSS base vector.

CVSS v4.0:

See the CVSS v4 calculator reference implementation at https://github.com/FIRSTdotorg/cvss-v4-calculator and the CVSS 4.0 specification document at https://www.first.org/cvss/v4.0/specification-document (especially sections 7., 8.2 and 8.3).

CVSS v3.1:

See equations at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and constants at https://www.first.org/cvss/v3.1/specification-document (section 7.4. Metric Values).

CVSS v3.0:

See equations at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and constants at https://www.first.org/cvss/v3.0/specification-document (section 8.4. Metric Levels).

CVSS v2:

The base equation is the foundation of CVSS scoring. The base equation is: BaseScore6 = round_to_1_decimal(((0.6*Impact)+(0.4*Exploitability)–1.5)*f(Impact))

Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))

Exploitability = 20* AccessVector*AccessComplexity*Authentication

f(Impact) = 0 if Impact = 0, 1.176 otherwise

AccessVector = case AccessVector of
  requires local access: 0.395
  adjacent network accessible: 0.646
  network accessible: 1.0

AccessComplexity = case AccessComplexity of
  high: 0.35
  medium: 0.61
  low: 0.71

Authentication = case Authentication of
  requires multiple instances of authentication: 0.45
  requires single instance of authentication: 0.56
  requires no authentication: 0.704

ConfImpact = case ConfidentialityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660

IntegImpact = case IntegrityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660

AvailImpact = case AvailabilityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660

Macro Definition Documentation

◆ A_COMPLETE

#define A_COMPLETE   0.660

Complete Availability Impact.

◆ A_NONE

#define A_NONE   0.0

AvailabilityImpact (A) Constants.

No Availability Impact.

◆ A_PARTIAL

#define A_PARTIAL   0.275

Partial Availability Impact.

◆ AC_HIGH

#define AC_HIGH   0.35

Access Complexity High.

◆ AC_LOW

#define AC_LOW   0.71

AccessComplexity (AC) Constants.

Access Complexity Low.

◆ AC_MEDIUM

#define AC_MEDIUM   0.61

Access Complexity Medium.

◆ Au_MULTIPLE_INSTANCES

#define Au_MULTIPLE_INSTANCES   0.45

Authentication (Au) Constants.

Authentication multiple instances.

◆ Au_NONE

#define Au_NONE   0.704

No Authentication.

◆ Au_SINGLE_INSTANCE

#define Au_SINGLE_INSTANCE   0.56

Authentication single instances.

◆ AV_ADJACENT_NETWORK

#define AV_ADJACENT_NETWORK   0.646

Access Vector Adjacent Network.

◆ AV_LOCAL

#define AV_LOCAL   0.395

Access Vector Local.

◆ AV_NETWORK

#define AV_NETWORK   1.0

AccessVector (AV) Constants.

Access Vector Network.

◆ C_COMPLETE

#define C_COMPLETE   0.660

Complete Confidentiality Impact.

◆ C_NONE

#define C_NONE   0.0

ConfidentialityImpact (C) Constants.

No Confidentiality Impact.

◆ C_PARTIAL

#define C_PARTIAL   0.275

Partial Confidentiality Impact.

◆ CVSS_MACROVECTOR_BLANK

#define CVSS_MACROVECTOR_BLANK   "XXXXXX"

Blank simplified CVSS 4.0 macrovector string.

◆ CVSS_METRICS_STR_BLANK

#define CVSS_METRICS_STR_BLANK   "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

Blank simplified CVSS 4.0 metrics string.

◆ G_LOG_DOMAIN

#define G_LOG_DOMAIN   "libgvm base"

GLib log domain.

◆ I_COMPLETE

#define I_COMPLETE   0.660

Complete Integrity Impact.

◆ I_NONE

#define I_NONE   0.0

IntegrityImpact (I) Constants.

No Integrity Impact.

◆ I_PARTIAL

#define I_PARTIAL   0.275

Partial Integrity Impact.

Enumeration Type Documentation

◆ base_metrics

CVSS v2 Base metrics.

Enumerator

A 

Availability Impact.

I 

Integrity Impact.

C 

Confidentiality Impact.

Au 

Authentication.

AC 

Access Complexity.

AV 

Access Vector.

◆ cvss4_metric_t

CVSS 4.0 metrics.

Enumerator
CVSS4_AV 

Attack Vector

CVSS4_AC 

Attack Complexity

CVSS4_AT 

Attack Requirements

CVSS4_PR 

Privileges Required

CVSS4_UI 

User Interaction

CVSS4_VC 

Confidentiality Impact to the Vulnerable System

CVSS4_VI 

Integrity Impact to the Vulnerable System

CVSS4_VA 

Availability Impact to the Vulnerable System

CVSS4_SC 

Confidentiality Impact to the Subsequent System

CVSS4_SI 

Integrity Impact to the Subsequent System

CVSS4_SA 

Availability Impact to the Subsequent System

CVSS4_E 

Exploit Maturity

CVSS4_CR 

Confidentiality Requirement

CVSS4_IR 

Integrity Requirement

CVSS4_AR 

Availability Requirement

CVSS4_MAV 

Modified Attack Vector

CVSS4_MAC 

Modified Attack Complexity

CVSS4_MAT 

Modified Attack Requirements

CVSS4_MPR 

Modified Privileges Required

CVSS4_MUI 

Modified User Interaction

CVSS4_MVC 

Modified Confidentiality Impact to the Vulnerable System

CVSS4_MVI 

Modified Integrity Impact to the Vulnerable System

CVSS4_MVA 

Modified Availability Impact to the Vulnerable System

CVSS4_MSC 

Modified Confidentiality Impact to the Subsequent System

CVSS4_MSI 

Modified Integrity Impact to the Subsequent System

CVSS4_MSA 

Modified Availability Impact to the Subsequent System

CVSS4_S 

Safety

CVSS4_AU 

Automatable

CVSS4_R 

Recovery

CVSS4_V 

Value Density

CVSS4_RE 

Vulnerability Response Effort

CVSS4_U 

Provider Urgency

CVSS4_METRICS_MAX 

Maximum number of metrics

Function Documentation

◆ __get_cvss_score()

static double __get_cvss_score ( struct cvss * cvss)
static

Final CVSS score computation helper.

Parameters
[in] cvss — The CVSS structure that contains the different metrics and their associated scores.
Returns
The CVSS score, as a double.

◆ cvss4_current_severity_distances()

static void cvss4_current_severity_distances ( const char * vec,
const char * macrovector,
double * current_severity_distance_eq1,
double * current_severity_distance_eq2,
double * current_severity_distance_eq3eq6,
double * current_severity_distance_eq4,
double * current_severity_distance_eq5 )
static

Calculate current severity distances for given CVSS 4.0 vector.

Parameters
[in] vec — The vector in simplified form.
[in] macrovector — The corresponding macrovector.
[out] current_severity_distance_eq1 — Distance for EQ1.
[out] current_severity_distance_eq2 — Distance for EQ2.
[out] current_severity_distance_eq3eq6 — Distance for EQ3 and EQ6.
[out] current_severity_distance_eq4 — Distance for EQ4.
[out] current_severity_distance_eq5 — Distance for EQ5.

◆ cvss4_init_macrovector_table()

static void cvss4_init_macrovector_table ( )
static

Initialize the CVSS 4.0 macrovector lookup table.

◆ cvss4_m()

static char cvss4_m ( const char * simplified_vec,
cvss4_metric_t metric )
static

Get the effective value of a metric in a simplified CVSS4 vector.

As this only returns the first character, the Provider Urgency metric (CVSS4_U) needs special handling to get the full string.

Parameters
[in] simplified_vec — The simplified vector string to read the value from.
[in] metric — The metric whose value is wanted.
Returns
The metric value as a single character.

◆ cvss4_macrovector()

static gchar * cvss4_macrovector ( const char * vec)
inlinestatic

Calculate CVSS 4.0 macrovector from a simplified vector.

Parameters
[in] vec — The simplified vector to compute the macrovector of.
Returns
The macrovector.

◆ cvss4_macrovector_score()

static double cvss4_macrovector_score ( const char * vector)
inlinestatic

Get the CVSS 4.0 score for a given macrovector string.

Parameters
[in] vector — The macrovector to look up.
Returns
The score of the given vector, or -1.0 if the macrovector is invalid.

◆ cvss4_max_severities()

static void cvss4_max_severities ( const char * macrovector,
double * max_severity_eq1,
double * max_severity_eq2,
double * max_severity_eq3eq6,
double * max_severity_eq4 )
static

Get the max severity values for a CVSS 4.0 macrovector.

The returned values are the MaxSeverity values already multiplied by 0.1.

Parameters
[in] macrovector — The macrovector to get the max severity values for.
[out] max_severity_eq1 — Max severity for EQ1.
[out] max_severity_eq2 — Max severity for EQ2.
[out] max_severity_eq3eq6 — Max severity for EQ3 and EQ6.
[out] max_severity_eq4 — Max severity for EQ4.

◆ cvss4_max_vectors()

static gchar ** cvss4_max_vectors ( const char * macrovector)
static

Composes a list of max vectors for the given CVSS 4.0 macrovector.

Parameters
[in] macrovector — The macrovector to get the max vectors of.
Returns
NULL-terminated array of vectors in simplified form.

◆ cvss4_maximal_scoring_differences()

static void cvss4_maximal_scoring_differences ( const char * macrovector,
double * available_distance_eq1,
double * available_distance_eq2,
double * available_distance_eq3eq6,
double * available_distance_eq4,
double * available_distance_eq5 )
static

Calculate the maximal scoring differences from a CVSS 4.0 macrovector.

Parameters
[in] macrovector — The macrovector to get the maximal scoring differences for.
[out] available_distance_eq1 — Maximal scoring difference for EQ1.
[out] available_distance_eq2 — Maximal scoring difference for EQ2.
[out] available_distance_eq3eq6 — Maximal scoring difference for EQ3 and EQ6.
[out] available_distance_eq4 — Maximal scoring difference for EQ4.
[out] available_distance_eq5 — Maximal scoring difference for EQ5.

◆ cvss4_metric_level()

static double cvss4_metric_level ( cvss4_metric_t metric,
char value )
static

Get the index of a CVSS 4.0 metric value for severity distances.

Parameters
[in] metric — The metric to check.
[in] value — The value of the given metric.
Returns
The index value.

◆ cvss4_severity_distance()

static double cvss4_severity_distance ( cvss4_metric_t metric,
const char * vec,
const char * max_vec )
inlinestatic

Calculate severity distance for a metric in two CVSS 4.0 vectors.

Parameters
[in] metric — The metric to calculate the severity distance for.
[in] vec — The vector to be scored, in simplified form.
[in] max_vec — The max vector to subtract, in simplified form.
Returns
The severity distance.

◆ cvss4_vector_expand()

static gchar * cvss4_vector_expand ( const char * vec)
static

Expands a simplified CVSS 4.0 vector into its full string form.

Parameters
[in] vec — The simplified vector to expand.
Returns
The full vector, including the "CVSS:4.0/" prefix.

◆ get_cvss_score_from_base_metrics()

double get_cvss_score_from_base_metrics ( const char * cvss_str)

Calculate CVSS Score.

Parameters
cvss_str — Base vector string from which to compute the score.
Returns
The resulting score, or -1 if the vector could not be parsed.

◆ get_cvss_score_from_base_metrics_v3()

static double get_cvss_score_from_base_metrics_v3 ( const char * cvss_str)
static

Calculate CVSS Score.

Parameters
cvss_str — Vector from which to compute the score, without prefix.
Returns
CVSS score, or -1 on error.

◆ get_cvss_score_from_metrics_v4()

static double get_cvss_score_from_metrics_v4 ( const char * cvss_str)
static

Calculate CVSS 4.0 Score.

Parameters
cvss_str — Vector from which to compute the score, without prefix.
Returns
CVSS score, or -1 on error.

◆ get_exploitability_subscore()

static double get_exploitability_subscore ( const struct cvss * cvss)
static

Calculate Exploitability Sub Score.

Parameters
[in] cvss — Contains the subscores associated with the metrics.
Returns
The resulting subscore.

◆ get_impact_subscore()

static double get_impact_subscore ( const struct cvss * cvss)
static

Calculate Impact Sub Score.

Parameters
[in] cvss — Contains the subscores associated with the metrics.
Returns
The resulting subscore.

◆ roundup()

static double roundup ( double cvss)
static

Round final score as in spec.

Parameters
cvss — CVSS score.
Returns
Rounded score.

◆ set_impact_from_str()

static int set_impact_from_str ( const char * value,
enum base_metrics metric,
struct cvss * cvss )
inlinestatic

Set impact score from string representation.

Parameters
[in] value — The literal value associated with the metric.
[in] metric — The enumeration constant identifying the metric.
[out] cvss — The structure to update with the score.
Returns
0 on success, -1 on error.

◆ simplify_cvss4_vector()

static gchar * simplify_cvss4_vector ( const char * cvss_str)
static

Simplify CVSS 4.0 base vector so metrics can be indexed by enum.

The vector is simplified to a strictly ordered character array with each character index corresponding to the cvss4_base_metrics enum value and using 'X' for undefined metric values.

This relies on all allowed values being single characters, or having unique first characters in case of the Provider Urgency metric.

Parameters
[in] cvss_str — The original vector without the prefix "CVSS:4.0/".
Returns
A simplified vector string as described above, or NULL on error.

◆ toenum()

static int toenum ( const char * str,
enum base_metrics * res )
static

Determine base metric enumeration from a string.

Parameters
[in] str — Base metric in string form, for example "A".
[out] res — Where to write the resulting enumeration value.
Returns
0 on success, -1 on error.

◆ v3_impact()

static double v3_impact ( const char * value)
static

Get impact.

Parameters
value — Metric value.
Returns
Impact.

Variable Documentation

◆ cvss4_macrovector_mappings

const cvss4_macrovector_mapping_t cvss4_macrovector_mappings[]
static

CVSS 4.0 macrovector mappings.

This list has been generated from the lookup table in the FIRST CVSS calculator reference implementation at https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/main/cvss_lookup.js

◆ cvss4_macrovector_table

GHashTable* cvss4_macrovector_table = NULL
static

Hashtable for quick lookup of CVSS macrovector scores.

Macrovector scores should be looked up with cvss4_macrovector_score which ensures the table is initialized and returns the scores as double values instead of pointers.

◆ cvss4_metric_defs

cvss4_metric_def_t cvss4_metric_defs[]
static

String to enum mappings and allowed values for CVSS 4.0 metrics.

Notes:

  • The Provider Urgency metric can be longer than one character, so it needs special handling.
  • The original specification only lists the value S (Safety) for the modified metrics MSI and MSA, but the calculator reference implementation also uses it for the unmodified ones, SI and SA.

◆ impact_map

const struct impact_item impact_map[][3]
static