def get_cvss3(stringCVSS3):
# Returns FLOAT CVSS3 Score...
# It accepts:
# AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
# CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
return calculate_vector(stringCVSS3, cvss3)[0]
def transform_cvssv2_to_cvssv3(cve: dict):
"""
Transform CVSSv2 vector and score of given CVE to CVSSv3
"""
# Conversion incentives are taken from: https://security.stackexchange.com/questions/127335/how-to-convert-risk-scores-cvssv1-cvssv2-cvssv3-owasp-risk-severity
converted_cvssv3_vector = ""
vector_fields = cve["vector_short"].split(
"/") # remove left and right parenthesis
for vector_field in vector_fields:
key, val = vector_field.split(":")
# straightforware value conversion
if key == "AC":
if val == "M":
val = "L"
elif key == "Au":
if val == "S":
val = "L"
elif val == "M":
val = "H"
key = "PR"
elif key in ("C", "I", "A"):
if val == "C":
val = "H"
elif val == "P":
val = "H"
elif val == "N":
val = "N"
elif key == "RL":
if val == "OF":
val = "O"
elif val == "TF":
val = "T"
elif val == "ND":
val = "X"
elif key == "RC":
if val == "UR":
val = "R"
elif val == "UC":
val = "U"
elif val == "ND":
val = "X"
converted_cvssv3_vector += "%s:%s/" % (key, val)
# always declare Scope as "unchanged"
converted_cvssv3_vector += "S:U/"
# derive value for user interaction from access complexity metric
if "AC:H" in cve["vector_short"] or "AC:M" in cve["vector_short"]:
converted_cvssv3_vector += "UI:R/"
else:
converted_cvssv3_vector += "UI:N/"
converted_cvssv3_vector = converted_cvssv3_vector[:-1] # remove trailing /
# backup the original CVSSv2 information and add the CVSSv3 information
if "vector_detail" in cve:
del cve["vector_detail"]
cve["orig_cvssv2"] = cve["cvssv2"]
del cve["cvssv2"]
cve["orig_cvssv2_vector"] = cve["vector_short"]
del cve["vector_short"]
cve["vector_short"] = ("CVSS:3.0/%s" % converted_cvssv3_vector).replace(
"(", "")
vector_v3 = "CVSS:3.0/" + converted_cvssv3_vector
cvssv3 = calculate_vector(
vector_v3, cvss3)[0] # get base score of cvssv3 score vector
cve["cvssv3"] = cvssv3
def compute(self):
def getname(obj, name):
_val = None
if hasattr(obj, name):
_val = getattr(obj, name, None)
if _val is None:
return _val
# handling for values from a method
if isinstance(_val, str):
return _val
try:
if _val.isdynamic:
raise ValueError('Cvssv2 plugin cannot process %s because it contains a dynamic class' % name)
except AttributeError:
raise TypeError('Expected an attribute but got a %s' % type(_val))
if _val.issingleton():
_ret = '%s' % _val[0].raw()
else:
raise ValueError('Cvssv2 method plugin specified in user defined class %s '
'only works on singleton attributes' % striptoclassname(type(self.targetobject)))
return _ret
attrid = (p.Literal('@') | p.Literal('!')).suppress() + p.Word(p.alphanums)
attrexpr = attrid.setResultsName('attribute')
parseresult = attrexpr.parseString(self.config)
_attrname = parseresult.get('attribute', None)[0]
if _attrname is None:
raise ValueError('The configuration string provided to the Cvssv2 method '
'plugin in user defined class %s does not contain an '
'identifiable attribute. Please provide a configuration '
'string in the form of \'@attribute[#:#]\'' % striptoclassname(type(self.targetobject)))
self.vector = getname(self.targetobject, _attrname)
if isinstance(self.vector, str):
self.computable = True
if self.computable:
try:
_score = calculate_vector(self.vector, cvss2)
_index = len([c for c in _score if c is not None]) - 1
self.__result__ = _score[_index]
#self.__result__ = ', '.join(str(i) for i in _score)
except Exception as err:
raise Exception('When the Cvssv2 method plugin used in '
'the %s class attempted to process the provided '
'vector string from %s in %s, the following '
'error occured: %s' %
(
striptoclassname(type(self.targetobject)),
_attrname,
self.targetobject.__context__['file'],
err
))
def CVSS_modscore(vector):
# Return base score for given CVSS vector string
score = calculate_vector(vector, cvss31)
# Returned list order is base score, temporal score, environmental score
return score[2]
from cvsslib import cvss2, cvss3, rvss, calculate_vector
# vector_v2 = "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
# "AV:L/AC:M/Au:S/C:N/I:P/A:C/E:U/RL:OF/RC:UR/CDP:N/TD:L/CR:H/IR:H/AR:H"
vector = "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
# print(calculate_vector(vector_v2, cvss2))
vector_v3 = "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:H/MPR:N"
# print("base_score, temporal_score and environment_score: "+str(calculate_vector(vector, cvss3)))
print("base_score, temporal_score and environment_score: " +
str(calculate_vector(vector, rvss)))
def _refresh_vprating(vuln_id, asset_metadata={}):
from vulns.serializers import VulnSerializer
vpr = VPRating.objects.filter(vuln_id=vuln_id).first()
if vpr is None:
vpr = VPRating()
# vuln = vpr.vuln.__dict__
vuln = VulnSerializer(vpr.vuln).data
# exploits = vuln.exploitmetata_set.all()
vpr.data = {
'vuln': {
'published': vuln.get('published', None),
'modified': vuln.get('modified', None),
'cvss': vuln.get('cvss', None),
'cvss_time': vuln.get('cvss_time', None),
'cvss_vector': vuln.get('cvss_vector', None),
'access': vuln.get('access', None),
'impact': vuln.get('impact', None),
'is_confirmed': vuln.get('is_confirmed', None)
},
"threats": {
'is_exploitable': vuln.get('is_exploitable', None),
'is_in_the_wild': vuln.get('is_in_the_wild', None),
'is_in_the_news': vuln.get('is_in_the_news', None)
},
'asset': {
'criticality': asset_metadata.get('criticality', None),
'exposure': asset_metadata.get('exposure', None),
'distribution': asset_metadata.get('distribution', None),
}
}
vpr.vector = vpr.data['vuln']['cvss_vector']
# AdjustTemporal Score
# if vpr.data['exploit']['is_exploitable'] not in [None, False]:
if vpr.data['threats']['is_exploitable'] not in [None, False]:
vpr.vector += "/E:H"
if vpr.data['bulletin']['is_confirmed'] not in [None, False]:
vpr.vector += "/RC:C"
# Adjust Environmental Score
if vpr.data['asset']['criticality'] is not None:
if vpr.data['asset']['criticality'] == "high":
vpr.vector += "/CDP:H"
elif vpr.data['asset']['criticality'] == "medium":
vpr.vector += "/CDP:MH"
elif vpr.data['asset']['criticality'] == "low":
vpr.vector += "/CDP:LM"
if vpr.data['asset']['exposure'] is not None:
if vpr.data['asset']['exposure'] == "internet":
vpr.vector += "/TD:H"
elif vpr.data['asset']['exposure'] == "internal":
vpr.vector += "/TD:M"
elif vpr.data['asset']['exposure'] == "dmz":
vpr.vector += "/TD:L"
adjusted_cvss2_scores = calculate_vector(vpr.vector, cvss2)
# print("adjusted_cvss2_scores:", adjusted_cvss2_scores)
# vpr.cvssv2adj = adjusted_cvss2_scores
vpr.save()
return vpr
def _calc_vprating(vuln, asset_metadata={}, save=False, org=None):
# print("_calc_vprating():", vuln)
# print("_calc_vprating():", org)
vpr = VPRating(vuln=vuln)
v = vuln.__dict__
vpr.data = {
'vulnerability': {
'published': v.get('published', None),
'modified': v.get('modified', None),
'cvss': v.get('cvss', 5.0),
'cvss_time': v.get('cvss_time', None),
'cvss_vector': v.get('cvss_vector', None),
'access': v.get('access', {None}),
'impact': v.get('impact', {None}),
'is_confirmed': v.get('is_confirmed', False),
'remediation': v.get('remediation', False) # TODO
},
"threat": {
'is_exploitable': v.get('is_exploitable', False),
'is_in_the_wild': v.get('is_in_the_wild', False),
'is_in_the_news': v.get('is_in_the_news', False)
},
'asset': {
'criticality': asset_metadata.get('criticality', None),
'exposure': asset_metadata.get('exposure', None),
'distribution': asset_metadata.get('distribution', None),
}
}
cvss2adj_vector = ""
if vpr.data['vulnerability']['cvss_vector'] is not None:
cvss2adj_vector = vpr.data['vulnerability']['cvss_vector']
# AdjustTemporal Score
if vpr.data['threat']['is_exploitable'] not in [None, False]:
cvss2adj_vector += "/E:H"
if vpr.data['vulnerability']['is_confirmed'] not in [None, False]:
cvss2adj_vector += "/RC:C"
# Adjust Environmental Score
if vpr.data['asset']['criticality'] is not None:
if vpr.data['asset']['criticality'] == "high":
cvss2adj_vector += "/CDP:H"
elif vpr.data['asset']['criticality'] == "medium":
cvss2adj_vector += "/CDP:MH"
elif vpr.data['asset']['criticality'] == "low":
cvss2adj_vector += "/CDP:LM"
if vpr.data['asset']['exposure'] is not None:
if vpr.data['asset']['exposure'] == "internet":
cvss2adj_vector += "/TD:H"
elif vpr.data['asset']['exposure'] == "internal":
cvss2adj_vector += "/TD:M"
elif vpr.data['asset']['exposure'] == "dmz":
cvss2adj_vector += "/TD:L"
vpr.cvssv2adj = calculate_vector(cvss2adj_vector, cvss2)
vpr.vector = cvss2adj_vector
vpr.calc_score(org=org)
if save is True:
vpr.save()
# print("END: CVSSv2 Adjusted:", vpr.cvssv2adj, "VPRating:", vpr.score)
return vpr
def cvss_v3_score(self):
try:
return calculate_vector(self.cvss_v3_vector, cvss3)[0]
except:
return 0