add support for calculating CVSS score from the CVSS vector

Reference: aboutcode-org#713 Signed-off-by: Ziad <[email protected]> resolve conflicts requirements.txt Signed-off-by: Ziad <[email protected]>
ziadhany · Sep 12, 2022 · 3797be8 · 3797be8
1 parent 377826e
commit 3797be8
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/setup.cfg b/setup.cfg
@@ -78,6 +78,7 @@ install_requires =
     defusedxml>=0.7.1
     Markdown>=3.3.0
     dateparser>=1.1.1
+    cvss>=2.4
 
     # networking
     GitPython>=3.1.17

diff --git a/vulnerabilities/severity_systems.py b/vulnerabilities/severity_systems.py
@@ -8,6 +8,10 @@
 #
 
 import dataclasses
+from decimal import Decimal
+
+from cvss import CVSS2
+from cvss import CVSS3
 
 """
 Vulnerability scoring systems define scales, values and approach to score a
@@ -17,7 +21,6 @@
 
 @dataclasses.dataclass(order=True)
 class ScoringSystem:
-
     # a short identifier for the scoring system.
     identifier: str
     # a name which represents the scoring system such as `RedHat bug severity`.
@@ -28,13 +31,20 @@ class ScoringSystem:
     # notes about that scoring system
     notes: str = ""
 
-    def as_score(self, value):
+    def as_score(self, value) -> Decimal:
         """
         Return a normalized numeric score for this scoring system  given a raw
         value. For instance this can be used to convert a CVSS vector to a base
         score.
         """
-        raise NotImplementedError
+        if self.identifier == "cvssv2_vector":
+            c = CVSS2(value)
+            return c.base_score
+        elif self.identifier in ["cvssv3_vector", "cvssv3.1_vector"]:
+            c = CVSS3(value)
+            return c.base_score
+        else:
+            raise NotImplementedError
 
 
 CVSSV2 = ScoringSystem(