From 3797be88e67b0c1e4bb34d29241b095eae827b9f Mon Sep 17 00:00:00 2001
From: Ziad
Date: Sat, 21 May 2022 13:44:35 +0200
Subject: [PATCH] add support for calculating CVSS score from the CVSS vector

Reference: #713
Signed-off-by: Ziad
resolve conflicts requirements.txt
Signed-off-by: Ziad
---
 setup.cfg | 1 +
 vulnerabilities/severity_systems.py | 16 +++++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/setup.cfg b/setup.cfg
index ee9d34239..0d21feb33 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -78,6 +78,7 @@ install_requires =
     defusedxml>=0.7.1
     Markdown>=3.3.0
     dateparser>=1.1.1
+    cvss>=2.4
 
     # networking
     GitPython>=3.1.17
diff --git a/vulnerabilities/severity_systems.py b/vulnerabilities/severity_systems.py
index dfc6412ab..8a0c2e781 100644
--- a/vulnerabilities/severity_systems.py
+++ b/vulnerabilities/severity_systems.py
@@ -8,6 +8,10 @@
 #
 
 import dataclasses
+from decimal import Decimal
+
+from cvss import CVSS2
+from cvss import CVSS3
 
 """
 Vulnerability scoring systems define scales, values and approach to score a
@@ -17,7 +21,6 @@
 @dataclasses.dataclass(order=True)
 class ScoringSystem:
-    # a short identifier for the scoring system.
     identifier: str
 
     # a name which represents the scoring system such as `RedHat bug severity`.
@@ -28,13 +31,20 @@ class ScoringSystem:
     # notes about that scoring system
     notes: str = ""
 
-    def as_score(self, value):
+    def as_score(self, value) -> Decimal:
         """
         Return a normalized numeric score for this scoring system given a raw
         value. For instance this can be used to convert a CVSS vector to a base
         score.
         """
-        raise NotImplementedError
+        if self.identifier == "cvssv2_vector":
+            c = CVSS2(value)
+            return c.base_score
+        elif self.identifier in ["cvssv3_vector", "cvssv3.1_vector"]:
+            c = CVSS3(value)
+            return c.base_score
+        else:
+            raise NotImplementedError
 
 
 CVSSV2 = ScoringSystem(
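Review bot: The new `cvss>=2.4` entry in install_requires carries only a lower bound, so any future major release of the library could change vector parsing or the computed base score under an otherwise unchanged build. The commit message says it resolved conflicts in requirements.txt, yet that file is not part of this diff; if the project pins exact versions there, the new dependency presumably needs the same treatment so the pinned and unpinned dependency sets do not drift apart. At minimum an upper bound such as `cvss>=2.4,<3` would exclude breaking major changes while still tracking fixes.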
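Review bot: The new branches in as_score hand `value` straight to `CVSS2`/`CVSS3`, so a malformed vector string (these values come from imported advisory data, not from this codebase) surfaces to callers as a library-specific parse exception instead of a ValueError they can anticipate, and the `else` branch raises a bare `NotImplementedError` that does not say which identifier was unsupported. The dispatch also only matches the three literal identifiers `cvssv2_vector`, `cvssv3_vector` and `cvssv3.1_vector`; the ScoringSystem instances that would carry them are defined outside this hunk, so it is worth confirming that at least one instance actually uses these names, otherwise every call still ends in NotImplementedError. A table-driven dispatch that wraps the parse, using the library's base exception `CVSSError` from `cvss.exceptions`, keeps the same interface while making failures attributable to a scoring system. Separately, the earlier hunk drops the `# a short identifier for the scoring system.` comment on `identifier`, the very field this method now dispatches on; restoring it would help readers.
```python
    def as_score(self, value) -> Decimal:
        # … unchanged: docstring …
        parsers = {
            "cvssv2_vector": CVSS2,
            "cvssv3_vector": CVSS3,
            "cvssv3.1_vector": CVSS3,
        }
        parser = parsers.get(self.identifier)
        if parser is None:
            raise NotImplementedError(f"No score computation for scoring system {self.identifier!r}")
        try:
            return parser(value).base_score
        except CVSSError as e:
            # surface a plain ValueError so importers can skip one bad advisory
            raise ValueError(f"Invalid {self.identifier} vector: {value!r}") from e
```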