[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CVSS logo

Common Vulnerability Scoring System v3.1: Calculator Use & Design

This guide covers the following aspects of the CVSS Calculator:

Calculator Use

The CVSS calculator implements the formula defined in the CVSS version 3.1 standard, generating scores based on the metric values you enter. You should refer to the standard for details of the metrics to ensure you pick the correct values for a given vulnerability. Hovering your mouse pointer over metric group names, metric names and metric values displays a summary of the information in the standard. This feature is not available on devices with no pointer, such as touchscreen devices.

The standard only defines scores when all Base metrics have values. If one or more Base metrics have no value set, no score is displayed and a reminder that all values first need to be set is shown. Select values for all Base metrics to enable scoring.

The standard defines a concise representation of the metric values forming a CVSS score, known as a Vector String. When you have chosen a value for every Base metric, the Vector String will be displayed beneath the Base score. This will be updated as you make further changes to metric values. Right-clicking on the Vector String selects the entire string, making it easier to copy.

A Vector String can be passed on the URL to set the calculator metric buttons to the values given in the URL. The Vector String must conform to the format specified in the CVSS v3.1 standard. As per the standard, it must include all Base metrics. Temporal and Environmental metrics are optional and will default to "Not Defined (X)" if not included in the Vector String. It is permissible to include some but not all Temporal and Environmental metrics. An example URL is: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L

When all Base metrics are chosen, the Vector String is added to the URL (if it wasn't already present), and updated if further metric changes are made. This enables the whole URL to be copied and used to link to the calculator in a way that restores the current metric values and scores.

The calculator may not work correctly with Microsoft Internet Explorer.

Changelog

The following changes have been made to the CVSS Calculator since it was first made available. The changes are listed starting with the most recent.

10 June 2019
  • Created the CVSS v3.1 Calculator based on the CVSS v3.0 Calculator code, updated with the changes made between the CVSS v3.0 and CVSS v3.1 standards, mainly changes to metric descriptions and minor modifications to the underlying formulas.

CVSS Calculator Technical Design

This section explains the CVSS Calculator's implementation. This may be useful if you wish to implement your own CVSS calculator based on FIRST's code. Each file is listed with an explanation of how it may be useful in your CVSS calculator implementation.

JavaScript Functions in cvsscalc31.js

The following is a summary of available functions. The comments preceding the function definitions in the source code provide more detail.

CVSS.calculateCVSSFromMetrics

Takes Base, Temporal and Environmental metric values as individual parameters and returns: scores for each, severity ratings for each, and a complete Vector String. The input parameters are:

Parameter values are passed in the short format defined in the CVSS v3.1 standard definition of the Vector String. For example, the AttackComplexity parameter should be either "H" or "L". All Base metrics are mandatory; Temporal and Environmental metrics are optional. The function returns an object. The object always has a Boolean property named "success" that will be "true" if no error occurred. Assuming this to be the case, the following properties are also defined:

Each "Score" property contains a number representing the score, each "Severity" property contains a string with the associated severity rating, and the "vectorString" property is a complete Vector String.

An example of a call to this function is:

var output = CVSS31.calculateCVSSFromMetrics('N','L','N','R','C','L','L','N');

var result;
if (output.success === true) {
  result =
    "Base score is " + output.baseMetricScore + ". " +
    "Base severity is " + output.baseSeverity + ". " +
    "Temporal score is " + output.temporalMetricScore + ". " +
    "Temporal severity is " + output.temporalSeverity + ". " +
    "Environmental score is " + output.environmentalMetricScore + ". " +
    "Environmental severity is " + output.environmentalSeverity + ". " +
    "Vector string is " + output.vectorString + ". ";
} else {
  result =
    "An error occurred. The error type is '" + errorType +
    "' and the metrics with errors are " + errorMetrics + ".";
}

alert (result);

This displays an alert box with the contents:

Base score is 6.1. Base severity is Medium. Temporal score is 6.1. Temporal severity is Medium. Environmental score is 6.1. Environmental severity is Medium. Vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Refer to the source code for more details on how errors are returned.

CVSS.calculateCVSSFromVector

This is similar to the previous function except that it takes a Vector String as input. Outputs are the same, except that additional error types are defined to handle problems in the format of the Vector String.

var output = CVSS31.calculateCVSSFromVector("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/RL:O/CR:L");

var result;
if (output.success === true) {
  result =
    "Base score is " + output.baseMetricScore + ". " +
    "Base severity is " + output.baseSeverity + ". " +
    "Temporal score is " + output.temporalMetricScore + ". " +
    "Temporal severity is " + output.temporalSeverity + ". " +
    "Environmental score is " + output.environmentalMetricScore + ". " +
    "Environmental severity is " + output.environmentalSeverity + ". " +
    "Vector string is " + output.vectorString + ". ";
} else {
  result =
    "An error occurred. The error type is '" + output.errorType +
    "' and the metrics with errors are " + output.errorMetrics + ".";
}

alert (result);

This displays an alert box with the contents:

Base score is 8.6. Base severity is High. Temporal score is 8.2. Temporal severity is High. Environmental score is 6.0. Environmental severity is Medium. Vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/RL:O/CR:L.

CVSS.roundUp1

Takes an integer as input and returns it rounded up to one decimal place. An example of a call to this function is:

alert (CVSS31.roundUp1(3.141));

This displays an alert box with the contents:

3.2

CVSS.severityRating

Takes a CVSS score as input and returns the severity rating name associated with that score. An example of a call to this function is:

var rating = CVSS31.severityRating(4.8);

var result;
if (typeof rating === 'string') {
  result = "Returned severity rating is " + rating;
} else if (typeof rating === 'undefined') {
  result = "The input is not within the range of any defined severity rating.";
} else {
  result = "The input is not recognized as a number.";
}

alert (result);

This displays an alert box with the contents:

Returned severity rating is Medium.

CVSS.generateXMLFromMetrics

This is a rudimentary function to demonstrate how an XML representation of a given set of metric values can be generated. The inputs and errors are the same as for the CVSS.calculateCVSSFromMetrics function. The output is a string containing an XML representation of the metric values passed. If no error occurs, the string will be available in the xmlString property of the returned object.

An example of a call to this function is:

var output = CVSS31.generateXMLFromMetrics('N','L','N','R','C','L','L','N',undefined,'W');

var result;
if (output.success === true) {
  result = output.xmlString;
} else {
  result =
    "An error occurred. The error type is '" + errorType +
    "' and the metrics with errors are " + errorMetrics + ".";
}

alert (result);

This displays an alert box whose contents begin with:

<?xml version="1.0" encoding="UTF-8"?>
<cvssv3.1 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="https://www.first.org/cvss/cvss-v3.1.xsd https://www.first.org/cvss/cvss-v3.1.xsd"
  >

  <base_metrics>
    <attack-vector>NETWORK</attack-vector>
    <attack-complexity>LOW</attack-complexity>
    <privileges-required>NONE</privileges-required>
    …

Refer to the source code for more details on how errors are returned.

CVSS.generateXMLFromVector

This is a rudimentary function to demonstrate how an XML representation of a given Vector String can be generated. It is similar to the previous function except that it takes a Vector String as input. Outputs are the same, except that additional error types are defined to handle problems in the format of the Vector String.

An example of a call to this function is:

var output = CVSS31.generateXMLFromVector('CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:W');

var result;
if (output.success === true) {
  result = output.xmlString;
} else {
  result =
    "An error occurred. The error type is '" + errorType +
    "' and the metrics with errors are " + errorMetrics + ".";
}

alert (result);

This displays an alert box whose contents begin with:

<?xml version="1.0" encoding="UTF-8"?>
<cvssv3.1 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="https://www.first.org/cvss/cvss-v3.1.xsd https://www.first.org/cvss/cvss-v3.1.xsd"
  >

  <base_metrics>
    <attack-vector>NETWORK</attack-vector>
    <attack-complexity>LOW</attack-complexity>
    <privileges-required>NONE</privileges-required>
    …

Refer to the source code for more details on how errors are returned.

XML Schema Definition

It is sometimes useful to represent the CVSS metric values and scores for a vulnerability in XML format, e.g. to transfer CVSS data between systems. CVSS v3.1 has an XML Schema Definition (XSD) that defines an XML format for CVSS v3.1 vulnerabilities. The CVSS.generateXMLFromMetrics and CVSS.generateXMLFromVector functions output a given set of CVSS metrics in this XML format, and maybe a useful starting point if you wish to use XML. The following XSD files are available: