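/* GLib log domain for this file. */
#define G_LOG_DOMAIN "libgvm base"

/*
 * CVSS v2 base-metric weights.
 *
 * Only the constants reproduced in this listing appear below. The remaining
 * members of each group (AV_NETWORK, AV_LOCAL, AC_LOW, AC_MEDIUM, AC_HIGH,
 * Au_NONE, C_NONE, I_NONE, A_NONE) are defined on lines of cvss.c that the
 * listing omits.
 *
 * These values feed directly into the severity score reported for a
 * finding, so any change must be checked against the CVSS v2 specification.
 * The CVSS v3 code path in this file does not use these macros; it spells
 * its weights out as literals.
 */

/* AccessVector (AV). */
#define AV_ADJACENT_NETWORK 0.646

/* Authentication (Au). */
#define Au_MULTIPLE_INSTANCES 0.45
#define Au_SINGLE_INSTANCE 0.56

/* ConfidentialityImpact (C). */
#define C_PARTIAL 0.275
#define C_COMPLETE 0.660

/* IntegrityImpact (I). */
#define I_PARTIAL 0.275
#define I_COMPLETE 0.660

/* AvailabilityImpact (A). */
#define A_PARTIAL 0.275
#define A_COMPLETE 0.660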
215 if (g_strcmp0 (str,
"A") == 0)
217 else if (g_strcmp0 (str,
"I") == 0)
219 else if (g_strcmp0 (str,
"C") == 0)
221 else if (g_strcmp0 (str,
"Au") == 0)
223 else if (g_strcmp0 (str,
"AU") == 0)
225 else if (g_strcmp0 (str,
"AV") == 0)
227 else if (g_strcmp0 (str,
"AC") == 0)
282 for (i = 0; i < 3; i++)
288 if (g_strcmp0 (impact->
name, value) == 0)
336 double impact = 1.176;
338 double exploitability_sub;
343 if (impact_sub < 0.1)
346 return (((0.6 * impact_sub) + (0.4 * exploitability_sub) - 1.5) * impact)
363 if (cvss_str == NULL)
366 if (g_str_has_prefix (cvss_str,
"CVSS:3.1/")
367 || g_str_has_prefix (cvss_str,
"CVSS:3.0/"))
369 + strlen (
"CVSS:3.X/"));
371 memset (&
cvss, 0x00,
sizeof (
struct cvss));
373 base_str =
base_metrics = g_strdup_printf (
"%s/", cvss_str);
378 char *metric_name = token2;
385 if (metric_name == NULL)
388 metric_value = strtok (NULL,
":");
390 if (metric_value == NULL)
393 rc =
toenum (metric_name, &mval);
434 trim = round (
cvss * 100000);
435 if ((trim % 10000) == 0)
436 return ((
double) trim) / 100000;
437 return (floor (trim / 10000) + 1) / 10.0;
450 if (strcasecmp (value,
"N") == 0)
452 if (strcasecmp (value,
"L") == 0)
454 if (strcasecmp (value,
"H") == 0)
469 gchar **split, **point;
471 double impact_conf, impact_integ, impact_avail;
472 double vector, complexity, privilege, user;
473 double isc_base, impact, exploitability, base;
490 split = g_strsplit (cvss_str,
"/", 0);
495 if (strncasecmp (
"S:", *point, 2) == 0)
497 if (strcasecmp (*point + 2,
"U") == 0)
499 else if (strcasecmp (*point + 2,
"C") == 0)
504 if (strncasecmp (
"C:", *point, 2) == 0)
508 if (strncasecmp (
"I:", *point, 2) == 0)
512 if (strncasecmp (
"A:", *point, 2) == 0)
516 if (strncasecmp (
"AV:", *point, 3) == 0)
518 if (strcasecmp (*point + 3,
"N") == 0)
520 else if (strcasecmp (*point + 3,
"A") == 0)
522 else if (strcasecmp (*point + 3,
"L") == 0)
524 else if (strcasecmp (*point + 3,
"P") == 0)
529 if (strncasecmp (
"AC:", *point, 3) == 0)
531 if (strcasecmp (*point + 3,
"L") == 0)
533 else if (strcasecmp (*point + 3,
"H") == 0)
538 if (strncasecmp (
"PR:", *point, 3) == 0)
540 if (strcasecmp (*point + 3,
"N") == 0)
542 else if (strcasecmp (*point + 3,
"L") == 0)
544 else if (strcasecmp (*point + 3,
"H") == 0)
551 if (strncasecmp (
"UI:", *point, 3) == 0)
553 if (strcasecmp (*point + 3,
"N") == 0)
555 else if (strcasecmp (*point + 3,
"R") == 0)
566 if (scope_changed == -1 || impact_conf == -1.0 || impact_integ == -1.0
567 || impact_avail == -1.0 || vector == -1.0 || complexity == -1.0
568 || privilege == -1.0 || user == -1.0)
573 if (scope_changed && privilege == 0.62)
575 else if (scope_changed && privilege == 0.27)
580 isc_base = 1 - ((1 - impact_conf) * (1 - impact_integ) * (1 - impact_avail));
583 impact = 7.52 * (isc_base - 0.029) - 3.25 * pow ((isc_base - 0.02), 15);
585 impact = 6.42 * isc_base;
592 exploitability = 8.22 * vector * complexity * privilege * user;
597 base = 1.08 * (impact + exploitability);
599 base = impact + exploitability;
#define C_COMPLETE
Definition cvss.c:111
static int set_impact_from_str(const char *value, enum base_metrics metric, struct cvss *cvss)
Set impact score from string representation.
Definition cvss.c:277
#define AV_LOCAL
Definition cvss.c:90
static double get_exploitability_subscore(const struct cvss *cvss)
Calculate Exploitability Sub Score.
Definition cvss.c:261
#define Au_SINGLE_INSTANCE
Definition cvss.c:103
#define A_PARTIAL
Definition cvss.c:124
static int toenum(const char *str, enum base_metrics *res)
Determine base metric enumeration from a string.
Definition cvss.c:211
#define C_NONE
ConfidentialityImpact (C) Constants.
Definition cvss.c:109
#define I_PARTIAL
Definition cvss.c:117
static double v3_impact(const char *value)
Get impact.
Definition cvss.c:448
#define AV_NETWORK
AccessVector (AV) Constants.
Definition cvss.c:88
#define C_PARTIAL
Definition cvss.c:110
#define A_COMPLETE
Definition cvss.c:125
#define Au_MULTIPLE_INSTANCES
Authentication (Au) Constants.
Definition cvss.c:102
static double get_impact_subscore(const struct cvss *cvss)
Calculate Impact Sub Score.
Definition cvss.c:244
#define AC_LOW
AccessComplexity (AC) Constants.
Definition cvss.c:95
#define I_NONE
IntegrityImpact (I) Constants.
Definition cvss.c:116
static const struct impact_item impact_map[][3]
Definition cvss.c:163
base_metrics
Base metrics.
Definition cvss.c:132
@ AC
Definition cvss.c:137
@ Au
Definition cvss.c:136
@ AV
Definition cvss.c:138
static double get_cvss_score_from_base_metrics_v3(const char *)
Calculate CVSS Score.
Definition cvss.c:467
#define A_NONE
AvailabilityImpact (A) Constants.
Definition cvss.c:123
double get_cvss_score_from_base_metrics(const char *cvss_str)
Calculate CVSS Score.
Definition cvss.c:358
static double __get_cvss_score(struct cvss *cvss)
Final CVSS score computation helper.
Definition cvss.c:334
#define I_COMPLETE
Definition cvss.c:118
#define AC_MEDIUM
Definition cvss.c:96
#define AV_ADJACENT_NETWORK
Definition cvss.c:89
static double roundup(double cvss)
Round final score as in spec.
Definition cvss.c:421
#define AC_HIGH
Definition cvss.c:97
#define Au_NONE
Definition cvss.c:104
Prototypes for CVSS utility functions.
Describes a set of CVSS metrics.
Definition cvss.c:154
double integ_impact
Definition cvss.c:156
double access_vector
Definition cvss.c:158
double avail_impact
Definition cvss.c:157
double authentication
Definition cvss.c:160
double access_complexity
Definition cvss.c:159
double conf_impact
Definition cvss.c:155
Describe a CVSS impact element.
Definition cvss.c:145
const char * name
Definition cvss.c:146
double nvalue
Definition cvss.c:147