Greenbone Vulnerability Management Libraries 22.8.0
cvss.c File Reference

CVSS utility functions. More...

#include "cvss.h"
#include <glib.h>
#include <math.h>
#include <strings.h>


Data Structures

struct  impact_item
 Describe a CVSS impact element. More...
 
struct  cvss
 Describes a set of CVSS metrics. More...
 

Macros

#define G_LOG_DOMAIN   "libgvm base"
 GLib log domain.
 
#define AV_NETWORK   1.0
 AccessVector (AV) Constants.
 
#define AV_ADJACENT_NETWORK   0.646
 
#define AV_LOCAL   0.395
 
#define AC_LOW   0.71
 AccessComplexity (AC) Constants.
 
#define AC_MEDIUM   0.61
 
#define AC_HIGH   0.35
 
#define Au_MULTIPLE_INSTANCES   0.45
 Authentication (Au) Constants.
 
#define Au_SINGLE_INSTANCE   0.56
 
#define Au_NONE   0.704
 
#define C_NONE   0.0
 ConfidentialityImpact (C) Constants.
 
#define C_PARTIAL   0.275
 
#define C_COMPLETE   0.660
 
#define I_NONE   0.0
 IntegrityImpact (I) Constants.
 
#define I_PARTIAL   0.275
 
#define I_COMPLETE   0.660
 
#define A_NONE   0.0
 AvailabilityImpact (A) Constants.
 
#define A_PARTIAL   0.275
 
#define A_COMPLETE   0.660
 

Enumerations

enum  base_metrics {
  A , I , C , Au ,
  AC , AV
}
 Base metrics. More...
 

Functions

static double get_cvss_score_from_base_metrics_v3 (const char *cvss_str)
 Calculate CVSS Score.
 
static int toenum (const char *str, enum base_metrics *res)
 Determine base metric enumeration from a string.
 
static double get_impact_subscore (const struct cvss *cvss)
 Calculate Impact Sub Score.
 
static double get_exploitability_subscore (const struct cvss *cvss)
 Calculate Exploitability Sub Score.
 
static int set_impact_from_str (const char *value, enum base_metrics metric, struct cvss *cvss)
 Set impact score from string representation.
 
static double __get_cvss_score (struct cvss *cvss)
 Final CVSS score computation helper.
 
double get_cvss_score_from_base_metrics (const char *cvss_str)
 Calculate CVSS Score.
 
static double roundup (double cvss)
 Round final score as in spec.
 
static double v3_impact (const char *value)
 Get impact.
 

Variables

static const struct impact_item impact_map [][3]
 

Detailed Description

CVSS utility functions.

This file contains utility functions for handling CVSS v2 and v3. get_cvss_score_from_base_metrics calculates the CVSS base score from a CVSS base vector.

CVSS v3.1:

See equations at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and constants at https://www.first.org/cvss/v3.1/specification-document (section 7.4. Metric Values).

CVSS v3.0:

See equations at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and constants at https://www.first.org/cvss/v3.0/specification-document (section 8.4. Metric Levels).

CVSS v2:

The base equation is the foundation of CVSS scoring. The base equation is:

BaseScore = round_to_1_decimal(((0.6*Impact)+(0.4*Exploitability)-1.5)*f(Impact))

Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))

Exploitability = 20* AccessVector*AccessComplexity*Authentication

f(Impact) = 0 if Impact = 0, 1.176 otherwise

AccessVector = case AccessVector of
  requires local access: 0.395
  adjacent network accessible: 0.646
  network accessible: 1.0

AccessComplexity = case AccessComplexity of
  high: 0.35
  medium: 0.61
  low: 0.71

Authentication = case Authentication of
  requires multiple instances of authentication: 0.45
  requires single instance of authentication: 0.56
  requires no authentication: 0.704

ConfImpact = case ConfidentialityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660

IntegImpact = case IntegrityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660

AvailImpact = case AvailabilityImpact of
  none: 0.0
  partial: 0.275
  complete: 0.660

Macro Definition Documentation

◆ A_COMPLETE

#define A_COMPLETE   0.660

Complete Availability Impact.

◆ A_NONE

#define A_NONE   0.0

AvailabilityImpact (A) Constants.

No Availability Impact.

◆ A_PARTIAL

#define A_PARTIAL   0.275

Partial Availability Impact.

◆ AC_HIGH

#define AC_HIGH   0.35

Access Complexity High.

◆ AC_LOW

#define AC_LOW   0.71

AccessComplexity (AC) Constants.

Access Complexity Low.

◆ AC_MEDIUM

#define AC_MEDIUM   0.61

Access Complexity Medium.

◆ Au_MULTIPLE_INSTANCES

#define Au_MULTIPLE_INSTANCES   0.45

Authentication (Au) Constants.

Authentication multiple instances.

◆ Au_NONE

#define Au_NONE   0.704

No Authentication.

◆ Au_SINGLE_INSTANCE

#define Au_SINGLE_INSTANCE   0.56

Authentication single instance.

◆ AV_ADJACENT_NETWORK

#define AV_ADJACENT_NETWORK   0.646

Access Vector Adjacent Network.

◆ AV_LOCAL

#define AV_LOCAL   0.395

Access Vector Local.

◆ AV_NETWORK

#define AV_NETWORK   1.0

AccessVector (AV) Constants.

Access Vector Network.

◆ C_COMPLETE

#define C_COMPLETE   0.660

Complete Confidentiality Impact.

◆ C_NONE

#define C_NONE   0.0

ConfidentialityImpact (C) Constants.

No Confidentiality Impact.

◆ C_PARTIAL

#define C_PARTIAL   0.275

Partial Confidentiality Impact.

◆ G_LOG_DOMAIN

#define G_LOG_DOMAIN   "libgvm base"

GLib log domain.

◆ I_COMPLETE

#define I_COMPLETE   0.660

Complete Integrity Impact.

◆ I_NONE

#define I_NONE   0.0

IntegrityImpact (I) Constants.

No Integrity Impact.

◆ I_PARTIAL

#define I_PARTIAL   0.275

Partial Integrity Impact.

Enumeration Type Documentation

◆ base_metrics

Base metrics.

Enumerator

A 

Availability Impact.

I 

Integrity Impact.

C 

Confidentiality Impact.

Au 

Authentication.

AC 

Access Complexity.

AV 

Access Vector.

Function Documentation

◆ __get_cvss_score()

static double __get_cvss_score ( struct cvss * cvss)
static

Final CVSS score computation helper.

Parameters
[in] cvss: The CVSS structure that contains the different metrics and associated scores.
Returns
the CVSS score, as a double.

◆ get_cvss_score_from_base_metrics()

double get_cvss_score_from_base_metrics ( const char * cvss_str)

Calculate CVSS Score.

Parameters
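cvss_str: Base vector string from which to compute the score.
Returns
The resulting score, or -1 if an error occurred while parsing the vector. Callers should check for a negative return before using the value as a severity.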

◆ get_cvss_score_from_base_metrics_v3()

static double get_cvss_score_from_base_metrics_v3 ( const char * cvss_str)
static

Calculate CVSS Score.

Parameters
cvss_str: Vector from which to compute the score, without prefix.
Returns
CVSS score, or -1 on error.

◆ get_exploitability_subscore()

static double get_exploitability_subscore ( const struct cvss * cvss)
static

Calculate Exploitability Sub Score.

Parameters
[in] cvss: Contains the subscores associated with the metrics.
Returns
The resulting subscore.

◆ get_impact_subscore()

static double get_impact_subscore ( const struct cvss * cvss)
static

Calculate Impact Sub Score.

Parameters
[in] cvss: Contains the subscores associated with the metrics.
Returns
The resulting subscore.

◆ roundup()

static double roundup ( double cvss)
static

Round final score as in spec.

Parameters
cvss: CVSS score.
Returns
Rounded score.

◆ set_impact_from_str()

static int set_impact_from_str ( const char * value,
enum base_metrics metric,
struct cvss * cvss )
inline static

Set impact score from string representation.

Parameters
[in] value: The literal value associated with the metric.
[in] metric: The enumeration constant identifying the metric.
[out] cvss: The structure to update with the score.
Returns
0 on success, -1 on error.

◆ toenum()

static int toenum ( const char * str,
enum base_metrics * res )
static

Determine base metric enumeration from a string.

Parameters
[in] str: Base metric in string form, for example "A".
[out] res: Where to write the desired value.
Returns
0 on success, -1 on error.

◆ v3_impact()

static double v3_impact ( const char * value)
static

Get impact.

Parameters
value: Metric value.
Returns
Impact.

Variable Documentation

◆ impact_map

const struct impact_item impact_map[][3]
static