Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/neuralegion/cvss
The Common Vulnerability Scoring System (CVSS) base score calculator and validator library written in TypeScript.
- Host: GitHub
- URL: https://github.com/neuralegion/cvss
- Owner: NeuraLegion
- License: mit
- Created: 2020-07-02T16:50:23.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2024-02-08T18:17:49.000Z (11 months ago)
- Last Synced: 2024-11-20T15:25:03.229Z (about 1 month ago)
- Topics: cvss, cvss3, cvssv3, score, security, typescript
- Language: TypeScript
- Homepage:
- Size: 586 KB
- Stars: 14
- Watchers: 14
- Forks: 3
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
# cvss
The Common Vulnerability Scoring System ([CVSS](https://www.first.org/cvss/)) [base](https://www.first.org/cvss/specification-document#Base-Metrics) [score](https://www.first.org/cvss/specification-document#1-2-Scoring) calculator and validator library written in [TypeScript](https://www.typescriptlang.org/).
## Basics
CVSS outputs numerical scores that indicate the severity of a vulnerability, based on its principal technical characteristics.
Its outputs include numerical scores indicating the severity of a vulnerability relative to other vulnerabilities. [Link](https://www.first.org/cvss/v3.1/specification-document#Introduction)

The CVSS v3 vector string begins with the label `CVSS:` and a numeric representation of the version.
After the version string, it contains a set of `/`-separated CVSS metrics.
Each metric consists of a name and a value (both abbreviated) separated by `:`.

### Sample
Sample CVSS v3.1 vector string: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N`
Score is: [3.8](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N), severity: [Low](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N)
### Current library limitations
The CVSS specification defines three metric groups: `Base`, `Temporal`, and `Environmental`, but only `Base` metrics are supported by this library for now.
Supported CVSS versions: [3.0](https://www.first.org/cvss/v3-0/) and [3.1](https://www.first.org/cvss/v3-1/)
## Install
`npm i --save @neuralegion/cvss`
## API
### Score Calculator
`calculateBaseScore(cvssString): number`
Calculates [Base Score](https://www.first.org/cvss/v3.1/specification-document#7-1-Base-Metrics-Equations), which depends on sub-formulas for Impact Sub-Score (ISS), Impact, and Exploitability.

`calculateIss(metricsMap): number`
Calculates [Impact Sub-Score (ISS)](https://www.first.org/cvss/v3.1/specification-document#7-1-Base-Metrics-Equations)

`calculateImpact(metricsMap, iss): number`
Calculates [Impact](https://www.first.org/cvss/v3.1/specification-document#7-1-Base-Metrics-Equations)

`calculateExploitability(metricsMap): number`
Calculates [Exploitability](https://www.first.org/cvss/v3.1/specification-document#7-1-Base-Metrics-Equations)
### Validator
`validate(cvssString): void`
Throws an Error if the given CVSS string is either invalid or unsupported.
The Error contains a verbose message with error details. Sample error messages:
- CVSS vector must start with "CVSS:"
- Invalid CVSS string. Example: CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
- Unsupported CVSS version: 2.0. Only 3.0 and 3.1 are supported
- Duplicated metric: "AC:L"
- Missing mandatory CVSS base metric C (Confidentiality)
- Unknown CVSS metric "X". Allowed metrics: AV, AC, PR, UI, S, C, I, A
- Invalid value for CVSS metric PR (Privileges Required): Y. Allowed values: N (None), L (Low), H (High)

### Humanizer
`humanizeBaseMetric(metric)`
Returns the un-abbreviated metric name: e.g. 'Confidentiality' for input 'C'

`humanizeBaseMetricValue(value, metric)`
Returns the un-abbreviated metric value: e.g. 'Network' for input ('AV', 'N')
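
To make the Score Calculator and Validator descriptions above concrete, here is an added example (not the library's source code) that validates a v3.1 vector and computes its base score from the equations and weights in the FIRST specification. The names `WEIGHTS`, `has`, `parseVector`, `roundup` and `baseScore`, and the error texts, are this example's own and are not part of the package's API.

```typescript
// CVSS v3.1 base-metric weights from the FIRST specification.
const WEIGHTS: Record<string, Record<string, number>> = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  PR: { N: 0.85, L: 0.62, H: 0.27 }, // L and H are replaced below when Scope is Changed
  UI: { N: 0.85, R: 0.62 },
  S: { U: 0, C: 1 }, // Scope has no weight; listed only so its values are validated
  C: { H: 0.56, L: 0.22, N: 0 },
  I: { H: 0.56, L: 0.22, N: 0 },
  A: { H: 0.56, L: 0.22, N: 0 },
};
// Own-property check, so inherited names such as "toString" are never accepted as metrics.
const has = (o: object, k: string): boolean => Object.prototype.hasOwnProperty.call(o, k);

// Parse and validate a v3.1 base vector; every base metric must appear exactly once.
function parseVector(vector: string): Record<string, string> {
  const [prefix, ...parts] = vector.split('/');
  if (prefix !== 'CVSS:3.1') throw new Error(`expected "CVSS:3.1" prefix, got "${prefix}"`);
  const metrics: Record<string, string> = {};
  for (const part of parts) {
    const [name = '', value = '', ...extra] = part.split(':');
    if (!has(WEIGHTS, name)) throw new Error(`unknown metric "${name}"`);
    if (has(metrics, name)) throw new Error(`duplicated metric "${name}"`);
    if (extra.length > 0 || !has(WEIGHTS[name], value)) throw new Error(`invalid value in "${part}"`);
    metrics[name] = value;
  }
  for (const name of Object.keys(WEIGHTS)) {
    if (!has(metrics, name)) throw new Error(`missing mandatory metric "${name}"`);
  }
  return metrics;
}

// Roundup as defined in the v3.1 specification: integer arithmetic avoids float artefacts.
function roundup(x: number): number {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

// Base score = f(Impact, Exploitability), with different formulas for Changed scope.
function baseScore(vector: string): number {
  const m = parseVector(vector);
  const w = (k: string): number => WEIGHTS[k][m[k]];
  const changed = m.S === 'C';
  const pr = changed && m.PR !== 'N' ? (m.PR === 'L' ? 0.68 : 0.5) : w('PR');
  const iss = 1 - (1 - w('C')) * (1 - w('I')) * (1 - w('A'));
  const impact = changed ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15) : 6.42 * iss;
  const exploitability = 8.22 * w('AV') * w('AC') * pr * w('UI');
  if (impact <= 0) return 0;
  return roundup(Math.min((changed ? 1.08 : 1) * (impact + exploitability), 10));
}
```

The Privileges Required weight depends on Scope, which is why a vector cannot be scored metric by metric without first parsing the whole string.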
## Usage
### ECMAScript 2015, TypeScript modules
```
import { calculateBaseScore } from '@neuralegion/cvss';

console.log('score: ', calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'));
```

### NodeJS (CommonJS module)
```
const cvss = require('@neuralegion/cvss');

console.log(cvss.calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'));
```

### NodeJS (experimental ESM support)
`usage.mjs` file:
```
import cvss from '@neuralegion/cvss';

console.log(cvss.calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'));
```
Running: `node --experimental-modules ./usage.mjs`

### Browser (globals from umd bundle)
```
alert(`Score: ${cvss.calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N')}`);
```

### Browser (ES modules)
```
import { calculateBaseScore } from './node_modules/@neuralegion/cvss/dist/bundle.es.js';

alert(`Score: ${calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N')}`);
```
## Development
Issues and pull requests are highly welcome.
Please, don't forget to lint (`npm run lint`) and test (`npm t`) the code.
## License
Copyright © 2020 [NeuraLegion](https://github.com/NeuraLegion).
This project is licensed under the MIT License - see the [LICENSE file](LICENSE) for details.