NAME

CVSS - Perl extension for CVSS (Common Vulnerability Scoring System) 2.0/3.x/4.0

SYNOPSIS

use CVSS;

# OO-interface

# Method 1 - Use params

$cvss = CVSS->new(
  version => '3.1',
  metrics => {
      AV => 'A',
      AC => 'L',
      PR => 'L',
      UI => 'R',
      S => 'U',
      C => 'H',
      I => 'H',
      A => 'H',
  }
);


# Method 2 - Decode and parse the vector string

use CVSS;

$cvss = CVSS->from_vector_string('CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H');

say $cvss->base_score; # 7.4


# Method 3 - Builder

use CVSS 

$cvss = CVSS->new(version => '3.1');
$cvss->attackVector('ADJACENT_NETWORK');
$cvss->attackComplexity('LOW');
$cvss->privilegesRequired('LOW');
$cvss->userInteraction('REQUIRED');
$cvss->scope('UNCHANGED');
$cvss->confidentialityImpact('HIGH');
$cvss->integrityImpact('HIGH');
$cvss->availabilityImpact('HIGH');

$cvss->calculate_score;


# Common methods

# Convert the CVSS object in "vector string"
say $cvss; # CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

# Get metric value
say $cvss->AV; # A
say $cvss->attackVector; # ADJACENT_NETWORK

# Get the base score
say $cvss->base_score; # 7.4

# Get all scores
say Dumper($cvss->scores);

# { "base"           => "7.4",
#   "exploitability" => "1.6",
#   "impact"         => "5.9" }

# Get the base severity
say $cvss->base_severity # HIGH

# Convert CVSS in XML in according of CVSS XML Schema Definition
$xml = $cvss->to_xml;

# Convert CVSS in JSON in according of CVSS JSON Schema
$json = encode_json($cvss);


# exported functions

use CVSS qw(decode_cvss encode_cvss)

$cvss = decode_cvss('CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H');
say $cvss->base_score;  # 7.4

$vector_string = encode_cvss(version => '3.1', metrics => {...});
say $cvss_string; # CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

DESCRIPTION

This module calculates the CVSS (Common Vulnerability Scoring System) scores (basic, temporal, and environmental), convert the "vector string" and returns the CVSS object in JSON or XML.

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

https://www.first.org/cvss/

FUNCTIONAL INTERFACE

They are exported by default:

$vector_string = encode_cvss(%params)

Converts the given CVSS params to "vector string". Croaks on error.

This function call is functionally identical to:

$vector_string = CVSS->new(%params)->to_string;
$cvss = decode_cvss($vector_string)

Converts the given "vector string" to CVSS. Croaks on error.

This function call is functionally identical to:

$cvss = CVSS->from_vector_string($vector_string);
$xml = cvss_to_xml($vector_string)

Convert the given "vector string" to XML. Croaks on error.

This function call is functionally identical to:

$xml = $cvss->to_xml;

OBJECT-ORIENTED INTERFACE

$cvss = CVSS->new(%params)

Creates a new CVSS instance using the provided parameters (version, metric or vector_string) and returns the CVSS subclass that matches the selected CVSS version (2.0, 3.0, 3.1 or 4.0):

+--------------+----------+
| CVSS version | Class    |
+--------------+----------+
| 2.0          | CVSS::v2 |
| 3.0          | CVSS::v3 |
| 3.1          | CVSS::v3 |
| 4.0          | CVSS::v4 |
+--------------+----------+
$cvss = CVSS->from_vector_string($vector_string);

Converts the given "vector string" to CVSS. Croaks on error

SEE ALSO

CVSS::Base, CVSS::v2, CVSS::v3, CVSS::v4

[FIRST] CVSS Data Representations (https://www.first.org/cvss/data-representations)
[FIRST] CVSS v4.0 Specification (https://www.first.org/cvss/v4.0/specification-document)
[FIRST] CVSS v3.1 Specification (https://www.first.org/cvss/v3.1/specification-document)
[FIRST] CVSS v3.0 Specification (https://www.first.org/cvss/v3.0/specification-document)
[FIRST] CVSS v2.0 Complete Guide (https://www.first.org/cvss/v2/guide)

SUPPORT

Bugs / Feature Requests

Please report any bugs or feature requests through the issue tracker at https://github.com/giterlizzi/perl-CVSS/issues. You will be notified automatically of any progress on your issue.

Source Code

This is open source software. The code repository is available for public review and contribution under the terms of the license.

https://github.com/giterlizzi/perl-CVSS

git clone https://github.com/giterlizzi/perl-CVSS.git

AUTHOR

  • Giuseppe Di Terlizzi <gdt@cpan.org>

LICENSE AND COPYRIGHT

This software is copyright (c) 2023-2024 by Giuseppe Di Terlizzi.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.