
CVSS - Perl extension for CVSS (Common Vulnerability Scoring System) 2.0/3.x/4.0

This module calculates CVSS (Common Vulnerability Scoring System) scores (base, temporal, and environmental), converts to and from the "vector string" form, and returns the CVSS object as JSON or XML.

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

https://www.first.org/cvss/

Synopsis

use CVSS;

# OO-interface

# Method 1 - Use params

$cvss = CVSS->new(
  version => '3.1',
  metrics => {
      AV => 'A',
      AC => 'L',
      PR => 'L',
      UI => 'R',
      S => 'U',
      C => 'H',
      I => 'H',
      A => 'H',
  }
);


# Method 2 - Decode and parse the vector string

use CVSS;

$cvss = CVSS->from_vector_string('CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H');

say $cvss->base_score; # 7.4


# Method 3 - Builder

use CVSS;

$cvss = CVSS->new(version => '3.1');
$cvss->attackVector('ADJACENT_NETWORK');
$cvss->attackComplexity('LOW');
$cvss->privilegesRequired('LOW');
$cvss->userInteraction('REQUIRED');
$cvss->scope('UNCHANGED');
$cvss->confidentialityImpact('HIGH');
$cvss->integrityImpact('HIGH');
$cvss->availabilityImpact('HIGH');

$cvss->calculate_score;

# Common methods

# Convert the CVSS object to a "vector string"
say $cvss; # CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

# Get metric value
say $cvss->AV; # A
say $cvss->attackVector; # ADJACENT_NETWORK

# Get the base score
say $cvss->base_score; # 7.4

# Get all scores
use Data::Dumper;
say Dumper($cvss->scores);

# { "base"           => "7.4",
#   "exploitability" => "1.6",
#   "impact"         => "5.9" }

# Get the base severity
say $cvss->base_severity; # HIGH

# Convert the CVSS object to XML according to the CVSS XML Schema Definition
$xml = $cvss->to_xml;

# Convert the CVSS object to JSON according to the CVSS JSON Schema
$json = encode_json($cvss);


# exported functions

use CVSS qw(decode_cvss encode_cvss);

$cvss = decode_cvss('CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H');
say $cvss->base_score;  # 7.4

$vector_string = encode_cvss(version => '3.1', metrics => {...});
say $vector_string; # CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
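
An added example (not from the module's own documentation) that ranks a batch of findings by base score, using only `from_vector_string`, `base_score` and `base_severity` from the synopsis above. The finding ids, the `score_finding` helper and the shape-check pattern are assumptions made for the illustration; the pattern accepts only CVSS 3.x vectors that carry exactly the eight base metrics.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use feature 'say';
use CVSS;

# Constructed sample findings (ids and vectors are illustrative, not real advisories).
my @findings = (
    { id => 'FINDING-1', vector => 'CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H' },
    { id => 'FINDING-2', vector => 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' },
    { id => 'FINDING-3', vector => 'CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N' },
    { id => 'FINDING-4', vector => 'CVSS:3.1/AV:N/AC:L' },    # truncated on purpose
);

# Shape check for a CVSS 3.x vector with the eight base metrics in canonical order.
# Scanner exports and ticket fields are untrusted input, so reject before scoring.
my $BASE_V3 = qr{\ACVSS:3\.[01]/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]/C:[NLH]/I:[NLH]/A:[NLH]\z};

# Hypothetical helper: returns (hashref) on success or (undef, reason) on failure.
sub score_finding {
    my ($finding) = @_;
    return (undef, 'malformed vector') unless $finding->{vector} =~ $BASE_V3;

    # The module's behaviour on bad input is not assumed here: any exception
    # or undefined score is treated as a failure instead of a score of zero.
    my ($score, $severity) = eval {
        my $cvss = CVSS->from_vector_string($finding->{vector});
        ($cvss->base_score, $cvss->base_severity);
    };
    return (undef, 'scoring failed') unless defined $score;

    return +{ %$finding, score => $score, severity => $severity };
}

my (@scored, @rejected);
for my $finding (@findings) {
    my ($result, $reason) = score_finding($finding);
    if   ($result) { push @scored,   $result }
    else           { push @rejected, "$finding->{id}: $reason" }
}

# Highest score first, so the queue is worked in severity order.
for my $f (sort { $b->{score} <=> $a->{score} } @scored) {
    printf "%-10s %4.1f %-8s %s\n", @{$f}{qw(id score severity vector)};
}

# Rejected entries are reported separately so they are not silently dropped.
say "rejected: $_" for @rejected;
```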

cvss command-line-interface

Get the base score:

$ cvss CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H --base-score
7.4

Get the base severity:

$ cvss CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H --base-severity
HIGH

Parses the provided vector string and returns the JSON representation:

$ cvss CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H --json | jq
{
  "attackComplexity": "LOW",
  "attackVector": "ADJACENT_NETWORK",
  "availabilityImpact": "HIGH",
  "baseScore": 7.4,
  "baseSeverity": "HIGH",
  "confidentialityImpact": "HIGH",
  "integrityImpact": "HIGH",
  "privilegesRequired": "LOW",
  "scope": "UNCHANGED",
  "userInteraction": "REQUIRED",
  "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
  "version": "3.1"
}

Parses the provided vector string and returns the XML representation:

$ cvss CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H --xml
<?xml version="1.0" encoding="UTF-8"?>
<cvssv3.1 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="https://www.first.org/cvss/cvss-v3.1.xsd https://www.first.org/cvss/cvss-v3.1.xsd"
  >

  <base_metrics>
    <attack-vector>ADJACENT_NETWORK</attack-vector>
    <attack-complexity>LOW</attack-complexity>
    <privileges-required>LOW</privileges-required>
    <user-interaction>REQUIRED</user-interaction>
    <scope>UNCHANGED</scope>
    <confidentiality-impact>HIGH</confidentiality-impact>
    <integrity-impact>HIGH</integrity-impact>
    <availability-impact>HIGH</availability-impact>
    <base-score>7.4</base-score>
    <base-severity>HIGH</base-severity>
  </base_metrics>

</cvssv3.1>

Install

Using Makefile.PL:

To install the CVSS distribution, run the following commands.

perl Makefile.PL
make
make test
make install

Using App::cpanminus:

cpanm CVSS

Acknowledgements

This module is listed in the CVSS v4.0 FAQ by FIRST.Org as a community CVSS calculator library.

Documentation