
Rescore CVSS 3 and 3.1 results from any JSON file based on custom rules that you create.

Project description


cvss_rescore

Rescore CVSS 3 and 3.1 results from any JSON file based on custom rules.

The Problem

CVSS scoring consists of three metric groups: Base, Temporal, and Environmental.

When working with third-party dependency (SCA) vulnerabilities, nearly every tool reports its scores using only the Base score. This is understandable: the people who report a vulnerability know only about the vulnerability itself. They have no idea how the vulnerable package is actually used in your project. Do you have mitigating controls in place? Is it only a test project? Is it only in a protected CI/CD pipeline? All of these factors and more feed into the Environmental score, which can lower the effective score of a vulnerability significantly.

How We Use This

Output-Agnostic

We use the cvss-rescore package as a post-processor after our SCA scan has run. Because the cvss-rescore package can take any JSON-format output, it is tool-agnostic. We have tested it successfully with Dependabot and JFrog Xray, but there is no reason any other tool can't be used, so long as its output is JSON.

Rules-Based

Because we use the Python rule-engine package as a dependency, users can create a rules_actions.json file in their root directory. Users can create as many rules as they need, modifying one or more CVSS vector metrics per rule.
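As an added example (not the project's own code, and not its rules_actions.json syntax, which comes from the rule-engine package): a constructed finding carrying a CVSS 3.1 base vector, a hypothetical rule that fires when the package lives only in a CI pipeline, and a CVSS 3.1 environmental-score calculation (metric weights and formulas from the CVSS 3.1 specification) showing how the rule's modified and temporal metrics lower the 9.8 base score.

```python
import math
# CVSS 3.1 metric weights from the specification tables
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},    # scope unchanged
    "PR_C": {"N": 0.85, "L": 0.68, "H": 0.5},   # scope changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "E": {"X": 1, "H": 1, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1, "U": 1, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1, "C": 1, "R": 0.96, "U": 0.92},
    "REQ": {"X": 1, "H": 1.5, "M": 1, "L": 0.5},  # CR / IR / AR
}

def roundup(x):
    """CVSS 3.1 Roundup: smallest one-decimal value >= x, safe against float error."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def environmental_score(vector, overrides):
    """Environmental score of `vector` after merging modified/temporal metrics from `overrides`."""
    m = {**dict(p.split(":") for p in vector.split("/")[1:]), **overrides}
    def eff(name):  # modified metric (MAV, MC, ...) when set, else the base metric
        v = m.get("M" + name, "X")
        return m[name] if v == "X" else v
    changed = eff("S") == "C"
    miss = 1.0
    for metric, req in (("C", "CR"), ("I", "IR"), ("A", "AR")):
        miss *= 1 - W["REQ"][m.get(req, "X")] * W["CIA"][eff(metric)]
    miss = min(1 - miss, 0.915)
    impact = 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13 if changed else 6.42 * miss
    if impact <= 0:
        return 0.0
    pr = (W["PR_C"] if changed else W["PR"])[eff("PR")]
    expl = 8.22 * W["AV"][eff("AV")] * W["AC"][eff("AC")] * pr * W["UI"][eff("UI")]
    total = min((1.08 if changed else 1.0) * (impact + expl), 10)
    temporal = W["E"][m.get("E", "X")] * W["RL"][m.get("RL", "X")] * W["RC"][m.get("RC", "X")]
    return roundup(roundup(total) * temporal)

# Constructed finding and rule; the project's rules_actions.json schema is not reproduced here.
FINDING = {"package": "example-lib", "location": "ci-pipeline",
           "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}  # base score 9.8
RULE = {"when": lambda f: f["location"] == "ci-pipeline",   # reachable only from the build network,
        "set": {"MAV": "A", "MPR": "L", "E": "P"}}           # by a low-privileged user; PoC-only exploit

def rescore(finding, rule):
    overrides = rule["set"] if rule["when"](finding) else {}
    return environmental_score(finding["vector"], overrides)
```

With no overrides the environmental score equals the 9.8 base score; with the rule applied it drops to 7.6, and a finding whose location does not match keeps 9.8.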

Requirements
  • Python 3.6 or higher

  • A working knowledge of CVSS calculation. You can reference the calculator at

Installation

You can find the package on PyPI at https://pypi.org/project/cvss-rescore/

To install, run 'pip install cvss-rescore' from the command line.

Documentation

You can get the current documentation at https://cvss-rescore.readthedocs.io/en/latest/

Dependencies
Note

This project has been set up using PyScaffold 4.3.1. For details and usage information on PyScaffold see https://pyscaffold.org/.

Download files

Source Distribution: cvss_rescore-0.0.5.tar.gz (28.7 kB)

Built Distribution: cvss_rescore-0.0.5-py3-none-any.whl (5.8 kB, Python 3)

File details for cvss_rescore-0.0.5.tar.gz
  • Size: 28.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.9.5

Hashes for cvss_rescore-0.0.5.tar.gz
  • SHA256: 9f48f94d75572996771fdcf66abfe1c160dbd7f37b79b58ba30dee4ebded3a50
  • MD5: e573b054165b17a55b2f78a3b3af6db7
  • BLAKE2b-256: 5ff43103bbe844b01c29915e29af687cd24ba92bceb96a90bd50978ab3e7f26f

Hashes for cvss_rescore-0.0.5-py3-none-any.whl
  • SHA256: 7133b69383f09e860069bb4127c7a481bcaaa6fac6ca5be6feaf8c7339d40aaf
  • MD5: 2ad57f6a496cdb00c5a7ff00a4204d6f
  • BLAKE2b-256: 134ae1f5fb369fcc47ac8a74cfb5c908aa088db32544242e6d2d83528aeda38c
