Skip to main content

CVSS 2/3 utilities

Project description

CVSSlib Main workflow

A Python 3 library for calculating CVSS v2, CVSS v3 and CVSS v3.1 vectors, with tests. Examples on how to use the library is shown below, and there is some documentation on the internals within the docs directory. The library is designed to be completely extendable, so it is possible to implement your own custom scoring systems (or those of your clients) and have it work with the same API, and with the same bells and whistles.

Python 3 only

API

It's pretty simple to use. cvsslib has a cvss2, cvss3 and cvss31 sub modules that contains all of the enums and calculation code. There are also some functions to manipulate vectors that take these cvss modules as arguments. E.G:

from cvsslib import cvss2, cvss31, calculate_vector

vector_v2 = "AV:L/AC:M/Au:S/C:N/I:P/A:C/E:U/RL:OF/RC:UR/CDP:N/TD:L/CR:H/IR:H/AR:H"
calculate_vector(vector_v2, cvss2)
>> (5, 3.5, 1.2)

vector_v3 = "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:H/MPR:N"
calculate_vector(vector_v3, cvss31)
>> (5.8, 5.8, 7.1)

You can access every CVSS enum through the cvss2, cvss3 or cvss31 modules:

from cvsslib import cvss2
# In this case doing from 'cvsslib.cvss2.enums import *' might be less verbose.
value = cvss2.ReportConfidence.CONFIRMED

if value != cvss2.ReportConfidence.NOT_DEFINED:
    do_something()

There are some powerful mixin functions if you need a class with CVSS members. These functions take a cvss version and return a base class you can inherit from. This class hassome utility functions like to_vector() and from_vector() you can use.

from cvsslib import cvss3, class_mixin

BaseClass = class_mixin(cvss3)  # Can pass cvss2 module instead

class SomeObject(BaseClass):
    def print_stats(self):
        for item, value in self.enums:
            print("{0} is {1}".format(item, value)
 
state = SomeObject()
print("\n".join(state.debug()))
print(state.calculate())
state.from_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:H/MPR:N")
print("Vector: " + state.to_vector())

# Access members:
if state.report_confidence == ReportConfidence.NOT_DEFINED:
    do_something()

It also supports Django models. Requires the django-enumfields package.

from cvsslib.contrib.django_model import django_mixin
from cvsslib import cvss2
from django.db import models

CVSSBase = django_mixin(cvss2)

class CVSSModel(models.Model, metaclass=CVSSBase)
    pass
    
# CVSSModel now has lots of enum you can use
x = CVSSModel()
x.save()
x.exploitability

If you want it to work with django Migrations you need to give an attribute name to the django_mixin function. This should match the attribute name it is being assigned to:

CVSSBase = django_mixin(cvss2, attr_name="CVSSBase")

And there is a command line tool available:

> cvss CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N/E:P/RL:U/RC:U/CR:H/IR:L/AR:H/MAV:L/MUI:R/MS:C/MC:N/MI:L/MA:N
Base Score:     5.3
Temporal:       4.6
Environment:    1.3

Custom Scoring Systems

Creating a new scoring system is very simple. First create a Python file with the correct name, e.g super_scores.py. Next create some enums with the correct values for your system:

 from cvsslib.base_enum import BaseEnum
 
 
 class Risk(BaseEnum):
     """
     Vector: S
     """
     HIGH = 1
     MEDIUM = 2
     LOW = 3
     
 class Difficulty(BaseEnum):
     """
     Vector: D
     """
     DIFFICULT = 1
     MODERATE = 2
     EASY = 3

And lastly add a calculate function in the module that accepts some vector values and returns a result of some kind:

def calculate(difficulty: Difficulty, risk: Risk):
   if difficulty == Difficulty.EASY and risk == Risk.CRITICAL:
       return "oh nuts you're screwed"
   
   return "You're probs ok m8"

Once you define this you can pass your super_scores module to any cvsslib function like calculate_vector or django_mixin and it will all just work. You can even serialize the data to and from a vector if you define the correct vector: X in the enum docstrings.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cvsslib-1.0.0.tar.gz (15.6 kB view details)

Uploaded Source

Built Distribution

cvsslib-1.0.0-py3-none-any.whl (19.6 kB view details)

Uploaded Python 3

File details

Details for the file cvsslib-1.0.0.tar.gz.

File metadata

  • Download URL: cvsslib-1.0.0.tar.gz
  • Upload date:
  • Size: 15.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.0.5 CPython/3.7.6 Darwin/19.3.0

File hashes

Hashes for cvsslib-1.0.0.tar.gz
Algorithm Hash digest
SHA256 435d201db37aa59dbd321619a63eae61051b1735a1a19bde66b8460ec5b9adad
MD5 e9f45c40fe0fef43d65719177f554fd9
BLAKE2b-256 c18a1f26cf24ad993dd01c4ce42f3e15d1ed09e5263fdacdaa5776f3e6c43adb

See more details on using hashes here.

File details

Details for the file cvsslib-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: cvsslib-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 19.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.0.5 CPython/3.7.6 Darwin/19.3.0

File hashes

Hashes for cvsslib-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 1a81a1735084927df2850140c552b4c08c0eecb2b909234d7e68eb7a431ebff4
MD5 fb6b3d76d44a89f070bd09f4d11051d8
BLAKE2b-256 a5c71b45ca70b2f32ec3f3802dc50e6145426cd9f67600646963e801b83c4ab0

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page