
Add CVSSv4 Calculator #387

Closed

Conversation

domwhewell-sage
Contributor

Working PR to add CVSSv4 calculator onto the findings views as requested in #356.

The CVSSv4 calculator should appear as an optional tab once you click the "CVSS Calculator" accordion.
So as to minimize changes in future, all metrics are included.

@domwhewell-sage
Contributor Author

The calculator at https://www.first.org/cvss/calculator/4.0 is slightly different to previous CVSS versions in that it is being distributed as a Vue.js application: https://github.com/FIRSTdotorg/cvss-v4-calculator

To avoid inaccurate calculations by converting the Vue.js app to JavaScript and mirroring the existing CVSS v3 calculator, it might make sense to fork the GitHub project into the /static folder and display it within an iframe (like first.org is doing). The only custom code will be extracting the final score and vector from the iframe and placing them into the cvss_score and cvss_vector fields.
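The comment above leaves the glue code between the embedded calculator and the cvss_score / cvss_vector fields as the one custom piece. The following is an added example, not code from this PR or from the Ghostwriter project, showing what that glue should check before trusting what comes out of the iframe: a validator for the CVSS v4.0 vector string covering all four metric groups discussed later in the thread (Base, Threat, Environmental, Supplemental), and a gate on the reported score. The message shape `{origin, data: {score, vector}}` and the trusted origin are assumptions.

```javascript
// Allowed values per metric follow the CVSS v4.0 specification; only Base metrics are mandatory.
const VECTOR_PREFIX = "CVSS:4.0/";
const CVSS4_METRICS = {
  base: { AV: "NALP", AC: "LH", AT: "NP", PR: "NLH", UI: "NPA",
    VC: "HLN", VI: "HLN", VA: "HLN", SC: "HLN", SI: "HLN", SA: "HLN" },
  threat: { E: "XAPU" },
  environmental: { MAV: "XNALP", MAC: "XLH", MAT: "XNP", MPR: "XNLH", MUI: "XNPA",
    MVC: "XHLN", MVI: "XHLN", MVA: "XHLN", MSC: "XHLN", MSI: "XSHLN", MSA: "XSHLN",
    CR: "XHML", IR: "XHML", AR: "XHML" },
  supplemental: { S: "XNP", AU: "XNY", R: "XAUI", V: "XDC", RE: "XLMH",
    U: ["X", "Clear", "Green", "Amber", "Red"] },
};

// Parse a vector string into its metric groups, rejecting unknown metrics, bad values,
// duplicates and missing Base metrics.
function parseCvss4Vector(vector) {
  if (typeof vector !== "string" || !vector.startsWith(VECTOR_PREFIX)) {
    throw new Error(`vector must start with ${VECTOR_PREFIX}`);
  }
  const parsed = { base: {}, threat: {}, environmental: {}, supplemental: {} };
  for (const part of vector.slice(VECTOR_PREFIX.length).split("/")) {
    const [name, value, extra] = part.split(":");
    if (!name || !value || extra !== undefined) throw new Error(`malformed metric "${part}"`);
    const group = Object.keys(CVSS4_METRICS).find((g) => name in CVSS4_METRICS[g]);
    if (!group) throw new Error(`unknown metric ${name}`);
    if (name in parsed[group]) throw new Error(`duplicate metric ${name}`);
    const allowed = CVSS4_METRICS[group][name];
    // Single-letter values are checked by length so "HL" or "" cannot sneak past includes().
    const ok = Array.isArray(allowed)
      ? allowed.includes(value)
      : value.length === 1 && allowed.includes(value);
    if (!ok) throw new Error(`invalid value "${value}" for ${name}`);
    parsed[group][name] = value;
  }
  for (const m of Object.keys(CVSS4_METRICS.base)) {
    if (!(m in parsed.base)) throw new Error(`missing base metric ${m}`);
  }
  return parsed;
}

// Gate what the iframe reports (assumed shape: {origin, data: {score, vector}}) before it is
// copied into the cvss_score / cvss_vector fields. Only the expected origin is trusted (assumption).
function acceptCalculatorResult(msg, trustedOrigin) {
  if (msg.origin !== trustedOrigin) throw new Error(`untrusted origin ${msg.origin}`);
  const { score, vector } = msg.data || {};
  // The range check also rejects NaN, which would otherwise pass a naive comparison.
  if (typeof score !== "number" || !(score >= 0 && score <= 10)) throw new Error(`bad score ${score}`);
  parseCvss4Vector(vector);
  return { cvss_score: score, cvss_vector: vector };
}
```

In a browser this would sit inside a `message` event listener on the parent page; the functions are kept DOM-free so the checks can be unit-tested on their own.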

@domwhewell-sage domwhewell-sage marked this pull request as ready for review February 4, 2024 16:58
@chrismaddalena chrismaddalena self-assigned this Feb 13, 2024
@felix-caboff

Hi Team,

Is there anything I can do to move this particular pull request along? Not sure what your process is, whether you need someone to do some testing or similar. (We are desperate for it, don't worry if you have a plan, just trying to be helpful)

It looks like the CodeFactor checks failed because of the third-party library. I would suggest that these failures are ignored as that code is not a GW specific element.

Thanks!

@chrismaddalena
Collaborator

@felix-caboff Once we wrap up some features that have been in-flight for v4.1, we'll take a look at this. The big question is how easy it is for someone to choose the calculator they want to use. Some people still want CVSS v3. Others are asking for CVSS v3.1. Another group wants CVSS v4. The ideal end state is they're all available and you can pick which one to use.

In the meantime, checking out this PR and providing feedback is very helpful.

@felix-caboff felix-caboff mentioned this pull request Jun 17, 2024

codecov bot commented Aug 24, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 91.97%. Comparing base (0616f4e) to head (2fa5754).
Report is 165 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #387      +/-   ##
==========================================
+ Coverage   91.95%   91.97%   +0.01%     
==========================================
  Files         314      318       +4     
  Lines       18158    18176      +18     
==========================================
+ Hits        16698    16717      +19     
+ Misses       1460     1459       -1     


@felix-caboff

@domwhewell-sage wow this looks like a lot has happened! Thank you for prepping it for testing. Unless you say otherwise I will try and test it this afternoon (UK time).

@felix-caboff

For anyone reading this, please also see a competing PR #509

@SecurityPingu

Awesome work! Any update on when this will be merged?

@felix-caboff

Hey, you are probably best looking at the original issue that was raised: #356

@chrismaddalena
Collaborator

Alex has implemented this PR along with some related feedback/requests from other issues in PR #509. I think the PRs are essentially identical in the basic functionality of offering CVSS v3 and v4 calculators. You can switch from one to the other on the fly.

I want to get this feature merged in so I'm looking to reconcile the two PRs. Is there anything missing from #509 that is in this PR?

Here is an example of the calc in PR #509:

[image: screenshot of the calculator in PR #509]

@domwhewell-sage
Contributor Author

Hi @chrismaddalena, #509 is only including the base score, and is missing the Supplemental Metrics, Environmental (Modified Base Metrics), Environmental (Security Requirements) and Threat Metrics.
If you are the consumer, those additional metrics are pretty essential to be added onto the vector, to take into account the consumer's specific environment the system is deployed in.

The CVSSv3 calculator is missing the Temporal Score and Environmental Score (I know they didn't exist in the base branch anyway).

@chrismaddalena
Collaborator

@domwhewell-sage We should add supplemental metrics to the calculator. That shouldn't be difficult.

@chrismaddalena
Collaborator

This has been addressed in #509! I have to zoom out to show the whole calc now, but that's OK. I think we'll want some way to close the calc without scrolling back up to click the header. It could also become a modal later on. There are pros and cons to both user experiences.

Everyone has put a lot of work into this, which I appreciate, so I want to make sure this covers all the needs. Is there anything missing at this point? @felix-caboff @SecurityPingu @domwhewell-sage

[images: two screenshots of the updated calculator in PR #509]

@felix-caboff

This looks shiny to me!

Not immediately important, but related.... Do the changes made in this PR open up the ability for GW to have other scoring systems in the future? Like for example, could we do the CWSS (*W*eakness, not *V*ulnerability)? It looks to me that so long as there is a scope and a vector that isn't using wildly different character sets we are good.

@chrismaddalena
Collaborator

@felix-caboff Probably. The calculators are built with JavaScript, so it seems feasible to allow you to switch to more than just CVSS v3 or v4. A quick search didn't return any readily available CWSS calculators for JavaScript, so the most significant lift would probably be developing that.

@SecurityPingu

SecurityPingu commented Sep 30, 2024

Nice work! I'm currently doing some light changes (mainly around reporting) but at some point I will be looking to implement an impact x likelihood = risk scoring matrix.

https://github.com/hknio/severity-formula

@felix-caboff

@chrismaddalena If I prep that CWSS JS, how do you want me to provide it? I'm not in a position to implement / test integration to GW at the moment but I think I can probably provide a basic HTML / JS demonstrator in the next couple of days?
