Open SCAP Library
CVSS

Common Vulnerability Scoring System.

Files

file  cvss_score.h
 Interface to Common Vulnerability Scoring System Version 2.
 

Data Structures

struct  cvss_impact
 CVSS impact.
 
struct  cvss_metrics
 CVSS metrics.
 

Enumerations

enum  cvss_category { CVSS_NONE = 0x0000 , CVSS_BASE = 0x0100 , CVSS_TEMPORAL = 0x0200 , CVSS_ENVIRONMENTAL = 0x0300 }
 CVSS score category.
 
enum  cvss_access_vector {
  CVSS_AV_NOT_SET , CVSS_AV_LOCAL , CVSS_AV_ADJACENT_NETWORK , CVSS_AV_NETWORK ,
  CVSS_AV_END_
}
 CVSS access vector.
 
enum  cvss_access_complexity {
  CVSS_AC_NOT_SET , CVSS_AC_HIGH , CVSS_AC_MEDIUM , CVSS_AC_LOW ,
  CVSS_AC_END_
}
 CVSS access complexity.
 
enum  cvss_authentication {
  CVSS_AU_NOT_SET , CVSS_AU_MULTIPLE , CVSS_AU_SINGLE , CVSS_AU_NONE ,
  CVSS_AU_END_
}
 CVSS Authentication.
 
enum  cvss_cia_impact {
  CVSS_IMP_NOT_SET , CVSS_IMP_NONE , CVSS_IMP_PARTIAL , CVSS_IMP_COMPLETE ,
  CVSS_IMP_END_
}
 CVSS Confidentiality/Integrity/Availability impact.
 
enum  cvss_exploitability {
  CVSS_E_NOT_DEFINED , CVSS_E_UNPROVEN , CVSS_E_PROOF_OF_CONCEPT , CVSS_E_FUNCTIONAL ,
  CVSS_E_HIGH , CVSS_E_END_
}
 CVSS Exploitability.
 
enum  cvss_remediation_level {
  CVSS_RL_NOT_DEFINED , CVSS_RL_OFFICIAL_FIX , CVSS_RL_TEMPORARY_FIX , CVSS_RL_WORKAROUND ,
  CVSS_RL_UNAVAILABLE , CVSS_RL_END_
}
 CVSS Remediation Level.
 
enum  cvss_report_confidence {
  CVSS_RC_NOT_DEFINED , CVSS_RC_UNCONFIRMED , CVSS_RC_UNCORROBORATED , CVSS_RC_CONFIRMED ,
  CVSS_RC_END_
}
 CVSS Report Confidence.
 
enum  cvss_collateral_damage_potential {
  CVSS_CDP_NOT_DEFINED , CVSS_CDP_NONE , CVSS_CDP_LOW , CVSS_CDP_LOW_MEDIUM ,
  CVSS_CDP_MEDIUM_HIGH , CVSS_CDP_HIGH , CVSS_CDP_END_
}
 CVSS Collateral Damage Potential.
 
enum  cvss_target_distribution {
  CVSS_TD_NOT_DEFINED , CVSS_TD_NONE , CVSS_TD_LOW , CVSS_TD_MEDIUM ,
  CVSS_TD_HIGH , CVSS_TD_END_
}
 CVSS Target Distribution.
 
enum  cvss_cia_requirement {
  CVSS_REQ_NOT_DEFINED , CVSS_REQ_LOW , CVSS_REQ_MEDIUM , CVSS_REQ_HIGH ,
  CVSS_REQ_END_
}
 CVSS Confidentiality/Integrity/Availability requirement.
 

Functions

OSCAP_API const char * cvss_model_supported (void)
 Get supported version of CVSS XML.
 
OSCAP_API float cvss_round (float x)
 Round x to one decimal place as described in CVSS standard.
 
OSCAP_API struct cvss_impact * cvss_impact::cvss_impact_new (void)
 
OSCAP_API struct cvss_impact * cvss_impact::cvss_impact_new_from_vector (const char *cvss_vector)
 
OSCAP_API struct cvss_impact * cvss_impact::cvss_impact_clone (const struct cvss_impact *impact)
 
OSCAP_API void cvss_impact::cvss_impact_free (struct cvss_impact *impact)
 
OSCAP_API void cvss_impact::cvss_impact_describe (const struct cvss_impact *impact, FILE *f)
 Write out a human-readable textual description of CVSS impact contents.
 
OSCAP_API struct cvss_metrics * cvss_impact::cvss_impact_get_base_metrics (const struct cvss_impact *impact)
 
OSCAP_API struct cvss_metrics * cvss_impact::cvss_impact_get_temporal_metrics (const struct cvss_impact *impact)
 
OSCAP_API struct cvss_metrics * cvss_impact::cvss_impact_get_environmental_metrics (const struct cvss_impact *impact)
 
OSCAP_API bool cvss_impact::cvss_impact_set_metrics (struct cvss_impact *impact, struct cvss_metrics *metrics)
 Set base, temporal, or environmental metrics (type is determined from the metrics itself)
 
OSCAP_API char * cvss_impact::cvss_impact_to_vector (const struct cvss_impact *impact)
 
OSCAP_API struct cvss_metrics * cvss_metrics::cvss_metrics_new (enum cvss_category category)
 
OSCAP_API struct cvss_metrics * cvss_metrics::cvss_metrics_clone (const struct cvss_metrics *metrics)
 
OSCAP_API void cvss_metrics::cvss_metrics_free (struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_category cvss_metrics::cvss_metrics_get_category (const struct cvss_metrics *metrics)
 
OSCAP_API const char * cvss_metrics::cvss_metrics_get_source (const struct cvss_metrics *metrics)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_source (struct cvss_metrics *metrics, const char *new_source)
 
OSCAP_API const char * cvss_metrics::cvss_metrics_get_generated_on_datetime (const struct cvss_metrics *metrics)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_generated_on_datetime (struct cvss_metrics *metrics, const char *new_datetime)
 
OSCAP_API const char * cvss_metrics::cvss_metrics_get_upgraded_from_version (const struct cvss_metrics *metrics)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_upgraded_from_version (struct cvss_metrics *metrics, const char *new_upgraded_from_version)
 
OSCAP_API float cvss_metrics::cvss_metrics_get_score (const struct cvss_metrics *metrics)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_score (struct cvss_metrics *metrics, float score)
 
OSCAP_API bool cvss_metrics::cvss_metrics_is_valid (const struct cvss_metrics *metrics)
 Validate CVSS metrics completeness.
 

Score calculators

Functions to calculate CVSS score.

The functions return the special float value NAN on failure.

Particularly interesting are:

  • cvss_impact_base_score()
  • cvss_impact_temporal_score()
  • cvss_impact_environmental_score()
OSCAP_API float cvss_impact::cvss_impact_base_exploitability_subscore (const struct cvss_impact *impact)
 Calculate exploitability subscore of base score.
 
OSCAP_API float cvss_impact::cvss_impact_base_impact_subscore (const struct cvss_impact *impact)
 Calculate impact subscore of base score.
 
OSCAP_API float cvss_impact::cvss_impact_base_score (const struct cvss_impact *impact)
 Calculate base score.
 
OSCAP_API float cvss_impact::cvss_impact_temporal_multiplier (const struct cvss_impact *impact)
 Calculate temporal multiplier.
 
OSCAP_API float cvss_impact::cvss_impact_temporal_score (const struct cvss_impact *impact)
 Calculate temporal score.
 
OSCAP_API float cvss_impact::cvss_impact_base_adjusted_impact_subscore (const struct cvss_impact *impact)
 Calculate impact subscore of base score adjusted to particular environment.
 
OSCAP_API float cvss_impact::cvss_impact_adjusted_base_score (const struct cvss_impact *impact)
 Calculate base score adjusted to particular environment.
 
OSCAP_API float cvss_impact::cvss_impact_adjusted_temporal_score (const struct cvss_impact *impact)
 Calculate temporal score adjusted to particular environment.
 
OSCAP_API float cvss_impact::cvss_impact_environmental_score (const struct cvss_impact *impact)
 Calculate environmental score.
 

Vector values

Functions to get or set individual CVSS vector values.

The functions check that the metrics are of the correct type (base/temporal/environmental). When called on the wrong type of metrics, setters return false and getters return an undefined/default value.

Todo:
Getters/setters for the "approximated" flag
OSCAP_API enum cvss_access_vector cvss_metrics::cvss_metrics_get_access_vector (const struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_access_complexity cvss_metrics::cvss_metrics_get_access_complexity (const struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_authentication cvss_metrics::cvss_metrics_get_authentication (const struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_cia_impact cvss_metrics::cvss_metrics_get_confidentiality_impact (const struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_cia_impact cvss_metrics::cvss_metrics_get_integrity_impact (const struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_cia_impact cvss_metrics::cvss_metrics_get_availability_impact (const struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_exploitability cvss_metrics::cvss_metrics_get_exploitability (const struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_remediation_level cvss_metrics::cvss_metrics_get_remediation_level (const struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_report_confidence cvss_metrics::cvss_metrics_get_report_confidence (const struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_collateral_damage_potential cvss_metrics::cvss_metrics_get_collateral_damage_potential (const struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_target_distribution cvss_metrics::cvss_metrics_get_target_distribution (const struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_cia_requirement cvss_metrics::cvss_metrics_get_confidentiality_requirement (const struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_cia_requirement cvss_metrics::cvss_metrics_get_integrity_requirement (const struct cvss_metrics *metrics)
 
OSCAP_API enum cvss_cia_requirement cvss_metrics::cvss_metrics_get_availability_requirement (const struct cvss_metrics *metrics)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_access_vector (struct cvss_metrics *metrics, enum cvss_access_vector)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_access_complexity (struct cvss_metrics *metrics, enum cvss_access_complexity)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_authentication (struct cvss_metrics *metrics, enum cvss_authentication)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_confidentiality_impact (struct cvss_metrics *metrics, enum cvss_cia_impact)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_integrity_impact (struct cvss_metrics *metrics, enum cvss_cia_impact)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_availability_impact (struct cvss_metrics *metrics, enum cvss_cia_impact)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_exploitability (struct cvss_metrics *metrics, enum cvss_exploitability)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_remediation_level (struct cvss_metrics *metrics, enum cvss_remediation_level)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_report_confidence (struct cvss_metrics *metrics, enum cvss_report_confidence)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_collateral_damage_potential (struct cvss_metrics *metrics, enum cvss_collateral_damage_potential)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_target_distribution (struct cvss_metrics *metrics, enum cvss_target_distribution)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_confidentiality_requirement (struct cvss_metrics *metrics, enum cvss_cia_requirement)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_integrity_requirement (struct cvss_metrics *metrics, enum cvss_cia_requirement)
 
OSCAP_API bool cvss_metrics::cvss_metrics_set_availability_requirement (struct cvss_metrics *metrics, enum cvss_cia_requirement)
 

Detailed Description

Common Vulnerability Scoring System.

Supported version: 2

Function Documentation

◆ cvss_impact_adjusted_base_score()

OSCAP_API float cvss_impact_adjusted_base_score ( const struct cvss_impact * impact )

Calculate base score adjusted to particular environment.

Requires base and environmental metrics to be set.

See also
cvss_impact_base_score()

◆ cvss_impact_adjusted_temporal_score()

OSCAP_API float cvss_impact_adjusted_temporal_score ( const struct cvss_impact * impact )

Calculate temporal score adjusted to particular environment.

Requires base, temporal and environmental metrics to be set.

See also
cvss_impact_temporal_score()

◆ cvss_impact_base_adjusted_impact_subscore()

OSCAP_API float cvss_impact_base_adjusted_impact_subscore ( const struct cvss_impact * impact )

Calculate impact subscore of base score adjusted to particular environment.

Requires base and environmental metrics to be set.

See also
cvss_impact_base_impact_subscore()
cvss_impact_adjusted_base_score()

◆ cvss_impact_base_exploitability_subscore()

OSCAP_API float cvss_impact_base_exploitability_subscore ( const struct cvss_impact * impact )

Calculate exploitability subscore of base score.

Requires base metrics to be set.

See also
cvss_impact_base_score()
cvss_impact_adjusted_base_score()

◆ cvss_impact_base_impact_subscore()

OSCAP_API float cvss_impact_base_impact_subscore ( const struct cvss_impact * impact )

Calculate impact subscore of base score.

Requires base metrics to be set.

See also
cvss_impact_base_adjusted_impact_subscore()
cvss_impact_base_score()

◆ cvss_impact_base_score()

OSCAP_API float cvss_impact_base_score ( const struct cvss_impact * impact )

Calculate base score.

The base metric group captures the characteristics of a vulnerability that are constant with time and across user environments.

Requires base metrics to be set.

See also
cvss_impact_base_exploitability_subscore()
cvss_impact_base_impact_subscore()
cvss_impact_base_adjusted_impact_subscore()

◆ cvss_impact_describe()

OSCAP_API void cvss_impact_describe ( const struct cvss_impact * impact, FILE * f )

Write out a human-readable textual description of CVSS impact contents.

Parameters
impact  Impact to describe
f       File handle to write the description to

◆ cvss_impact_environmental_score()

OSCAP_API float cvss_impact_environmental_score ( const struct cvss_impact * impact )

Calculate environmental score.

Different environments can have an immense bearing on the risk that a vulnerability poses to an organization and its stakeholders. The CVSS environmental metric group captures the characteristics of a vulnerability that are associated with a user’s IT environment.

Requires base, temporal and environmental metrics to be set.

See also
cvss_impact_adjusted_temporal_score()

◆ cvss_impact_temporal_multiplier()

OSCAP_API float cvss_impact_temporal_multiplier ( const struct cvss_impact * impact )

Calculate temporal multiplier.

Multiply base score by this number and round to one decimal place to get temporal score. This function is intended to get the multiplier itself. To calculate temporal score, use cvss_impact_temporal_score() or cvss_impact_adjusted_temporal_score() instead.

Requires temporal metrics to be set.

See also
cvss_impact_temporal_score()
cvss_impact_adjusted_temporal_score()

◆ cvss_impact_temporal_score()

OSCAP_API float cvss_impact_temporal_score ( const struct cvss_impact * impact )

Calculate temporal score.

Temporal metrics capture how the threat posed by a vulnerability may change over time.

Requires base and temporal metrics to be set.

See also
cvss_impact_adjusted_temporal_score()
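
Added example (not part of the original page and not OpenSCAP's own code): a self-contained C program that carries the CVSS version 2 base and temporal equations through by hand, to show what the score calculators documented above compute, including one-decimal rounding and NAN for an incomplete vector. The names round1, metric, base_score and temporal_score are hypothetical; the weights are those of the CVSS v2 specification, and the sample vector is constructed.

```c
#include <math.h>    /* NAN */
#include <stdio.h>
#include <string.h>

/* Round to one decimal place; NaN passes through unchanged (hypothetical helper). */
static double round1(double x)
{
    return (x != x) ? x : (double)(long)(x * 10.0 + 0.5) / 10.0;
}

/* Weight of metric `name` in an "AV:N/AC:L/..." vector; NAN if absent or invalid. */
static double metric(const char *vec, const char *name, const char *codes, const double *w)
{
    size_t n = strlen(name);
    for (const char *p = vec; p != NULL; ) {
        if (strncmp(p, name, n) == 0 && p[n] == ':' && p[n + 1] != '\0') {
            const char *c = strchr(codes, p[n + 1]);
            return (c != NULL && (p[n + 2] == '/' || p[n + 2] == '\0')) ? w[c - codes] : NAN;
        }
        if ((p = strchr(p, '/')) != NULL) p++;   /* advance to the next token */
    }
    return NAN;
}

/* CVSS v2 base equation; a missing or unknown metric propagates NAN to the result. */
double base_score(const char *vec)
{
    static const double av[] = {0.395, 0.646, 1.0};   /* L, A, N */
    static const double ac[] = {0.35, 0.61, 0.71};    /* H, M, L */
    static const double au[] = {0.45, 0.56, 0.704};   /* M, S, N */
    static const double cia[] = {0.0, 0.275, 0.660};  /* N, P, C */
    double expl = 20.0 * metric(vec, "AV", "LAN", av) * metric(vec, "AC", "HML", ac)
                       * metric(vec, "Au", "MSN", au);           /* exploitability subscore */
    double imp = 10.41 * (1.0 - (1.0 - metric(vec, "C", "NPC", cia))
                              * (1.0 - metric(vec, "I", "NPC", cia))
                              * (1.0 - metric(vec, "A", "NPC", cia)));   /* impact subscore */
    double f = (imp == 0.0) ? 0.0 : 1.176;
    return round1((0.6 * imp + 0.4 * expl - 1.5) * f);
}

/* Temporal score: base score times the multiplier E * RL * RC, rounded to one decimal. */
double temporal_score(double base, double e, double rl, double rc) { return round1(base * e * rl * rc); }

int main(void)
{
    double b = base_score("AV:N/AC:L/Au:N/C:P/I:P/A:P");   /* constructed sample vector */
    printf("base=%.1f temporal=%.1f\n", b, temporal_score(b, 0.95, 0.87, 1.0)); /* E:F, RL:OF, RC:C */
    return 0;
}
```

Callers of the library functions should likewise test the returned score for NAN before comparing it against a severity threshold, because every ordered comparison with NAN is false.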