cvss 2.2.0

Common Vulnerability Scoring System parser/serializer
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158

//! Confidentiality Requirements (CR)

use crate::{
    Error, Result,
    v4::metric::{Metric, MetricType},
};
use alloc::borrow::ToOwned;
use core::{fmt, str::FromStr};

/// Confidentiality Requirements (CR) - CVSS v4.0 Environmental Metric Group
///
/// Described in CVSS v4.0 Specification: Section 4.1
///
/// > These metrics enable the consumer to customize the assessment depending on
/// > the importance of the affected IT asset to the analyst’s organization,
/// > measured in terms of Confidentiality, Integrity, and Availability. That
/// > is, if an IT asset supports a business function for which Availability is
/// > most important, the analyst can assign a greater value to Availability
/// > metrics relative to Confidentiality and Integrity. Each Security
/// > Requirement has three possible values: Low, Medium, or High, or the
/// > default value of Not Defined (X).
/// >
/// > The full effect on the environmental score is determined by the
/// > corresponding Modified Base Impact metrics. Following the concept of
/// > assuming “reasonable worst case”, in absence of explicit values, these
/// > metrics are set to the default value of Not Defined (X), which is
/// > equivalent to the metric value of High (H).
#[derive(Copy, Clone, Debug, Eq, PartialEq, PartialOrd, Ord)]
pub enum ConfidentialityRequirements {
    /// Not Defined (X)
    ///
    /// > This is the default value. Assigning this value indicates there is
    /// > insufficient information to choose one of the other values. This has
    /// > the same effect as assigning High as the worst case.
    NotDefined,
    /// Low (L)
    ///
    /// > Loss of Confidentiality is likely to have only a limited adverse
    /// > effect on the organization or individuals associated with the
    /// > organization (e.g., employees, customers).
    Low,
    /// Medium (M)
    ///
    /// > Loss of Confidentiality is likely to have a serious adverse effect on
    /// > the organization or individuals associated with the organization
    /// > (e.g., employees, customers).
    Medium,
    /// High (H)
    ///
    /// > Loss of Confidentiality is likely to have a catastrophic adverse
    /// > effect on the organization or individuals associated with the
    /// > organization (e.g., employees, customers).
    High,
}

impl Default for ConfidentialityRequirements {
    fn default() -> Self {
        Self::NotDefined
    }
}

impl Metric for ConfidentialityRequirements {
    const TYPE: MetricType = MetricType::CR;

    fn as_str(self) -> &'static str {
        match self {
            ConfidentialityRequirements::NotDefined => "X",
            ConfidentialityRequirements::Low => "L",
            ConfidentialityRequirements::Medium => "M",
            ConfidentialityRequirements::High => "H",
        }
    }
}

impl fmt::Display for ConfidentialityRequirements {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}:{}", Self::name(), self.as_str())
    }
}

impl FromStr for ConfidentialityRequirements {
    type Err = Error;

    fn from_str(s: &str) -> Result<Self> {
        match s {
            "X" => Ok(ConfidentialityRequirements::NotDefined),
            "L" => Ok(ConfidentialityRequirements::Low),
            "M" => Ok(ConfidentialityRequirements::Medium),
            "H" => Ok(ConfidentialityRequirements::High),
            _ => Err(Error::InvalidMetricV4 {
                metric_type: Self::TYPE,
                value: s.to_owned(),
            }),
        }
    }
}

#[cfg(feature = "std")]
pub(crate) mod merge {
    use super::*;
    use crate::{
        Error,
        v4::{MetricType, metric::MetricLevel},
    };
    use alloc::borrow::ToOwned;
    use core::str::FromStr;

    #[derive(Copy, Clone, Debug, Eq, PartialEq, PartialOrd, Ord)]
    pub(crate) enum MergedConfidentialityRequirements {
        Low,
        Medium,
        High,
    }

    impl Default for MergedConfidentialityRequirements {
        fn default() -> Self {
            Self::High
        }
    }

    impl FromStr for MergedConfidentialityRequirements {
        type Err = Error;

        fn from_str(s: &str) -> Result<Self> {
            match s {
                "L" => Ok(MergedConfidentialityRequirements::Low),
                "M" => Ok(MergedConfidentialityRequirements::Medium),
                "H" => Ok(MergedConfidentialityRequirements::High),
                _ => Err(Error::InvalidMetricV4 {
                    metric_type: MetricType::CR,
                    value: s.to_owned(),
                }),
            }
        }
    }

    impl ConfidentialityRequirements {
        pub(crate) fn merge(self) -> MergedConfidentialityRequirements {
            match self {
                Self::High => MergedConfidentialityRequirements::High,
                Self::Medium => MergedConfidentialityRequirements::Medium,
                Self::Low => MergedConfidentialityRequirements::Low,
                Self::NotDefined => MergedConfidentialityRequirements::High,
            }
        }
    }

    impl MetricLevel for MergedConfidentialityRequirements {
        fn level(self) -> f64 {
            // CR_levels = {'H': 0.0, 'M': 0.1, 'L': 0.2}
            match self {
                Self::High => 0.0,
                Self::Medium => 0.1,
                Self::Low => 0.2,
            }
        }
    }
}