cvss 2.2.0

Common Vulnerability Scoring System parser/serializer
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153

//! Attack Requirements (AT)

use crate::{
    Error, Result,
    v4::metric::{Metric, MetricType},
};
use alloc::borrow::ToOwned;
use core::{fmt, str::FromStr};

/// Attack Requirements (AT) - CVSS v4.0 Base Metric Group
///
/// Described in CVSS v4.0 Specification: Section 2.1.3
///
/// > This metric captures the prerequisite **deployment and execution
/// > conditions or variables** of the vulnerable system that enable the attack.
/// > These differ from security-enhancing techniques/technologies (ref _Attack
/// > Complexity_) as the primary purpose of these conditions is **not** to
/// > explicitly mitigate attacks, but rather, emerge naturally as a consequence
/// > of the deployment and execution of the vulnerable system. If the attacker
/// > does not take action to overcome these conditions, the attack may succeed
/// > only occasionally or not succeed at all.
#[derive(Copy, Clone, Debug, Eq, PartialEq, PartialOrd, Ord)]
pub enum AttackRequirements {
    /// Present (P)
    ///
    /// > The successful attack depends on the presence of specific deployment
    /// > and execution conditions of the vulnerable system that enable the
    /// > attack. These include: A **race condition** must be won to
    /// > successfully exploit the vulnerability. The successfulness of the
    /// > attack is conditioned on execution conditions that are not under full
    /// > control of the attacker. The attack may need to be launched multiple
    /// > times against a single target before being successful. Network
    /// > injection. The attacker must inject themselves into the logical
    /// > network path between the target and the resource requested by the
    /// > victim (e.g. vulnerabilities requiring an on-path attacker).
    Present,

    /// None (N)
    ///
    /// > The successful attack does not depend on the deployment and execution
    /// > conditions of the vulnerable system. The attacker can expect to be
    /// > able to reach the vulnerability and execute the exploit under all or
    /// > most instances of the vulnerability.
    None,
}

impl Default for AttackRequirements {
    fn default() -> Self {
        Self::None
    }
}

impl Metric for AttackRequirements {
    const TYPE: MetricType = MetricType::AT;

    fn as_str(self) -> &'static str {
        match self {
            AttackRequirements::Present => "P",
            AttackRequirements::None => "N",
        }
    }
}

impl fmt::Display for AttackRequirements {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}:{}", Self::name(), self.as_str())
    }
}

impl FromStr for AttackRequirements {
    type Err = Error;

    fn from_str(s: &str) -> Result<Self> {
        match s {
            "P" => Ok(AttackRequirements::Present),
            "N" => Ok(AttackRequirements::None),
            _ => Err(Error::InvalidMetricV4 {
                metric_type: Self::TYPE,
                value: s.to_owned(),
            }),
        }
    }
}

#[cfg(feature = "std")]
pub(crate) mod merge {
    use super::*;
    use crate::{
        Error,
        v4::{
            MetricType,
            metric::{MetricLevel, environmental::ModifiedAttackRequirements},
        },
    };
    use alloc::borrow::ToOwned;
    use core::str::FromStr;

    /// Result of the merging of the base and modified metrics.
    ///
    /// Used in scoring.
    #[derive(Copy, Clone, Debug, Eq, PartialEq, PartialOrd, Ord)]
    pub(crate) enum MergedAttackRequirements {
        Present,
        None,
    }

    impl Default for MergedAttackRequirements {
        fn default() -> Self {
            Self::None
        }
    }

    impl FromStr for MergedAttackRequirements {
        type Err = Error;

        fn from_str(s: &str) -> Result<Self> {
            match s {
                "P" => Ok(MergedAttackRequirements::Present),
                "N" => Ok(MergedAttackRequirements::None),
                _ => Err(Error::InvalidMetricV4 {
                    metric_type: MetricType::AT,
                    value: s.to_owned(),
                }),
            }
        }
    }

    impl MetricLevel for MergedAttackRequirements {
        fn level(self) -> f64 {
            // AT_levels = {'N': 0.0, 'P': 0.1}
            match self {
                Self::Present => 0.1,
                Self::None => 0.0,
            }
        }
    }

    impl AttackRequirements {
        pub(crate) fn merge(
            self,
            value: Option<ModifiedAttackRequirements>,
        ) -> MergedAttackRequirements {
            match value {
                Some(ModifiedAttackRequirements::NotDefined) | None => match self {
                    Self::Present => MergedAttackRequirements::Present,
                    Self::None => MergedAttackRequirements::None,
                },
                Some(ModifiedAttackRequirements::Present) => MergedAttackRequirements::Present,
                Some(ModifiedAttackRequirements::None) => MergedAttackRequirements::None,
            }
        }
    }
}