1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98
//! Availability Impact (A) use crate::{ error::{Error, ErrorKind}, v3::Metric, }; use std::{fmt, str::FromStr}; /// Availability Impact (A) - CVSS v3.1 Base Metric Group /// /// Described in CVSS v3.1 Specification: Section 2.3.3: /// <https://www.first.org/cvss/specification-document#t6> /// /// > This metric measures the impact to the availability of the impacted /// > component resulting from a successfully exploited vulnerability. /// > While the Confidentiality and Integrity impact metrics apply to the /// > loss of confidentiality or integrity of data (e.g., information, /// > files) used by the impacted component, this metric refers to the loss /// > of availability of the impacted component itself, such as a networked /// > service (e.g., web, database, email). Since availability refers to the /// > accessibility of information resources, attacks that consume network /// > bandwidth, processor cycles, or disk space all impact the availability /// > of an impacted component. The Base Score is greatest when the /// > consequence to the impacted component is highest. #[derive(Copy, Clone, Debug, Eq, PartialEq, PartialOrd, Ord)] pub enum Availability { /// None (N) /// /// > There is no impact to availability within the impacted component. None, /// Low (L) /// /// > Performance is reduced or there are interruptions in resource /// > availability. Even if repeated exploitation of the vulnerability /// > is possible, the attacker does not have the ability to completely /// > deny service to legitimate users. The resources in the impacted /// > component are either partially available all of the time, or fully /// > available only some of the time, but overall there is no direct, /// > serious consequence to the impacted component. Low, /// High (H) /// /// > There is a total loss of availability, resulting in the attacker /// > being able to fully deny access to resources in the impacted /// > component; this loss is either sustained (while the attacker /// > continues to deliver the attack) or persistent (the condition /// > persists even after the attack has completed). Alternatively, /// > the attacker has the ability to deny some availability, but /// > the loss of availability presents a direct, serious consequence /// > to the impacted component (e.g., the attacker cannot disrupt /// > existing connections, but can prevent new connections; the /// > attacker can repeatedly exploit a vulnerability that, in each /// > instance of a successful attack, leaks a only small amount of /// > memory, but after repeated exploitation causes a service to become /// > completely unavailable). High, } impl Metric for Availability { const NAME: &'static str = "A"; fn score(self) -> f64 { match self { Availability::None => 0.0, Availability::Low => 0.22, Availability::High => 0.56, } } fn as_str(self) -> &'static str { match self { Availability::None => "N", Availability::Low => "L", Availability::High => "H", } } } impl fmt::Display for Availability { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { write!(f, "{}:{}", Self::NAME, self.as_str()) } } impl FromStr for Availability { type Err = Error; fn from_str(s: &str) -> Result<Self, Error> { match s { "N" => Ok(Availability::None), "L" => Ok(Availability::Low), "H" => Ok(Availability::High), other => fail!(ErrorKind::Parse, "invalid A (Base): {}", other), } } }