Crate polycvss

CVSS v2, v3, and v4 vector string parser and score calculator.

Parse a vector string:

```rust
let vec: Vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H".parse()?;
```

Calculate vector score:

```rust
let score = Score::from(vec);
```

Get score severity:

```rust
let severity = Severity::from(score);
```

Vectors, scores, and severities are very small (see “Internal Representation”):

```rust
assert_eq!(size_of::<Score>(), size_of::<u8>()); // 1 byte
assert_eq!(size_of::<Severity>(), size_of::<u8>()); // 1 byte
assert_eq!(size_of::<Vector>(), size_of::<u64>()); // 8 bytes
```

§Examples

Parse vector strings:

```rust
// parse CVSS v2 vector string
let v2: Vector = "AV:N/AC:L/Au:N/C:C/I:C/A:C".parse()?;

// parse CVSS v3 vector string
let v3: Vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H".parse()?;

// parse CVSS v4 vector string
let v4: Vector = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H".parse()?;
```

Get vector score:

```rust
// parse CVSS v4 vector string
let v: Vector = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H".parse()?;

// get score
let score = Score::from(v);

// check result
assert_eq!(score, Score::from(10.0));
```

Compare scores:

```rust
let a = Score::from(1.2); // first score
let b = Score::from(3.5); // second score
assert!(a < b); // compare scores
```

Get score severity:

```rust
let severity = Severity::from(Score::from(2.3));
assert_eq!(severity, Severity::Low);
```

Compare severities:

```rust
let a = Severity::Low; // first severity
let b = Severity::High; // second severity
assert!(a < b); // compare severities
```

Get metric from vector by name:

```rust
// parse CVSS v4 vector string
let v: Vector = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H".parse()?;

// get metric
let metric = v.get(Name::V4(v4::Name::AttackVector))?;

// check result
assert_eq!(metric, Metric::V4(v4::Metric::AttackVector(v4::AttackVector::Network)));
```

Iterate over vector metrics:

```rust
// parse CVSS v4 vector string
let v: Vector = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H".parse()?;

// print metrics
for m in v {
    println!("metric: {m}");
}
```

§Internal Representation

A Vector is represented internally as a bit field within a u64. Metric values are packed in the lower 60 bits and the CVSS version is packed in the upper 4 bits:

| Bit Range | Description   |
|-----------|---------------|
| 0..60     | Metric values |
| 60..64    | CVSS version  |
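
The sketch below is an added illustration, not code from polycvss: it packs the eight CVSS v3.1 base metrics into a u64 with the version in bits 60..64, as the table describes, and rejects unknown, duplicate, or missing metrics. The 2-bit field widths, the field order, and the version code `3` are assumptions made for this example, not the crate's layout.

```rust
// Added illustration: NOT polycvss's real bit layout. The field order, 2-bit
// widths and the version code below are assumptions made for this example.
const VERSION_SHIFT: u32 = 60; // version lives in bits 60..64 (from the page)
const METRIC_MASK: u64 = (1 << 60) - 1; // metric values live in bits 0..60
const V31: u64 = 0x3; // hypothetical version code for CVSS v3.1

// CVSS v3.1 base metrics; a value's index in its list is its encoded form.
const BASE: [(&str, &[&str]); 8] = [
    ("AV", &["N", "A", "L", "P"]), ("AC", &["L", "H"]),
    ("PR", &["N", "L", "H"]), ("UI", &["N", "R"]),
    ("S", &["U", "C"]), ("C", &["H", "L", "N"]),
    ("I", &["H", "L", "N"]), ("A", &["H", "L", "N"]),
];

/// Pack a v3.1 base vector string; temporal/environmental metrics are rejected.
fn pack(s: &str) -> Result<u64, String> {
    let body = s.strip_prefix("CVSS:3.1/").ok_or("not a CVSS v3.1 vector")?;
    let (mut bits, mut seen) = (0u64, 0u8);
    for part in body.split('/') {
        let (key, val) = part.split_once(':').ok_or_else(|| format!("bad component {part:?}"))?;
        let i = BASE.iter().position(|(k, _)| *k == key)
            .ok_or_else(|| format!("unknown metric {key:?}"))?;
        let v = BASE[i].1.iter().position(|x| *x == val)
            .ok_or_else(|| format!("bad value {part:?}"))?;
        if seen & (1 << i) != 0 { return Err(format!("duplicate metric {key}")); }
        seen |= 1 << i;
        bits |= (v as u64) << (2 * i);
    }
    if seen != 0xff { return Err("missing base metric".into()); }
    Ok((V31 << VERSION_SHIFT) | bits)
}

/// Decode a packed value back to its canonical vector string.
fn unpack(packed: u64) -> Result<String, String> {
    if packed >> VERSION_SHIFT != V31 { return Err("unsupported version".into()); }
    let mut out = String::from("CVSS:3.1");
    for (i, (key, vals)) in BASE.iter().enumerate() {
        let v = (((packed & METRIC_MASK) >> (2 * i)) & 0b11) as usize;
        let val = vals.get(v).ok_or_else(|| format!("invalid encoding for {key}"))?;
        out.push_str(&format!("/{key}:{val}"));
    }
    Ok(out)
}

fn main() {
    let s = "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:H"; // constructed sample
    let p = pack(s).unwrap();
    println!("{p:#018x} -> {}", unpack(p).unwrap());
}
```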

The lower bit packing varies by CVSS version and is documented in the following modules:

Modules§

encode
Data structures for encoding CVSS metrics in a bit field.
v2
CVSS v2 parser and score calculator.
v3
CVSS v3 parser and score calculator.
v4
CVSS v4 parser and score calculator.

Structs§

Score
CVSS score.
Vector
CVSS vector.

Enums§

Err
Parse or conversion error.
Metric
Vector component.
Name
Metric name.
Severity
Qualitative severity rating.
VectorIterator
Vector iterator.
Version
CVSS version.