Skip to main content

Metric

polycvss::v4

Enum Metric 

Source 
pub enum Metric {

Show 32 variants    AttackVector(AttackVector),
    AttackComplexity(AttackComplexity),
    AttackRequirements(AttackRequirements),
    PrivilegesRequired(PrivilegesRequired),
    UserInteraction(UserInteraction),
    VulnerableSystemConfidentialityImpact(Impact),
    VulnerableSystemIntegrityImpact(Impact),
    VulnerableSystemAvailabilityImpact(Impact),
    SubsequentSystemConfidentialityImpact(Impact),
    SubsequentSystemIntegrityImpact(Impact),
    SubsequentSystemAvailabilityImpact(Impact),
    ExploitMaturity(ExploitMaturity),
    ConfidentialityRequirement(Requirement),
    IntegrityRequirement(Requirement),
    AvailabilityRequirement(Requirement),
    ModifiedAttackVector(ModifiedAttackVector),
    ModifiedAttackComplexity(ModifiedAttackComplexity),
    ModifiedAttackRequirements(ModifiedAttackRequirements),
    ModifiedPrivilegesRequired(ModifiedPrivilegesRequired),
    ModifiedUserInteraction(ModifiedUserInteraction),
    ModifiedVulnerableSystemConfidentiality(ModifiedImpact),
    ModifiedVulnerableSystemIntegrity(ModifiedImpact),
    ModifiedVulnerableSystemAvailability(ModifiedImpact),
    ModifiedSubsequentSystemConfidentiality(ModifiedImpact),
    ModifiedSubsequentSystemIntegrity(ModifiedSubsequentImpact),
    ModifiedSubsequentSystemAvailability(ModifiedSubsequentImpact),
    Safety(Safety),
    Automatable(Automatable),
    Recovery(Recovery),
    ValueDensity(ValueDensity),
    VulnerabilityResponseEffort(VulnerabilityResponseEffort),
    ProviderUrgency(ProviderUrgency),

}
Expand description

Vector component.

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "AV:N".parse()?;

// check result
assert_eq!(metric, Metric::AttackVector(AttackVector::Network));

Convert metric to string:

// convert metric to string
let s = Metric::AttackVector(AttackVector::Adjacent).to_string();

// check result
assert_eq!(s, "AV:A");

Get metric name:

// get metric name
let name = Name::from(Metric::AttackVector(AttackVector::Local));

// check result
assert_eq!(name, Name::AttackVector);

Variants§

§

AttackVector(AttackVector)

Attack Vector (AV) metric.

§Description

This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

§Properties

§Examples

Parse string as metric and check it:

// parse string as metric
let metric: Metric = "AV:N".parse()?;

// check result
assert_eq!(metric, Metric::AttackVector(AttackVector::Network));

Convert metric to string:

// convert metric to string
let s = Metric::AttackVector(AttackVector::Adjacent).to_string();

// check result
assert_eq!(s, "AV:A");

Get metric name:

// get metric name
let name = Name::from(Metric::AttackVector(AttackVector::Local));

// check result
assert_eq!(name, Name::AttackVector);
§

AttackComplexity(AttackComplexity)

Attack Complexity (AC) metric.

§Description

This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system, and does not relate to the amount of time or attempts it would take for an attacker to succeed, e.g. a race condition. If the attacker does not take action to overcome these conditions, the attack will always fail.

The evasion or satisfaction of authentication mechanisms or requisites is included in the Privileges Required assessment and is not considered here as a factor of relevance for Attack Complexity.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "AC:L".parse()?;

// check result
assert_eq!(metric, Metric::AttackComplexity(AttackComplexity::Low));

Convert metric to string:

// convert metric to string
let s = Metric::AttackComplexity(AttackComplexity::High).to_string();

// check result
assert_eq!(s, "AC:H");

Get metric name

// get metric name
let name = Name::from(Metric::AttackComplexity(AttackComplexity::High));

// check result
assert_eq!(name, Name::AttackComplexity);
§

AttackRequirements(AttackRequirements)

Attack Requirements (AT) metric.

§Description

This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system. If the attacker does not take action to overcome these conditions, the attack may succeed only occasionally or not succeed at all.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "AT:N".parse()?;

// check result
assert_eq!(metric, Metric::AttackRequirements(AttackRequirements::None));

Convert metric to string:

// convert metric to string
let s = Metric::AttackRequirements(AttackRequirements::Present).to_string();

// check result
assert_eq!(s, "AT:P");

Get metric name:

// get metric name
let name = Name::from(Metric::AttackRequirements(AttackRequirements::None));

// check result
assert_eq!(name, Name::AttackRequirements);
§

PrivilegesRequired(PrivilegesRequired)

Privileges Required (PR) metric.

§Description

This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

The resulting score is greatest if no privileges are required.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "PR:N".parse()?;

// check result
assert_eq!(metric, Metric::PrivilegesRequired(PrivilegesRequired::None));

Convert metric to string:

// convert metric to string
let s = Metric::PrivilegesRequired(PrivilegesRequired::Low).to_string();

// check result
assert_eq!(s, "PR:L");

Get metric name:

// get metric name
let name = Name::from(Metric::PrivilegesRequired(PrivilegesRequired::High));

// check result
assert_eq!(name, Name::PrivilegesRequired);
§

UserInteraction(UserInteraction)

User Interaction (UI) metric.

§Description

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "UI:N".parse()?;

// check result
assert_eq!(metric, Metric::UserInteraction(UserInteraction::None));

Convert metric to string:

// convert metric to string
let s = Metric::UserInteraction(UserInteraction::Passive).to_string();

// check result
assert_eq!(s, "UI:P");

Get metric name:

// get metric name
let name = Name::from(Metric::UserInteraction(UserInteraction::Active));

// check result
assert_eq!(name, Name::UserInteraction);
§

VulnerableSystemConfidentialityImpact(Impact)

Vulnerable System Confidentiality Impact (VC) metric.

§Description

This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "VC:H".parse()?;

// check result
assert_eq!(metric, Metric::VulnerableSystemConfidentialityImpact(Impact::High));

Convert metric to string:

// convert metric to string
let s = Metric::VulnerableSystemConfidentialityImpact(Impact::Low).to_string();

// check result
assert_eq!(s, "VC:L");

Get metric name:

// get metric name
let name = Name::from(Metric::VulnerableSystemConfidentialityImpact(Impact::None));

// check result
assert_eq!(name, Name::VulnerableSystemConfidentialityImpact);
§

VulnerableSystemIntegrityImpact(Impact)

Vulnerable System Integrity Impact (VI) metric.

§Description

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

The resulting score is greatest when the consequence to the system is highest.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "VI:H".parse()?;

// check result
assert_eq!(metric, Metric::VulnerableSystemIntegrityImpact(Impact::High));

Convert metric to string:

// convert metric to string
let s = Metric::VulnerableSystemIntegrityImpact(Impact::Low).to_string();

// check result
assert_eq!(s, "VI:L");

Get metric name:

// get metric name
let name = Name::from(Metric::VulnerableSystemIntegrityImpact(Impact::None));

// check result
assert_eq!(name, Name::VulnerableSystemIntegrityImpact);
§

VulnerableSystemAvailabilityImpact(Impact)

Vulnerable System Availability Impact (VA) metric.

§Description

This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system. The resulting score is greatest when the consequence to the system is highest.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "VA:H".parse()?;

// check result
assert_eq!(metric, Metric::VulnerableSystemAvailabilityImpact(Impact::High));

Convert metric to string:

// convert metric to string
let s = Metric::VulnerableSystemAvailabilityImpact(Impact::Low).to_string();

// check result
assert_eq!(s, "VA:L");

Get metric name:

// get metric name
let name = Name::from(Metric::VulnerableSystemAvailabilityImpact(Impact::None));

// check result
assert_eq!(name, Name::VulnerableSystemAvailabilityImpact);
§

SubsequentSystemConfidentialityImpact(Impact)

Subsequent System Confidentiality Impact (SC) metric.

§Description

This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "SC:H".parse()?;

// check result
assert_eq!(metric, Metric::SubsequentSystemConfidentialityImpact(Impact::High));

Convert metric to string:

// convert metric to string
let s = Metric::SubsequentSystemConfidentialityImpact(Impact::Low).to_string();

// check result
assert_eq!(s, "SC:L");

Get metric name:

// get metric name
let name = Name::from(Metric::SubsequentSystemConfidentialityImpact(Impact::None));

// check result
assert_eq!(name, Name::SubsequentSystemConfidentialityImpact);
§

SubsequentSystemIntegrityImpact(Impact)

Subsequent System Integrity Impact (SI) metric.

§Description

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

The resulting score is greatest when the consequence to the system is highest.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "SI:H".parse()?;

// check result
assert_eq!(metric, Metric::SubsequentSystemIntegrityImpact(Impact::High));

Convert metric to string:

// convert metric to string
let s = Metric::SubsequentSystemIntegrityImpact(Impact::Low).to_string();

// check result
assert_eq!(s, "SI:L");

Get metric name:

// get metric name
let name = Name::from(Metric::SubsequentSystemIntegrityImpact(Impact::None));

// check result
assert_eq!(name, Name::SubsequentSystemIntegrityImpact);
§

SubsequentSystemAvailabilityImpact(Impact)

Subsequent System Availability Impact (SA) metric.

§Description

This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system. The resulting score is greatest when the consequence to the system is highest.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "SA:H".parse()?;

// check result
assert_eq!(metric, Metric::SubsequentSystemAvailabilityImpact(Impact::High));

Convert metric to string:

// convert metric to string
let s = Metric::SubsequentSystemAvailabilityImpact(Impact::Low).to_string();

// check result
assert_eq!(s, "SA:L");

Get metric name:

// get metric name
let name = Name::from(Metric::SubsequentSystemAvailabilityImpact(Impact::None));

// check result
assert_eq!(name, Name::SubsequentSystemAvailabilityImpact);
§

ExploitMaturity(ExploitMaturity)

Exploit Maturity (E) metric.

§Description

This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. Public availability of easy-to-use exploit code or exploitation instructions increases the number of potential attackers by including those who are unskilled. Initially, real-world exploitation may only be theoretical. Publication of proof-of-concept exploit code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the available exploit code or instructions may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus or other automated attack tools.

It is the responsibility of the CVSS consumer to populate the values of Exploit Maturity (E) based on information regarding the availability of exploitation code/processes and the state of exploitation techniques. This information will be referred to as “threat intelligence” throughout this document.

Operational Recommendation: Threat intelligence sources that provide Exploit Maturity information for all vulnerabilities should be preferred over those with only partial coverage. Also, it is recommended to use multiple sources of threat intelligence as many are not comprehensive. This information should be updated as frequently as possible and its application to CVSS assessment should be automated.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "E:A".parse()?;

// check result
assert_eq!(metric, Metric::ExploitMaturity(ExploitMaturity::Attacked));

Convert metric to string:

// convert metric to string
let s = Metric::ExploitMaturity(ExploitMaturity::ProofOfConcept).to_string();

// check result
assert_eq!(s, "E:P");

Get metric name:

// get metric name
let name = Name::from(Metric::ExploitMaturity(ExploitMaturity::Unreported));

// check result
assert_eq!(name, Name::ExploitMaturity);
§

ConfidentialityRequirement(Requirement)

Confidentiality Requirement (CR) metric.

§Description

These metrics enable the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability metrics relative to Confidentiality and Integrity. Each Security Requirement has three possible values: Low, Medium, or High, or the default value of Not Defined (X).

The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. Following the concept of assuming “reasonable worst case”, in absence of explicit values, these metrics are set to the default value of Not Defined (X), which is equivalent to the metric value of High (H).

§Properties

§Examples

// parse string as metric
let metric: Metric = "CR:H".parse()?;

// check result
assert_eq!(metric, Metric::ConfidentialityRequirement(Requirement::High));

Convert metric to string:

// convert metric to string
let s = Metric::ConfidentialityRequirement(Requirement::Low).to_string();

// check result
assert_eq!(s, "CR:L");

Get metric name:

// get metric name
let name = Name::from(Metric::ConfidentialityRequirement(Requirement::Medium));

// check result
assert_eq!(name, Name::ConfidentialityRequirement);
§

IntegrityRequirement(Requirement)

Integrity Requirement (IR) metric.

§Description

These metrics enable the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability metrics relative to Confidentiality and Integrity. Each Security Requirement has three possible values: Low, Medium, or High, or the default value of Not Defined (X).

The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. Following the concept of assuming “reasonable worst case”, in absence of explicit values, these metrics are set to the default value of Not Defined (X), which is equivalent to the metric value of High (H).

§Properties

§Examples

// parse string as metric
let metric: Metric = "IR:H".parse()?;

// check result
assert_eq!(metric, Metric::IntegrityRequirement(Requirement::High));

Convert metric to string:

// convert metric to string
let s = Metric::IntegrityRequirement(Requirement::Low).to_string();

// check result
assert_eq!(s, "IR:L");

Get metric name:

// get metric name
let name = Name::from(Metric::IntegrityRequirement(Requirement::Medium));

// check result
assert_eq!(name, Name::IntegrityRequirement);
§

AvailabilityRequirement(Requirement)

Availability Requirement (AR) metric.

§Description

These metrics enable the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability metrics relative to Confidentiality and Integrity. Each Security Requirement has three possible values: Low, Medium, or High, or the default value of Not Defined (X).

The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. Following the concept of assuming “reasonable worst case”, in absence of explicit values, these metrics are set to the default value of Not Defined (X), which is equivalent to the metric value of High (H).

§Properties

§Examples

// parse string as metric
let metric: Metric = "AR:H".parse()?;

// check result
assert_eq!(metric, Metric::AvailabilityRequirement(Requirement::High));

Convert metric to string:

// convert metric to string
let s = Metric::AvailabilityRequirement(Requirement::Low).to_string();

// check result
assert_eq!(s, "AR:L");

Get metric name:

// get metric name
let name = Name::from(Metric::AvailabilityRequirement(Requirement::Medium));

// check result
assert_eq!(name, Name::AvailabilityRequirement);
§

ModifiedAttackVector(ModifiedAttackVector)

Modified Attack Vector (MAV) metric.

§Description

Metric value which overrides the base Metric::AttackVector (AV) metric value.

§Properties

§Examples

Parse string as metric and check it:

// parse string as metric
let metric: Metric = "MAV:N".parse()?;

// check result
assert_eq!(metric, Metric::ModifiedAttackVector(ModifiedAttackVector::Network));

Convert metric to string:

// convert metric to string
let s = Metric::ModifiedAttackVector(ModifiedAttackVector::Adjacent).to_string();

// check result
assert_eq!(s, "MAV:A");

Get metric name:

// get metric name
let name = Name::from(Metric::ModifiedAttackVector(ModifiedAttackVector::Local));

// check result
assert_eq!(name, Name::ModifiedAttackVector);
§

ModifiedAttackComplexity(ModifiedAttackComplexity)

Modified Attack Complexity (MAC) metric.

§Description

Metric value which overrides the base Metric::AttackComplexity (AC) metric value.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "MAC:L".parse()?;

// check result
assert_eq!(metric, Metric::ModifiedAttackComplexity(ModifiedAttackComplexity::Low));

Convert metric to string:

// convert metric to string
let s = Metric::ModifiedAttackComplexity(ModifiedAttackComplexity::High).to_string();

// check result
assert_eq!(s, "MAC:H");

Get metric name:

// get metric name
let name = Name::from(Metric::ModifiedAttackComplexity(ModifiedAttackComplexity::High));

// check result
assert_eq!(name, Name::ModifiedAttackComplexity);
§

ModifiedAttackRequirements(ModifiedAttackRequirements)

Modified Attack Requirements (MAT) metric.

§Description

Metric value which overrides the base Metric::AttackRequirements (AT) metric value.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "MAT:N".parse()?;

// check result
assert_eq!(metric, Metric::ModifiedAttackRequirements(ModifiedAttackRequirements::None));

Convert metric to string:

// convert metric to string
let s = Metric::ModifiedAttackRequirements(ModifiedAttackRequirements::Present).to_string();

// check result
assert_eq!(s, "MAT:P");

Get metric name:

// get metric name
let name = Name::from(Metric::ModifiedAttackRequirements(ModifiedAttackRequirements::None));

// check result
assert_eq!(name, Name::ModifiedAttackRequirements);
§

ModifiedPrivilegesRequired(ModifiedPrivilegesRequired)

Modified Privileges Required (MPR) metric.

§Description

Metric value which overrides the base Metric::PrivilegesRequired (PR) metric value.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "MPR:N".parse()?;

// check result
assert_eq!(metric, Metric::ModifiedPrivilegesRequired(ModifiedPrivilegesRequired::None));

Convert metric to string:

// convert metric to string
let s = Metric::ModifiedPrivilegesRequired(ModifiedPrivilegesRequired::Low).to_string();

// check result
assert_eq!(s, "MPR:L");

Get metric name:

// get metric name
let name = Name::from(Metric::ModifiedPrivilegesRequired(ModifiedPrivilegesRequired::High));

// check result
assert_eq!(name, Name::ModifiedPrivilegesRequired);
§

ModifiedUserInteraction(ModifiedUserInteraction)

Modified User Interaction (MUI) metric.

§Description

Metric value which overrides the base Metric::UserInteraction (UI) metric value.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "MUI:N".parse()?;

// check result
assert_eq!(metric, Metric::ModifiedUserInteraction(ModifiedUserInteraction::None));

Convert metric to string:

// convert metric to string
let s = Metric::ModifiedUserInteraction(ModifiedUserInteraction::Passive).to_string();

// check result
assert_eq!(s, "MUI:P");

Get metric name:

// get metric name
let name = Name::from(Metric::ModifiedUserInteraction(ModifiedUserInteraction::Active));

// check result
assert_eq!(name, Name::ModifiedUserInteraction);
§

ModifiedVulnerableSystemConfidentiality(ModifiedImpact)

Modified Vulnerable System Confidentiality (MVC) metric.

§Description

Metric value which overrides the base Metric::VulnerableSystemConfidentialityImpact (VC) metric value.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "MVC:H".parse()?;

// check result
assert_eq!(metric, Metric::ModifiedVulnerableSystemConfidentiality(ModifiedImpact::High));

Convert metric to string:

// convert metric to string
let s = Metric::ModifiedVulnerableSystemConfidentiality(ModifiedImpact::Low).to_string();

// check result
assert_eq!(s, "MVC:L");

Get metric name:

// get metric name
let name = Name::from(Metric::ModifiedVulnerableSystemConfidentiality(ModifiedImpact::None));

// check result
assert_eq!(name, Name::ModifiedVulnerableSystemConfidentiality);
§

ModifiedVulnerableSystemIntegrity(ModifiedImpact)

Modified Vulnerable System Integrity (MVI) metric.

§Description

Metric value which overrides the base Metric::VulnerableSystemIntegrityImpact (VI) metric value.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "MVI:H".parse()?;

// check result
assert_eq!(metric, Metric::ModifiedVulnerableSystemIntegrity(ModifiedImpact::High));

Convert metric to string:

// convert metric to string
let s = Metric::ModifiedVulnerableSystemIntegrity(ModifiedImpact::Low).to_string();

// check result
assert_eq!(s, "MVI:L");

Get metric name:

// get metric name
let name = Name::from(Metric::ModifiedVulnerableSystemIntegrity(ModifiedImpact::None));

// check result
assert_eq!(name, Name::ModifiedVulnerableSystemIntegrity);
§

ModifiedVulnerableSystemAvailability(ModifiedImpact)

Modified Vulnerable System Availability (MVA) metric.

§Description

Metric value which overrides the base Metric::VulnerableSystemAvailabilityImpact (VA) metric value.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "MVA:H".parse()?;

// check result
assert_eq!(metric, Metric::ModifiedVulnerableSystemAvailability(ModifiedImpact::High));

Convert metric to string:

// convert metric to string
let s = Metric::ModifiedVulnerableSystemAvailability(ModifiedImpact::Low).to_string();

// check result
assert_eq!(s, "MVA:L");

Get metric name:

// get metric name
let name = Name::from(Metric::ModifiedVulnerableSystemAvailability(ModifiedImpact::None));

// check result
assert_eq!(name, Name::ModifiedVulnerableSystemAvailability);
§

ModifiedSubsequentSystemConfidentiality(ModifiedImpact)

Modified Subsequent System Confidentiality (MSC) metric.

§Description

Metric value which overrides the base Metric::SubsequentSystemConfidentialityImpact (SC) metric value.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "MSC:H".parse()?;

// check result
assert_eq!(metric, Metric::ModifiedSubsequentSystemConfidentiality(ModifiedImpact::High));

Convert metric to string:

// convert metric to string
let s = Metric::ModifiedSubsequentSystemConfidentiality(ModifiedImpact::Low).to_string();

// check result
assert_eq!(s, "MSC:L");

Get metric name:

// get metric name
let name = Name::from(Metric::ModifiedSubsequentSystemConfidentiality(ModifiedImpact::None));

// check result
assert_eq!(name, Name::ModifiedSubsequentSystemConfidentiality);
§

ModifiedSubsequentSystemIntegrity(ModifiedSubsequentImpact)

Modified Subsequent System Integrity (MSI) metric.

§Description

Metric value which overrides the base Metric::SubsequentSystemIntegrityImpact (SI) metric value.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "MSI:H".parse()?;

// check result
assert_eq!(metric, Metric::ModifiedSubsequentSystemIntegrity(ModifiedSubsequentImpact::High));

Convert metric to string:

// convert metric to string
let s = Metric::ModifiedSubsequentSystemIntegrity(ModifiedSubsequentImpact::Low).to_string();

// check result
assert_eq!(s, "MSI:L");

Get metric name:

// get metric name
let name = Name::from(Metric::ModifiedSubsequentSystemIntegrity(ModifiedSubsequentImpact::None));

// check result
assert_eq!(name, Name::ModifiedSubsequentSystemIntegrity);
§

ModifiedSubsequentSystemAvailability(ModifiedSubsequentImpact)

Modified Subsequent System Availability (MSA) metric.

§Description

Metric value which overrides the base Metric::SubsequentSystemAvailabilityImpact (SA) metric value.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "MSA:H".parse()?;

// check result
assert_eq!(metric, Metric::ModifiedSubsequentSystemAvailability(ModifiedSubsequentImpact::High));

Convert metric to string:

// convert metric to string
let s = Metric::ModifiedSubsequentSystemAvailability(ModifiedSubsequentImpact::Low).to_string();

// check result
assert_eq!(s, "MSA:L");

Get metric name:

// get metric name
let name = Name::from(Metric::ModifiedSubsequentSystemAvailability(ModifiedSubsequentImpact::None));

// check result
assert_eq!(name, Name::ModifiedSubsequentSystemAvailability);
§

Safety(Safety)

Safety (S) metric.

§Description

The Safety supplemental metric value indicates the degree of impact to the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited.

Note that Safety metrics are defined in both Environmental and Supplemental contexts, although the vector string values differ. As a Supplemental metric, and consistent with the IEC 61508 Definitions table below, Safety can be described with metric values of S:X, S:P, or S:N.

§Properties

§IEC 61508 Definitions
CategoryDefinition
CatastrophicMultiple loss of life
CriticalLoss of a single life
MarginalMajor injuries to one or more persons
NegligibleMinor injuries at worst

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "S:P".parse()?;

// check result
assert_eq!(metric, Metric::Safety(Safety::Present));

Convert metric to string:

// convert metric to string
let s = Metric::Safety(Safety::Negligible).to_string();

// check result
assert_eq!(s, "S:N");

Get metric name:

// get metric name
let name = Name::from(Metric::Safety(Safety::NotDefined));

// check result
assert_eq!(name, Name::Safety);
§

Automatable(Automatable)

Automatable (AU) metric.

§Description

The “Automatable” metric captures the answer to the question ”Can an attacker automate exploitation events for this vulnerability across multiple targets?” based on steps 1-4 of the kill chain2 [Hutchins et al., 2011]. These steps are reconnaissance, weaponization, delivery, and exploitation. If evaluated, the metric can take the values no or yes.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "AU:N".parse()?;

// check result
assert_eq!(metric, Metric::Automatable(Automatable::No));

Convert metric to string:

// convert metric to string
let s = Metric::Automatable(Automatable::Yes).to_string();

// check result
assert_eq!(s, "AU:Y");

Get metric name:

// get metric name
let name = Name::from(Metric::Automatable(Automatable::NotDefined));

// check result
assert_eq!(name, Name::Automatable);
§

Recovery(Recovery)

Recovery (R) metric.

§Description

Recovery describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "R:A".parse()?;

// check result
assert_eq!(metric, Metric::Recovery(Recovery::Automatic));

Convert metric to string:

// convert metric to string
let s = Metric::Recovery(Recovery::User).to_string();

// check result
assert_eq!(s, "R:U");

Get metric name:

// get metric name
let name = Name::from(Metric::Recovery(Recovery::Irrecoverable));

// check result
assert_eq!(name, Name::Recovery);
§

ValueDensity(ValueDensity)

Value Density (V) metric.

§Description

Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated:

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "V:D".parse()?;

// check result
assert_eq!(metric, Metric::ValueDensity(ValueDensity::Diffuse));

Convert metric to string:

// convert metric to string
let s = Metric::ValueDensity(ValueDensity::Concentrated).to_string();

// check result
assert_eq!(s, "V:C");

Get metric name:

// get metric name
let name = Name::from(Metric::ValueDensity(ValueDensity::NotDefined));

// check result
assert_eq!(name, Name::ValueDensity);
§

VulnerabilityResponseEffort(VulnerabilityResponseEffort)

Vulnerability Reqponse Effort (RE) metric.

§Description

The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.

When calculating Vulnerability Response Effort, the effort required to deploy the quickest available response should be considered.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "RE:L".parse()?;

// check result
assert_eq!(metric, Metric::VulnerabilityResponseEffort(VulnerabilityResponseEffort::Low));

Convert metric to string:

// convert metric to string
let s = Metric::VulnerabilityResponseEffort(VulnerabilityResponseEffort::Moderate).to_string();

// check result
assert_eq!(s, "RE:M");

Get metric name:

// get metric name
let name = Name::from(Metric::VulnerabilityResponseEffort(VulnerabilityResponseEffort::NotDefined));

// check result
assert_eq!(name, Name::VulnerabilityResponseEffort);
§

ProviderUrgency(ProviderUrgency)

Provider Urgency (U) metric.

§Description

Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories.

To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional “pass-through” Supplemental Metric called Provider Urgency is available.

Note: While any assessment provider along the product supply chain may provide a Provider Urgency rating:

Library Maintainer → OS/Distro Maintainer → Provider 1 … Provider n (PPP) → Consumer

The Penultimate Product Provider (PPP) is best positioned to provide a direct assessment of Provider Urgency.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "U:Red".parse()?;

// check result
assert_eq!(metric, Metric::ProviderUrgency(ProviderUrgency::Red));

Convert metric to string:

// convert metric to string
let s = Metric::ProviderUrgency(ProviderUrgency::Amber).to_string();

// check result
assert_eq!(s, "U:Amber");

Get metric name:

// get metric name
let name = Name::from(Metric::ProviderUrgency(ProviderUrgency::NotDefined));

// check result
assert_eq!(name, Name::ProviderUrgency);

Trait Implementations§

Source§

impl Clone for Metric

Source§

fn clone(&self) -> Metric

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for Metric

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Display for Metric

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter. Read more
Source§

impl From<Metric> for Metric

Source§

fn from(m: Metric) -> Metric

Converts to this type from the input type.
Source§

impl From<Metric> for Name

Source§

fn from(c: Metric) -> Name

Converts to this type from the input type.
Source§

impl From<Metric> for Name

Source§

fn from(m: Metric) -> Name

Converts to this type from the input type.
Source§

impl FromStr for Metric

Source§

type Err = Err

The associated error which can be returned from parsing.
Source§

fn from_str(s: &str) -> Result<Self, Self::Err>

Parses a string s to return a value of this type. Read more
Source§

impl PartialEq for Metric

Source§

fn eq(&self, other: &Metric) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl TryFrom<String> for Metric

Source§

type Error = Err

The type returned in the event of a conversion error.
Source§

fn try_from(s: String) -> Result<Self, Self::Error>

Performs the conversion.
Source§

impl Copy for Metric

Source§

impl Eq for Metric

Source§

impl StructuralPartialEq for Metric

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T> ToString for T
where T: Display + ?Sized,

Source§

fn to_string(&self) -> String

Converts the given value to a String. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.