Metric

polycvss::v2

Enum Metric 

Source 
pub enum Metric {

Show 14 variants    AccessVector(AccessVector),
    AccessComplexity(AccessComplexity),
    Authentication(Authentication),
    Confidentiality(Impact),
    Integrity(Impact),
    Availability(Impact),
    Exploitability(Exploitability),
    RemediationLevel(RemediationLevel),
    ReportConfidence(ReportConfidence),
    CollateralDamagePotential(CollateralDamagePotential),
    TargetDistribution(TargetDistribution),
    ConfidentialityRequirement(Requirement),
    IntegrityRequirement(Requirement),
    AvailabilityRequirement(Requirement),

}
Expand description

Vector component.

§Examples

Parse string as metric and check it:

// parse string as metric
let metric: Metric = "AV:N".parse()?;

// check result
assert_eq!(metric, Metric::AccessVector(AccessVector::Network));

Convert metric to string:

// convert metric to string
let s = Metric::AccessVector(AccessVector::AdjacentNetwork).to_string();

// check result
assert_eq!(s, "AV:A");

Get metric name:

// get metric name
let name = Name::from(Metric::AccessVector(AccessVector::Local));

// check result
assert_eq!(name, Name::AccessVector);

Variants§

§

AccessVector(AccessVector)

Access Vector (AV) metric.

§Description

This metric reflects how the vulnerability is exploited. The more remote an attacker can be to attack a host, the greater the vulnerability score.

§Properties

§Examples

Parse string as metric and check it:

// parse string as metric
let metric: Metric = "AV:N".parse()?;

// check result
assert_eq!(metric, Metric::AccessVector(AccessVector::Network));

Convert metric to string:

// convert metric to string
let s = Metric::AccessVector(AccessVector::AdjacentNetwork).to_string();

// check result
assert_eq!(s, "AV:A");

Get metric name:

// get metric name
let name = Name::from(Metric::AccessVector(AccessVector::Local));

// check result
assert_eq!(name, Name::AccessVector);
§

AccessComplexity(AccessComplexity)

Access Complexity (AC) metric.

§Description

This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. For example, consider a buffer overflow in an Internet service: once the target system is located, the attacker can launch an exploit at will.

Other vulnerabilities, however, may require additional steps in order to be exploited. For example, a vulnerability in an email client is only exploited after the user downloads and opens a tainted attachment. The possible values for this metric are listed in Table 2. The lower the required complexity, the higher the vulnerability score.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "AC:L".parse()?;

// check result
assert_eq!(metric, Metric::AccessComplexity(AccessComplexity::Low));

Convert metric to string:

// convert metric to string
let s = Metric::AccessComplexity(AccessComplexity::High).to_string();

// check result
assert_eq!(s, "AC:H");

Get metric name:

// get metric name
let name = Name::from(Metric::AccessComplexity(AccessComplexity::High));

// check result
assert_eq!(name, Name::AccessComplexity);
§

Authentication(Authentication)

Authentication (Au) metric.

§Description

This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The fewer authentication instances that are required, the higher the vulnerability score.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "Au:M".parse()?;

// check result
assert_eq!(metric, Metric::Authentication(Authentication::Multiple));

Convert metric to string:

// convert metric to string
let s = Metric::Authentication(Authentication::Single).to_string();

// check result
assert_eq!(s, "Au:S");

Get metric name:

// get metric name
let name = Name::from(Metric::Authentication(Authentication::None));

// check result
assert_eq!(name, Name::Authentication);
§

Confidentiality(Impact)

Confidentiality Impact (C) metric.

§Description

This metric measures the impact on confidentiality of a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. Increased confidentiality impact increases the vulnerability score.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "C:C".parse()?;

// check result
assert_eq!(metric, Metric::Confidentiality(Impact::Complete));

Convert metric to string:

// convert metric to string
let s = Metric::Confidentiality(Impact::Partial).to_string();

// check result
assert_eq!(s, "C:P");

Get metric name:

// get metric name
let name = Name::from(Metric::Confidentiality(Impact::None));

// check result
assert_eq!(name, Name::Confidentiality);
§

Integrity(Impact)

Integrity Impact (I) metric.

§Documentation

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and guaranteed veracity of information. Increased integrity impact increases the vulnerability score.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "I:C".parse()?;

// check result
assert_eq!(metric, Metric::Integrity(Impact::Complete));

Convert metric to string:

// convert metric to string
let s = Metric::Integrity(Impact::Partial).to_string();

// check result
assert_eq!(s, "I:P");

Get metric name:

// get metric name
let name = Name::from(Metric::Integrity(Impact::None));

// check result
assert_eq!(name, Name::Integrity);
§

Availability(Impact)

Availability Impact (A) metric.

§Documentation

This metric measures the impact to availability of a successfully exploited vulnerability. Availability refers to the accessibility of information resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system. Increased availability impact increases the vulnerability score.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "A:C".parse()?;

// check result
assert_eq!(metric, Metric::Availability(Impact::Complete));

Convert metric to string:

// convert metric to string
let s = Metric::Availability(Impact::Partial).to_string();

// check result
assert_eq!(s, "A:P");

Get metric name:

// get metric name
let name = Name::from(Metric::Availability(Impact::None));

// check result
assert_eq!(name, Name::Availability);
§

Exploitability(Exploitability)

Exploitability (E) metric.

§Description

This metric measures the current state of exploit techniques or code availability. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability.

Initially, real-world exploitation may only be theoretical. Publication of proof of concept code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus. The more easily a vulnerability can be exploited, the higher the vulnerability score.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "E:H".parse()?;

// check result
assert_eq!(metric, Metric::Exploitability(Exploitability::High));

Convert metric to string:

// convert metric to string
let s = Metric::Exploitability(Exploitability::Functional).to_string();

// check result
assert_eq!(s, "E:F");

Get metric name:

// get metric name
let name = Name::from(Metric::Exploitability(Exploitability::ProofOfConcept));

// check result
assert_eq!(name, Name::Exploitability);
§

RemediationLevel(RemediationLevel)

Remediation Level (RL) metric.

§Description

The remediation level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The less official and permanent a fix, the higher the vulnerability score is.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "RL:U".parse()?;

// check result
assert_eq!(metric, Metric::RemediationLevel(RemediationLevel::Unavailable));

Convert metric to string:

// convert metric to string
let s = Metric::RemediationLevel(RemediationLevel::Workaround).to_string();

// check result
assert_eq!(s, "RL:W");

Get metric name:

// get metric name
let name = Name::from(Metric::RemediationLevel(RemediationLevel::TemporaryFix));

// check result
assert_eq!(name, Name::RemediationLevel);
§

ReportConfidence(ReportConfidence)

Report Confidence (RC) metric.

§Description

This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes, only the existence of vulnerabilities are publicized, but without specific details. The vulnerability may later be corroborated and then confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "RC:C".parse()?;

// check result
assert_eq!(metric, Metric::ReportConfidence(ReportConfidence::Confirmed));

Convert metric to string:

// convert metric to string
let s = Metric::ReportConfidence(ReportConfidence::Uncorroborated).to_string();

// check result
assert_eq!(s, "RC:UR");

Get metric name:

// get metric name
let name = Name::from(Metric::ReportConfidence(ReportConfidence::Unconfirmed));

// check result
assert_eq!(name, Name::ReportConfidence);
§

CollateralDamagePotential(CollateralDamagePotential)

Collateral Damage Potential (CDP) metric.

§Description

This metric measures the potential for loss of life or physical assets through damage or theft of property or equipment. The metric may also measure economic loss of productivity or revenue. Naturally, the greater the damage potential, the higher the vulnerability score.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "CDP:H".parse()?;

// check result
assert_eq!(metric, Metric::CollateralDamagePotential(CollateralDamagePotential::High));

Convert metric to string:

// convert metric to string
let s = Metric::CollateralDamagePotential(CollateralDamagePotential::MediumHigh).to_string();

// check result
assert_eq!(s, "CDP:MH");

Get metric name:

// get metric name
let name = Name::from(Metric::CollateralDamagePotential(CollateralDamagePotential::LowMedium));

// check result
assert_eq!(name, Name::CollateralDamagePotential);
§

TargetDistribution(TargetDistribution)

Target Distribution (TD) metric.

§Description

This metric measures the proportion of vulnerable systems. It is meant as an environment-specific indicator in order to approximate the percentage of systems that could be affected by the vulnerability. The greater the proportion of vulnerable systems, the higher the score.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "TD:H".parse()?;

// check result
assert_eq!(metric, Metric::TargetDistribution(TargetDistribution::High));

Convert metric to string:

// convert metric to string
let s = Metric::TargetDistribution(TargetDistribution::Medium).to_string();

// check result
assert_eq!(s, "TD:M");

Get metric name:

// get metric name
let name = Name::from(Metric::TargetDistribution(TargetDistribution::Low));

// check result
assert_eq!(name, Name::TargetDistribution);
§

ConfidentialityRequirement(Requirement)

Confidentiality Requirement (CR) metric.

§Description

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a users organization, measured in terms of confidentiality, integrity, and availability, That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: low, medium, or high.

The full effect on the environmental score is determined by the corresponding base impact metrics (please note that the base confidentiality, integrity and availability impact metrics, themselves, are not changed). That is, these metrics modify the environmental score by reweighting the (base) confidentiality, integrity, and availability impact metrics. For example, the confidentiality impact (C) metric has increased weight if the confidentiality requirement (CR) is high. Likewise, the confidentiality impact metric has decreased weight if the confidentiality requirement is low. The confidentiality impact metric weighting is neutral if the confidentiality requirement is medium. This same logic is applied to the integrity and availability requirements.

Note that the confidentiality requirement will not affect the environmental score if the (base) confidentiality impact is set to none. Also, increasing the confidentiality requirement from medium to high will not change the environmental score when the (base) impact metrics are set to complete. This is because the impact sub score (part of the base score that calculates impact) is already at a maximum value of 10.

The possible values for the security requirements are listed in Table 12. For brevity, the same table is used for all three metrics. The greater the security requirement, the higher the score (remember that medium is considered the default). These metrics will modify the score as much as plus or minus 2.5.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "CR:H".parse()?;

// check result
assert_eq!(metric, Metric::ConfidentialityRequirement(Requirement::High));

Convert metric to string:

// convert metric to string
let s = Metric::ConfidentialityRequirement(Requirement::Medium).to_string();

// check result
assert_eq!(s, "CR:M");

Get metric name:

// get metric name
let name = Name::from(Metric::ConfidentialityRequirement(Requirement::Low));

// check result
assert_eq!(name, Name::ConfidentialityRequirement);
§

IntegrityRequirement(Requirement)

Integrity Requirement (IR) metric.

§Description

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a users organization, measured in terms of confidentiality, integrity, and availability, That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: low, medium, or high.

The full effect on the environmental score is determined by the corresponding base impact metrics (please note that the base confidentiality, integrity and availability impact metrics, themselves, are not changed). That is, these metrics modify the environmental score by reweighting the (base) confidentiality, integrity, and availability impact metrics. For example, the confidentiality impact (C) metric has increased weight if the confidentiality requirement (CR) is high. Likewise, the confidentiality impact metric has decreased weight if the confidentiality requirement is low. The confidentiality impact metric weighting is neutral if the confidentiality requirement is medium. This same logic is applied to the integrity and availability requirements.

Note that the confidentiality requirement will not affect the environmental score if the (base) confidentiality impact is set to none. Also, increasing the confidentiality requirement from medium to high will not change the environmental score when the (base) impact metrics are set to complete. This is because the impact sub score (part of the base score that calculates impact) is already at a maximum value of 10.

The possible values for the security requirements are listed in Table 12. For brevity, the same table is used for all three metrics. The greater the security requirement, the higher the score (remember that medium is considered the default). These metrics will modify the score as much as plus or minus 2.5.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "IR:H".parse()?;

// check result
assert_eq!(metric, Metric::IntegrityRequirement(Requirement::High));

Convert metric to string:

// convert metric to string
let s = Metric::IntegrityRequirement(Requirement::Medium).to_string();

// check result
assert_eq!(s, "IR:M");

Get metric name:

// get metric name
let name = Name::from(Metric::IntegrityRequirement(Requirement::Low));

// check result
assert_eq!(name, Name::IntegrityRequirement);
§

AvailabilityRequirement(Requirement)

Availability Requirement (AR) metric.

§Description

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a users organization, measured in terms of confidentiality, integrity, and availability, That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: low, medium, or high.

The full effect on the environmental score is determined by the corresponding base impact metrics (please note that the base confidentiality, integrity and availability impact metrics, themselves, are not changed). That is, these metrics modify the environmental score by reweighting the (base) confidentiality, integrity, and availability impact metrics. For example, the confidentiality impact (C) metric has increased weight if the confidentiality requirement (CR) is high. Likewise, the confidentiality impact metric has decreased weight if the confidentiality requirement is low. The confidentiality impact metric weighting is neutral if the confidentiality requirement is medium. This same logic is applied to the integrity and availability requirements.

Note that the confidentiality requirement will not affect the environmental score if the (base) confidentiality impact is set to none. Also, increasing the confidentiality requirement from medium to high will not change the environmental score when the (base) impact metrics are set to complete. This is because the impact sub score (part of the base score that calculates impact) is already at a maximum value of 10.

The possible values for the security requirements are listed in Table 12. For brevity, the same table is used for all three metrics. The greater the security requirement, the higher the score (remember that medium is considered the default). These metrics will modify the score as much as plus or minus 2.5.

§Properties

§Examples

Parse string as metric:

// parse string as metric
let metric: Metric = "AR:H".parse()?;

// check result
assert_eq!(metric, Metric::AvailabilityRequirement(Requirement::High));

Convert metric to string:

// convert metric to string
let s = Metric::AvailabilityRequirement(Requirement::Medium).to_string();

// check result
assert_eq!(s, "AR:M");

Get metric name:

// get metric name
let name = Name::from(Metric::AvailabilityRequirement(Requirement::Low));

// check result
assert_eq!(name, Name::AvailabilityRequirement);

Trait Implementations§

Source§

impl Clone for Metric

Source§

fn clone(&self) -> Metric

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for Metric

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Display for Metric

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter. Read more
Source§

impl From<Metric> for Metric

Source§

fn from(m: Metric) -> Metric

Converts to this type from the input type.
Source§

impl From<Metric> for Name

Source§

fn from(m: Metric) -> Name

Converts to this type from the input type.
Source§

impl From<Metric> for Name

Source§

fn from(m: Metric) -> Name

Converts to this type from the input type.
Source§

impl FromStr for Metric

Source§

type Err = Err

The associated error which can be returned from parsing.
Source§

fn from_str(s: &str) -> Result<Self, Self::Err>

Parses a string s to return a value of this type. Read more
Source§

impl PartialEq for Metric

Source§

fn eq(&self, other: &Metric) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl TryFrom<String> for Metric

Source§

type Error = Err

The type returned in the event of a conversion error.
Source§

fn try_from(s: String) -> Result<Self, Self::Error>

Performs the conversion.
Source§

impl Copy for Metric

Source§

impl Eq for Metric

Source§

impl StructuralPartialEq for Metric

Auto Trait Implementations§

§

impl Freeze for Metric

§

impl RefUnwindSafe for Metric

§

impl Send for Metric

§

impl Sync for Metric

§

impl Unpin for Metric

§

impl UnwindSafe for Metric

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T> ToString for T
where T: Display + ?Sized,

Source§

fn to_string(&self) -> String

Converts the given value to a String. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.