Merge pull request #12 from goark/debug-and-refactoring
Fixed name:value validation in CVSS vector string
spiegel-im-spiegel authored Jan 24, 2023
2 parents 0c5bb2a + f443f72 commit 742c132
Showing 8 changed files with 78 additions and 18 deletions.
16 changes: 15 additions & 1 deletion v2/base/base.go
Expand Up @@ -47,7 +47,7 @@ func Decode(vector string) (*Metrics, error) {
metrics := NewMetrics()
for _, value := range values {
metric := strings.Split(value, ":")
if len(metric) != 2 {
if len(metric) != 2 || len(metric[0]) == 0 || len(metric[1]) == 0 {
return nil, errs.Wrap(cvsserr.ErrInvalidVector, errs.WithContext("vector", vector))
}
switch strings.ToUpper(metric[0]) {
Expand Down Expand Up @@ -154,3 +154,17 @@ func (m *Metrics) TemporalScore() float64 {
}

/* Copyright 2022 luxifer */
/* Copyright 2023 Spiegel
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
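Review bot: The tightened check on `if len(metric) != 2 || len(metric[0]) == 0 || len(metric[1]) == 0 {` gets no regression test in this commit for v2/base.Decode, and the same applies to v3/base.Decode in v3/base/base.go — only the v3/metric packages gain the `/:N` and `/:` table cases. An element with an empty name presumably reached the default branch of `switch strings.ToUpper(metric[0])` before this change, so the error callers observe for that input changes without a test pinning it. Adding the same two malformed vectors to the v2/base and v3/base decode tests, mirroring the cases added to v3/metric/base_test.go, would cover the new condition in all four decoders. The body of Decode continues outside the hunk.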
18 changes: 9 additions & 9 deletions v3/base/base.go
Expand Up @@ -10,7 +10,7 @@ import (
"github.com/goark/go-cvss/v3/version"
)

//Metrics is Base Metrics for CVSSv3
// Metrics is Base Metrics for CVSSv3
type Metrics struct {
Ver version.Num
AV AttackVector
Expand All @@ -37,7 +37,7 @@ type Metrics struct {
MA ModifiedAvailabilityImpact
}

//NewMetrics returns Metrics instance
// NewMetrics returns Metrics instance
func NewMetrics() *Metrics {
return &Metrics{
Ver: version.Unknown,
Expand Down Expand Up @@ -66,7 +66,7 @@ func NewMetrics() *Metrics {
}
}

//Decode returns Metrics instance by CVSSv3 vector
// Decode returns Metrics instance by CVSSv3 vector
func Decode(vector string) (*Metrics, error) {
values := strings.Split(vector, "/")
if len(values) < 9 {
Expand All @@ -85,7 +85,7 @@ func Decode(vector string) (*Metrics, error) {
metrics.Ver = num
for _, value := range values[1:] {
metric := strings.Split(value, ":")
if len(metric) != 2 {
if len(metric) != 2 || len(metric[0]) == 0 || len(metric[1]) == 0 {
return nil, errs.Wrap(cvsserr.ErrInvalidVector, errs.WithContext("vector", vector))
}
switch strings.ToUpper(metric[0]) {
Expand Down Expand Up @@ -150,7 +150,7 @@ func checkVersion(ver string) (version.Num, error) {
return version.Get(v[1]), nil
}

//Encode returns CVSSv3 vector string
// Encode returns CVSSv3 vector string
func (m *Metrics) Encode() (string, error) {
if err := m.GetError(); err != nil {
return "", err
Expand Down Expand Up @@ -225,7 +225,7 @@ func (m *Metrics) Encode() (string, error) {
return r.String(), nil
}

//GetError returns error instance if undefined metric
// GetError returns error instance if undefined metric
func (m *Metrics) GetError() error {
if m == nil {
return errs.Wrap(cvsserr.ErrUndefinedMetric)
Expand All @@ -238,7 +238,7 @@ func (m *Metrics) GetError() error {
}
}

//Score returns score of Base metrics
// Score returns score of Base metrics
func (m *Metrics) Score() float64 {
if err := m.GetError(); err != nil {
return 0.0
Expand All @@ -263,7 +263,7 @@ func (m *Metrics) Score() float64 {
return score
}

//GetSeverity returns severity by score of Base metrics
// GetSeverity returns severity by score of Base metrics
func (m *Metrics) GetSeverity() Severity {
score := m.Score()
switch true {
Expand Down Expand Up @@ -322,7 +322,7 @@ func roundUp(input float64) float64 {
}

/* Contributed by Florent Viel, 2020 */
/* Copyright 2018-2020 Spiegel
/* Copyright 2018-2023 Spiegel
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
4 changes: 2 additions & 2 deletions v3/metric/base.go
Expand Up @@ -70,7 +70,7 @@ func (bm *Base) Decode(vector string) (*Base, error) {
}
func (bm *Base) decodeOne(str string) error {
m := strings.Split(str, ":")
if len(m) != 2 || len(m[1]) == 0 {
if len(m) != 2 || len(m[0]) == 0 || len(m[1]) == 0 {
return errs.Wrap(cvsserr.ErrInvalidVector, errs.WithContext("metric", str))
}
switch strings.ToUpper(m[0]) {
Expand Down Expand Up @@ -166,7 +166,7 @@ func (bm *Base) BaseMetrics() *Base {
return bm
}

/* Copyright 2018-2020 Spiegel
/* Copyright 2018-2023 Spiegel
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
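Review bot: The split-and-validate prologue at `if len(m) != 2 || len(m[0]) == 0 || len(m[1]) == 0 {` is now repeated verbatim in Base.decodeOne, Environmental.decodeOne (v3/metric/environmental.go) and Temporal.decodeOne (v3/metric/temporal.go), and this commit is itself evidence that such copies drift — the metric package already rejected an empty value while the base packages did not. A small package-level helper that performs the split and returns either the name and value or the ErrInvalidVector wrap would keep the three call sites, and any future decoder, on one rule. The `switch strings.ToUpper(m[0])` cases below the hunk presumably read `m[1]`; they would take the returned value instead. The rest of decodeOne is outside the hunk.
```go
// splitMetric splits one "NAME:VALUE" vector element, rejecting a
// missing separator, an empty name, or an empty value.
func splitMetric(str string) (name, value string, err error) {
	m := strings.Split(str, ":")
	if len(m) != 2 || len(m[0]) == 0 || len(m[1]) == 0 {
		return "", "", errs.Wrap(cvsserr.ErrInvalidVector, errs.WithContext("metric", str))
	}
	return m[0], m[1], nil
}

func (bm *Base) decodeOne(str string) error {
	name, value, err := splitMetric(str)
	if err != nil {
		return err
	}
	switch strings.ToUpper(name) {
	// … unchanged: per-metric cases, reading value instead of m[1] …
```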
4 changes: 3 additions & 1 deletion v3/metric/base_test.go
Expand Up @@ -20,6 +20,8 @@ func TestDecodeError(t *testing.T) {
{vector: "CVSS3.1/AV:X/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N", err: cvsserr.ErrInvalidVector},
{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A-N", err: cvsserr.ErrInvalidVector},
{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:", err: cvsserr.ErrInvalidVector},
{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/:N", err: cvsserr.ErrInvalidVector},
{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/:", err: cvsserr.ErrInvalidVector},
{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/X:N", err: cvsserr.ErrNotSupportMetric},
{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:X", err: cvsserr.ErrUndefinedMetric},
{vector: "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:X/A:N", err: cvsserr.ErrUndefinedMetric},
Expand Down Expand Up @@ -134,7 +136,7 @@ func TestScore(t *testing.T) {
}

/* Contributed by Florent Viel, 2020 */
/* Copyright 2018-2020 Spiegel
/* Copyright 2023 Spiegel
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
16 changes: 15 additions & 1 deletion v3/metric/environmental.go
Expand Up @@ -83,7 +83,7 @@ func (em *Environmental) decodeOne(str string) error {
return nil
}
m := strings.Split(str, ":")
if len(m) != 2 || len(m[1]) == 0 {
if len(m) != 2 || len(m[0]) == 0 || len(m[1]) == 0 {
return errs.Wrap(cvsserr.ErrInvalidVector, errs.WithContext("metric", str))
}
switch strings.ToUpper(m[0]) {
Expand Down Expand Up @@ -217,3 +217,17 @@ func (em *Environmental) TemporalMetrics() *Temporal {
}

/* Copyright 2022 thejohnbrown */
/* Copyright 2023 Spiegel
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
17 changes: 16 additions & 1 deletion v3/metric/environmental_test.go
Expand Up @@ -20,6 +20,8 @@ func TestEnvironmentalScore(t *testing.T) {
{vector: "CVSS:3.0/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/X:N", err: cvsserr.ErrNotSupportMetric, score: 0, sav: SeverityNone},
{vector: "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L/RC:", err: cvsserr.ErrInvalidVector, score: 0, sav: SeverityNone},
{vector: "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L/MC:", err: cvsserr.ErrInvalidVector, score: 0, sav: SeverityNone},
{vector: "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L/:X", err: cvsserr.ErrInvalidVector, score: 0, sav: SeverityNone},
{vector: "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L/:", err: cvsserr.ErrInvalidVector, score: 0, sav: SeverityNone},
{vector: "CVSS:3.0/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/A:N", err: nil, score: 3.8, sav: SeverityLow},
{vector: "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L/E:P/RL:O/RC:U/CR:L/IR:M/AR:L/MAV:P/MAC:L/MPR:L/MUI:R/MS:C/MC:H/MI:H/MA:H", err: nil, score: 5.5, sav: SeverityMedium},
{vector: "CVSS:3.1/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/A:N/E:F", err: nil, score: 3.7, sav: SeverityLow},
Expand Down Expand Up @@ -49,4 +51,17 @@ func TestEnvironmentalScore(t *testing.T) {
}

/* Copyright 2022 thejohnbrown */
/* Copyright 2023 Spiegel */
/* Copyright 2023 Spiegel
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
17 changes: 15 additions & 2 deletions v3/metric/temporal.go
Expand Up @@ -66,7 +66,7 @@ func (tm *Temporal) decodeOne(str string) error {
return nil
}
m := strings.Split(str, ":")
if len(m) != 2 || len(m[1]) == 0 {
if len(m) != 2 || len(m[0]) == 0 || len(m[1]) == 0 {
return errs.Wrap(cvsserr.ErrInvalidVector, errs.WithContext("metric", str))
}
switch strings.ToUpper(m[0]) {
Expand Down Expand Up @@ -137,4 +137,17 @@ func (tm *Temporal) BaseMetrics() *Base {
}

/* Copyright by Florent Viel, 2020 */
/* Contributed by Spiegel, 2020 */
/* Copyright 2020-2023 Spiegel
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
4 changes: 3 additions & 1 deletion v3/metric/temporal_test.go
Expand Up @@ -19,6 +19,8 @@ func TestTemporalScore(t *testing.T) {
{vector: "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/C:L/I:L/A:N", err: cvsserr.ErrInvalidVector, score: 0, sav: SeverityNone},
{vector: "CVSS:3.0/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/X:N", err: cvsserr.ErrNotSupportMetric, score: 0, sav: SeverityNone},
{vector: "CVSS:3.0/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/RC:", err: cvsserr.ErrInvalidVector, score: 0, sav: SeverityNone},
{vector: "CVSS:3.0/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/:X", err: cvsserr.ErrInvalidVector, score: 0, sav: SeverityNone},
{vector: "CVSS:3.0/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/:", err: cvsserr.ErrInvalidVector, score: 0, sav: SeverityNone},
{vector: "CVSS:3.0/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/A:N", err: nil, score: 3.8, sav: SeverityLow},
{vector: "CVSS:3.1/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/A:N", err: nil, score: 3.8, sav: SeverityLow},
{vector: "CVSS:3.1/S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/A:N/E:F", err: nil, score: 3.7, sav: SeverityLow},
Expand All @@ -43,7 +45,7 @@ func TestTemporalScore(t *testing.T) {
}

/* Contributed by Florent Viel, 2020 */
/* Copyright 2018-2020 Spiegel
/* Copyright 2018-2023 Spiegel
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
