Merge pull request #6 from spiegel-im-spiegel/add-cvss-report-for-env…

…ironmental-metrics

Add cvss report for environmental metrics

.github/workflows/codeql-analysis.yml

@@ -36,18 +36,13 @@ jobs:
         # a pull request then we can checkout the head.
         fetch-depth: 2
 
-    # If this run was triggered by a pull request event, then checkout
-    # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
-
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file. 
+        # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 

.github/workflows/lint.yml

@@ -1,25 +1,24 @@
 name: lint
 on:
   push:
-    tags:
-      - v*
     branches:
       - master
   pull_request:
 jobs:
   golangci:
-    strategy:
-      matrix:
-        go-version: [1.15.x]
-        os: [ubuntu-latest]
     name: lint
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ^1.17
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v2
         with:
           # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
           version: latest
+          # Optional: golangci-lint command line arguments.
+          args: --enable gosec
       - name: testing
-        run: go test ./...
+        run: go test -shuffle on ./...

.github/workflows/vulns.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
         with:
-          go-version: ^1.13
+          go-version: ^1.17
       - name: WriteGoList
         run: go list -json -m all > go.list
       - name: Nancy

.task/checksum/nancy

@@ -0,0 +1 @@
+8cac9f506f3e6183c8b5ed2ba7ed048e

.task/checksum/test

@@ -0,0 +1 @@
+8cac9f506f3e6183c8b5ed2ba7ed048e

Taskfile.yml

@@ -0,0 +1,31 @@
+version: '3'
+
+tasks:
+  default:
+    cmds:
+      - task: clean
+      - task: test
+      - task: nancy
+
+  test:
+    desc: Test and lint.
+    cmds:
+      - go mod verify
+      - go test -shuffle on ./...
+      - docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.44.2 golangci-lint run --enable gosec --timeout 3m0s ./...
+    sources:
+      - ./go.mod
+      - '**/*.go'
+
+  nancy:
+    desc: Check vulnerability of external packages with Nancy.
+    cmds:
+      - depm list -j | docker run --rm -i sonatypecommunity/nancy:latest sleuth -n
+    sources:
+      - ./go.mod
+      - '**/*.go'
+
+  clean:
+    desc: Initialize module and build cache, and remake go.sum file.
+    cmds:
+      - go mod tidy -v -go=1.17

go.mod

@@ -1,8 +1,8 @@
 module github.com/spiegel-im-spiegel/go-cvss
 
-go 1.15
+go 1.17
 
 require (
-	github.com/spiegel-im-spiegel/errs v1.0.2
-	golang.org/x/text v0.3.3
+	github.com/spiegel-im-spiegel/errs v1.0.5
+	golang.org/x/text v0.3.7
 )

go.sum

@@ -1,5 +1,5 @@
-github.com/spiegel-im-spiegel/errs v1.0.2 h1:v4amEwRDqRWjKHOILQnJSovYhZ4ZttEnBBXNXEzS6Sc=
-github.com/spiegel-im-spiegel/errs v1.0.2/go.mod h1:UoasJYYujMcdkbT9USv8dfZWoMyaY3btqQxoLJImw0A=
-golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+github.com/spiegel-im-spiegel/errs v1.0.5 h1:5qAUEXPZgF4ZIUmw2vpe7OgDP0C8DIV67BKwjfLidJI=
+github.com/spiegel-im-spiegel/errs v1.0.5/go.mod h1:mOsWcUc9hpRXjwdgJqJ3E2n6ibkYFvhNck1QD0ZVGOM=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

sample/base/sample.go

@@ -1,3 +1,6 @@
+//go:build run
+// +build run
+
 package main
 
 import (

sample/environmental/sample.go

@@ -0,0 +1,28 @@
+//go:build run
+// +build run
+
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spiegel-im-spiegel/go-cvss/v3/metric"
+)
+
+func main() {
+	em, err := metric.NewEnvironmental().Decode("CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:M/IR:H/AR:M/MAV:L/MAC:H/MPR:L/MUI:R/MS:U/MC:L/MI:H/MA:L") //Random CVSS Vector
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		return
+	}
+	fmt.Printf("Base Severity: %v (%v)\n", em.BaseMetrics().Severity(), em.BaseMetrics().Score())
+	fmt.Printf("Temporal Severity: %v (%v)\n", em.TemporalMetrics().Severity(), em.TemporalMetrics().Score())
+	fmt.Printf("Environmental Severity: %v (%v)\n", em.Severity(), em.Score())
+	// Output:
+	// Base Severity: Critical (6.1)
+	// Temporal Severity: Critical (6)
+	// Environmental Severity: Critical (6.5)
+}
+
+/* Copyright 2022 thejohnbrown */

sample/sample.go

@@ -1,3 +1,6 @@
+//go:build run
+// +build run
+
 package main
 
 import (
@@ -38,15 +41,33 @@ var template = `- CVSS Version {{ .Version }}
 | {{ .EName }} | {{ .EValue }} |
 | {{ .RLName }} | {{ .RLValue }} |
 | {{ .RCName }} | {{ .RCValue }} |
+
+## Environmental Metrics
+
+- {{ .SeverityName }}: {{ .SeverityValue }} ({{ .EnvironmentalScore }})
+
+| {{ .EnvironmentalMetrics }} | {{ .EnvironmentalMetricValue }} |
+|--------|-------|
+| {{ .CRName }} | {{ .CRValue }} |
+| {{ .IRName }} | {{ .IRValue }} |
+| {{ .ARName }} | {{ .ARValue }} |
+| {{ .MAVName }} | {{ .MAVValue }} |
+| {{ .MACName }} | {{ .MACValue }} |
+| {{ .MPRName }} | {{ .MPRValue }} |
+| {{ .MUIName }} | {{ .MUIValue }} |
+| {{ .MSName }}  | {{ .MSValue }} |
+| {{ .MCName }}  | {{ .MCValue }} |
+| {{ .MIName }}  | {{ .MIValue }} |
+| {{ .MAName }}  | {{ .MAValue }} |
 `
 
 func main() {
-	tm, err := metric.NewTemporal().Decode("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:W/RC:R") //CVE-2020-1472: ZeroLogon
+	em, err := metric.NewEnvironmental().Decode("CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:M/IR:H/AR:M/MAV:L/MAC:H/MPR:L/MUI:R/MS:U/MC:L/MI:H/MA:L") //Random CVSS Vector
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		return
 	}
-	r, err := report.NewTemporal(tm).ExportWith(strings.NewReader(template))
+	r, err := report.NewEnvironmental(em).ExportWith(strings.NewReader(template))
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		return
@@ -56,33 +77,51 @@ func main() {
 	}
 	// Output:
 	// - CVSS Version 3.1
-	// - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:W/RC:R
+	// - Vector: CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/CR:M/IR:H/AR:M/MAV:L/MAC:H/MPR:L/MUI:R/MS:U/MC:L/MI:H/MA:L
 	//
 	// ## Base Metrics
 	//
-	// - Base Score: 10
+	// - Base Score: 6.1
 	//
 	// | Base Metrics | Metric Value |
 	// |--------|-------|
-	// | Attack Vector | Network |
-	// | Attack Complexity | Low |
-	// | Privileges Required | None |
+	// | Attack Vector | Physical |
+	// | Attack Complexity | High |
+	// | Privileges Required | High |
 	// | User Interaction | None |
-	// | Scope | Changed |
+	// | Scope | Unchanged |
 	// | Confidentiality Impact | High |
 	// | Integrity Impact | High |
 	// | Availability Impact | High |
 	//
 	// ## Temporal Metrics
 	//
-	// - Temporal Score: 9.1
-	// - Severity: Critical
+	// - Temporal Score: 6
+	// - Severity: Medium
 	//
 	// | Temporal Metrics | Metric Value |
 	// |--------|-------|
 	// | Exploit Code Maturity | Functional |
-	// | Remediation Level | Workaround |
-	// | Report Confidence | Reasonable |
+	// | Remediation Level | Unavailable |
+	// | Report Confidence | Confirmed |
+	//
+	// ## Environmental Metrics
+	//
+	// - Severity: Medium (6.5)
+	//
+	// | Environmental Metrics | Metric Value |
+	// |--------|-------|
+	// | Confidentiality Requirement | Medium |
+	// | Integrity Requirement | High |
+	// | Availability Requirement | Medium |
+	// | Modified Attack Vector | Local |
+	// | Modified Attack Complexity | High |
+	// | Modified Privileges Required | Low |
+	// | Modified User Interaction | Required |
+	// | Modified Scope  | Unchanged |
+	// | Modified Confidentiality Impact  | Low |
+	// | Modified Integrity Impact  | High |
+	// | Modified Availability Impact  | Low |
 }
 
 /* Copyright 2018-2020 Spiegel

sample/temporal/sample.go

@@ -1,3 +1,6 @@
+//go:build run
+// +build run
+
 package main
 
 import (

v3/base/metric-ar.go

@@ -58,17 +58,4 @@ func (ar AvailabilityRequirement) IsDefined() bool {
 	return ar != AvailabilityRequirementNotDefined
 }
 
-/* Copyright 2018 Spiegel
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * 	http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+/* Copyright 2022 thejohnbrown */

v3/base/metric-cr.go

@@ -58,17 +58,4 @@ func (cr ConfidentialityRequirement) IsDefined() bool {
 	return cr != ConfidentialityRequirementNotDefined
 }
 
-/* Copyright 2018 Spiegel
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * 	http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+/* Copyright 2022 thejohnbrown */

v3/base/metric-ir.go

@@ -58,17 +58,4 @@ func (ir IntegrityRequirement) IsDefined() bool {
 	return ir != IntegrityRequirementNotDefined
 }
 
-/* Copyright 2018 Spiegel
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * 	http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+/* Copyright 2022 thejohnbrown */

v3/base/metric-ma.go

@@ -57,17 +57,4 @@ func (mai ModifiedAvailabilityImpact) IsDefined() bool {
 	return mai != ModifiedAvailabilityImpactNotDefined
 }
 
-/* Copyright 2018 Spiegel
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * 	http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+/* Copyright 2022 thejohnbrown */

v3/base/metric-mac.go

@@ -54,17 +54,4 @@ func (mac ModifiedAttackComplexity) IsDefined() bool {
 	return mac != ModifiedAttackComplexityNotDefined
 }
 
-/* Copyright 2018 Spiegel
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * 	http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+/* Copyright 2022 thejohnbrown */

v3/base/metric-mav.go

@@ -61,17 +61,4 @@ func (mav ModifiedAttackVector) IsDefined() bool {
 	return mav != ModifiedAttackVectorNotDefined
 }
 
-/* Copyright 2018 Spiegel
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * 	http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+/* Copyright 2022 thejohnbrown */