protected double MetricScore(Metric metric)
{
var metricAbbreviation = metric.Abbreviation;
if (ExtractedMetrics.ContainsKey(metricAbbreviation) && ExtractedMetrics[metricAbbreviation] == NotDefined)
{
switch (metricAbbreviation)
{
case "MAV":
metricAbbreviation = "AV";
break;
case "MAC":
metricAbbreviation = "AC";
break;
case "MPR":
metricAbbreviation = "PR";
break;
case "MUI":
metricAbbreviation = "UI";
break;
case "MS":
metricAbbreviation = "S";
break;
case "MC":
metricAbbreviation = "C";
break;
case "MI":
metricAbbreviation = "I";
break;
case "MA":
metricAbbreviation = "A";
break;
}
}
if (ExtractedMetrics.ContainsKey(metricAbbreviation))
{
return(metric.Values.Single(item => item.Abbreviation == ExtractedMetrics[metricAbbreviation]).Score);
}
else
{
return(metric.Values.Single(item => item.Abbreviation == NotDefined).Score);
}
}
internal override double Score()
{
//If (Modified Impact Sub score =< 0) 0 else,
//If Modified Scope Unchanged Round up(Round up (Minimum [
// (M.Impact + M.Exploitability), 10])
// × Exploit Code Maturity
// × Remediation Level
// × Report Confidence)
//If Modified Scope Changed Round up(Round up (Minimum [1.08
// × (M.Impact + M.Exploitability), 10])
// × Exploit Code Maturity
// × Remediation Level
// × Report Confidence)
//And the modified Impact sub score is defined as,
//If Modified Scope Unchanged 6.42 × [ISCModified]
//If Modified Scope Changed 7.52 × [ISCModified−0.029] - 3.25 × [ISCModified−0.02]15
//Where,
//ISCModified = Minimum[[1−(1−M.IConf × CR)×(1−M.IInteg × IR)×(1−M.IAvail × AR)],0.915]
//The Modified Exploitability sub score is,
//8.22 × M.AttackVector × M.AttackComplexity × M.PrivilegeRequired × M.UserInteraction
if (!ExtractedMetrics.ContainsKey("MS"))
{
return(TemporalMetric.Score());
}
var modifiedPrivilegesRequired = MetricScore(Metrics.ModifiedPrivilegesRequired);
if (IsModifiedScopeChanged())
{
if (MetricScore(Metrics.ModifiedPrivilegesRequired) == 0.62)
{
modifiedPrivilegesRequired = 0.68;
}
if (MetricScore(Metrics.ModifiedPrivilegesRequired) == 0.27)
{
modifiedPrivilegesRequired = 0.50;
}
}
var exploitability = 8.22 * MetricScore(Metrics.ModifiedAttackVector) * MetricScore(Metrics.ModifiedAttackComplexity) * modifiedPrivilegesRequired * MetricScore(Metrics.ModifiedUserInteraction);
var iscModified = Math.Min(1 - (
(1 - MetricScore(Metrics.ModifiedConfidentialityImpact) * MetricScore(Metrics.ConfidentialityRequirement)) *
(1 - MetricScore(Metrics.ModifiedIntegrityImpact) * MetricScore(Metrics.IntegrityRequirement)) *
(1 - MetricScore(Metrics.ModifiedAvailabilityImpact) * MetricScore(Metrics.AvailabilityRequirement))
), 0.915);
var modifiedImpact = 0.0;
if (IsModifiedScopeChanged())
{
modifiedImpact = 7.52 * (iscModified - 0.029) - 3.25 * Math.Pow(iscModified * 0.9731 - 0.02, 13);
}
else
{
modifiedImpact = 6.42 * iscModified;
}
if (modifiedImpact <= 0)
{
return(0.0);
}
else if (IsModifiedScopeChanged())
{
return((Math.Min(10, 1.08 * (modifiedImpact + exploitability)).RoundUp31() * TemporalMetric.ScoreWithoutBase()).RoundUp31());
}
else
{
return((Math.Min(10, modifiedImpact + exploitability).RoundUp31() * TemporalMetric.ScoreWithoutBase()).RoundUp31());
}
}
