Esempio n. 1
0
        private string BuildNormalizedVector(bool addEmptyValues)
        {
            var param = new List <string>
            {
                $"AV:{AttackVector.StringValue()}",
                $"AC:{AttackComplexity.StringValue()}",
                $"PR:{PrivilegesRequired.StringValue()}",
                $"UI:{UserInteraction.StringValue()}",
                $"S:{Scope.StringValue()}",
                $"C:{ConfidentialityImpact.StringValue()}",
                $"I:{IntegrityImpact.StringValue()}",
                $"A:{AvailabilityImpact.StringValue()}"
            };

            void AddConditional(string key, string value)
            {
                if (!string.IsNullOrEmpty(value))
                {
                    param.Add($"{key}:{value}");
                }
                else if (addEmptyValues)
                {
                    param.Add($"{key}:X");
                }
            }

            AddConditional("E", ExploitCodeMaturity?.StringValue());
            AddConditional("RL", RemediationLevel?.StringValue());
            AddConditional("RC", ReportConfidence?.StringValue());

            AddConditional("CR", ConfidentialityRequirement?.StringValue());
            AddConditional("IR", IntegrityRequirement?.StringValue());
            AddConditional("AR", AvailabilityRequirement?.StringValue());
            AddConditional("MAV", ModifiedAttackVector?.StringValue());
            AddConditional("MAC", ModifiedAttackComplexity?.StringValue());
            AddConditional("MPR", ModifiedPrivilegesRequired?.StringValue());
            AddConditional("MUI", ModifiedUserInteraction?.StringValue());
            AddConditional("MS", ModifiedScope?.StringValue());
            AddConditional("MC", ModifiedConfidentialityImpact?.StringValue());
            AddConditional("MI", ModifiedIntegrityImpact?.StringValue());
            AddConditional("MA", ModifiedAvailabilityImpact?.StringValue());

            StringBuilder sb = new StringBuilder();

            sb.Append(VectorPrefix);
            foreach (var current in param)
            {
                sb.Append('/');
                sb.Append(current);
            }
            return(sb.ToString());
        }
Esempio n. 2
0
        public static string StringValue(this ExploitCodeMaturity exploitCodeMaturity)
        {
            switch (exploitCodeMaturity)
            {
            case ExploitCodeMaturity.High: return("H");

            case ExploitCodeMaturity.Functional: return("F");

            case ExploitCodeMaturity.ProofOfConcept: return("P");

            case ExploitCodeMaturity.Unproven: return("U");

            default:
                throw new ArgumentOutOfRangeException(nameof(exploitCodeMaturity), exploitCodeMaturity, null);
            }
        }
Esempio n. 3
0
        internal void CalculateScores()
        {
            double ImpactSubScore(Scope scope, double subScore)
            {
                switch (scope)
                {
                case Scope.Unchanged:
                    return(6.42 * subScore);

                case Scope.Changed:
                    return(7.52 * (subScore - 0.029) - 3.25 * Math.Pow(subScore - 0.02, 15));

                default:
                    throw new ArgumentOutOfRangeException(nameof(Scope), Scope, "Invalid scope");
                }
            }

            double Score(Scope scope, double impactSub, double exploitSub)
            {
                if (impactSub <= 0)
                {
                    return(0);
                }
                switch (scope)
                {
                case Scope.Unchanged:
                    return(Math.Min(impactSub + exploitSub, 10).RoundUp(1));

                case Scope.Changed:
                    return(Math.Min(1.08 * (impactSub + exploitSub), 10).RoundUp(1));

                default:
                    throw new ArgumentOutOfRangeException(nameof(Scope), Scope, "Invalid scope");
                }
            }

            double TempScore(double baseScore)
            {
                return((baseScore * ExploitCodeMaturity.NumericValue() * RemediationLevel.NumericValue() *
                        ReportConfidence.NumericValue()).RoundUp(1));
            }

            var impactSubScoreBase = 1 - (1 - ConfidentialityImpact.NumericValue()) * (1 - IntegrityImpact.NumericValue()) *
                                     (1 - AvailabilityImpact.NumericValue());
            var impactSubScore         = ImpactSubScore(Scope, impactSubScoreBase);
            var exploitabilitySubScore = 8.22 * AttackVector.NumericValue() * AttackComplexity.NumericValue() *
                                         PrivilegesRequired.NumericValue(Scope) * UserInteraction.NumericValue();

            BaseScore = Score(Scope, impactSubScore, exploitabilitySubScore);

            //Temporal
            TemporalScore = TempScore(BaseScore);

            //Environmental
            var impactSubScoreModified = Math.Min(0.915,
                                                  1 - (1 - ModifiedConfidentialityImpact.Modified(ConfidentialityImpact, EnumExtensions.NumericValue) *
                                                       ConfidentialityRequirement.NumericValue()) * (1 - ModifiedIntegrityImpact.Modified(IntegrityImpact,
                                                                                                                                          EnumExtensions
                                                                                                                                          .NumericValue) *
                                                                                                     IntegrityRequirement.NumericValue()) *
                                                  (1 - ModifiedAvailabilityImpact.Modified(AvailabilityImpact, EnumExtensions.NumericValue) *
                                                   AvailabilityRequirement.NumericValue()));
            var modifiedImpactSubScore         = ImpactSubScore(ModifiedScope ?? Scope, impactSubScoreModified);
            var modifiedExploitabilitySubScore =
                8.22 * ModifiedAttackVector.Modified(AttackVector, EnumExtensions.NumericValue) *
                ModifiedAttackComplexity.Modified(AttackComplexity, EnumExtensions.NumericValue) *
                ModifiedPrivilegesRequired.Modified(PrivilegesRequired, required => required.NumericValue(ModifiedScope ?? Scope)) *
                ModifiedUserInteraction.Modified(UserInteraction, EnumExtensions.NumericValue);

            EnvironmentalScore = TempScore(
                Score(ModifiedScope ?? Scope, modifiedImpactSubScore, modifiedExploitabilitySubScore));
        }