/// <summary>
/// Renders the metric values as a single vector string: <c>VectorPrefix</c> followed by
/// one <c>/KEY:VALUE</c> segment per metric.
/// </summary>
/// <param name="addEmptyValues">
/// When <c>true</c>, every optional metric that has no value is still written, using
/// <c>X</c> as its value; when <c>false</c>, such metrics are left out of the string.
/// </param>
/// <returns>The assembled vector string.</returns>
private string BuildNormalizedVector(bool addEmptyValues)
{
    // The eight base metrics are always present and are written in this fixed order.
    var segments = new List<string>();
    segments.Add($"AV:{AttackVector.StringValue()}");
    segments.Add($"AC:{AttackComplexity.StringValue()}");
    segments.Add($"PR:{PrivilegesRequired.StringValue()}");
    segments.Add($"UI:{UserInteraction.StringValue()}");
    segments.Add($"S:{Scope.StringValue()}");
    segments.Add($"C:{ConfidentialityImpact.StringValue()}");
    segments.Add($"I:{IntegrityImpact.StringValue()}");
    segments.Add($"A:{AvailabilityImpact.StringValue()}");

    // Optional metrics: a null or empty abbreviation means "no value set".
    void AppendOptional(string key, string value)
    {
        if (!string.IsNullOrEmpty(value))
        {
            segments.Add($"{key}:{value}");
            return;
        }

        if (addEmptyValues)
        {
            segments.Add($"{key}:X");
        }
    }

    // Temporal metrics.
    AppendOptional("E", ExploitCodeMaturity?.StringValue());
    AppendOptional("RL", RemediationLevel?.StringValue());
    AppendOptional("RC", ReportConfidence?.StringValue());

    // Environmental requirements.
    AppendOptional("CR", ConfidentialityRequirement?.StringValue());
    AppendOptional("IR", IntegrityRequirement?.StringValue());
    AppendOptional("AR", AvailabilityRequirement?.StringValue());

    // Environmental overrides of the base metrics.
    AppendOptional("MAV", ModifiedAttackVector?.StringValue());
    AppendOptional("MAC", ModifiedAttackComplexity?.StringValue());
    AppendOptional("MPR", ModifiedPrivilegesRequired?.StringValue());
    AppendOptional("MUI", ModifiedUserInteraction?.StringValue());
    AppendOptional("MS", ModifiedScope?.StringValue());
    AppendOptional("MC", ModifiedConfidentialityImpact?.StringValue());
    AppendOptional("MI", ModifiedIntegrityImpact?.StringValue());
    AppendOptional("MA", ModifiedAvailabilityImpact?.StringValue());

    var vector = new StringBuilder();
    vector.Append(VectorPrefix);
    for (var index = 0; index < segments.Count; index++)
    {
        vector.Append('/').Append(segments[index]);
    }

    return vector.ToString();
}
/// <summary>
/// Maps an <see cref="ExploitCodeMaturity"/> value to its one-letter abbreviation.
/// </summary>
/// <param name="exploitCodeMaturity">The value to abbreviate.</param>
/// <returns><c>H</c>, <c>F</c>, <c>P</c> or <c>U</c>.</returns>
/// <exception cref="ArgumentOutOfRangeException">
/// The value is not one of the four members handled here (for example an integer cast
/// to the enum type).
/// </exception>
public static string StringValue(this ExploitCodeMaturity exploitCodeMaturity)
{
    if (exploitCodeMaturity == ExploitCodeMaturity.High)
    {
        return "H";
    }

    if (exploitCodeMaturity == ExploitCodeMaturity.Functional)
    {
        return "F";
    }

    if (exploitCodeMaturity == ExploitCodeMaturity.ProofOfConcept)
    {
        return "P";
    }

    if (exploitCodeMaturity == ExploitCodeMaturity.Unproven)
    {
        return "U";
    }

    // Anything else is rejected rather than rendered, so an unknown value can never
    // end up in an output string.
    throw new ArgumentOutOfRangeException(nameof(exploitCodeMaturity), exploitCodeMaturity, null);
}
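/// <summary>
/// Recomputes <c>BaseScore</c>, <c>TemporalScore</c> and <c>EnvironmentalScore</c> from
/// the current metric properties and stores the results in those properties.
/// </summary>
/// <exception cref="ArgumentOutOfRangeException">
/// The scope used for a calculation is neither <c>Scope.Unchanged</c> nor
/// <c>Scope.Changed</c>.
/// </exception>
internal void CalculateScores()
{
    // Impact sub-score for the given scope.
    double ImpactSubScore(Scope scope, double subScore)
    {
        switch (scope)
        {
            case Scope.Unchanged:
                return 6.42 * subScore;
            case Scope.Changed:
                return 7.52 * (subScore - 0.029) - 3.25 * Math.Pow(subScore - 0.02, 15);
            default:
                // Report the value that was actually rejected. The scope passed in may be
                // ModifiedScope, so quoting the Scope property here would be misleading.
                throw new ArgumentOutOfRangeException(nameof(scope), scope, "Invalid scope");
        }
    }

    // Combines impact and exploitability into a score capped at 10 and rounded up to one
    // decimal. A non-positive impact always yields 0.
    double Score(Scope scope, double impactSub, double exploitSub)
    {
        if (impactSub <= 0)
        {
            return 0;
        }

        switch (scope)
        {
            case Scope.Unchanged:
                return Math.Min(impactSub + exploitSub, 10).RoundUp(1);
            case Scope.Changed:
                return Math.Min(1.08 * (impactSub + exploitSub), 10).RoundUp(1);
            default:
                throw new ArgumentOutOfRangeException(nameof(scope), scope, "Invalid scope");
        }
    }

    // Applies the three temporal multipliers to an already rounded score.
    double TempScore(double baseScore)
    {
        return (baseScore
                * ExploitCodeMaturity.NumericValue()
                * RemediationLevel.NumericValue()
                * ReportConfidence.NumericValue()).RoundUp(1);
    }

    // Base
    var impactSubScoreBase = 1 - (1 - ConfidentialityImpact.NumericValue())
                             * (1 - IntegrityImpact.NumericValue())
                             * (1 - AvailabilityImpact.NumericValue());
    var impactSubScore = ImpactSubScore(Scope, impactSubScoreBase);
    var exploitabilitySubScore = 8.22
                                 * AttackVector.NumericValue()
                                 * AttackComplexity.NumericValue()
                                 * PrivilegesRequired.NumericValue(Scope)
                                 * UserInteraction.NumericValue();
    BaseScore = Score(Scope, impactSubScore, exploitabilitySubScore);

    // Temporal
    TemporalScore = TempScore(BaseScore);

    // Environmental: every Modified* metric falls back to its base counterpart when unset,
    // and the modified scope falls back to the base scope.
    var effectiveScope = ModifiedScope ?? Scope;

    var impactSubScoreModified = Math.Min(0.915,
        1 - (1 - ModifiedConfidentialityImpact.Modified(ConfidentialityImpact, EnumExtensions.NumericValue)
                 * ConfidentialityRequirement.NumericValue())
          * (1 - ModifiedIntegrityImpact.Modified(IntegrityImpact, EnumExtensions.NumericValue)
                 * IntegrityRequirement.NumericValue())
          * (1 - ModifiedAvailabilityImpact.Modified(AvailabilityImpact, EnumExtensions.NumericValue)
                 * AvailabilityRequirement.NumericValue()));

    // NOTE(review): this reuses the base impact formula, which is the CVSS v3.0 form of
    // the modified impact equation. CVSS v3.1 specifies a different Changed-scope
    // expression for the modified impact. Confirm which version VectorPrefix declares.
    var modifiedImpactSubScore = ImpactSubScore(effectiveScope, impactSubScoreModified);

    var modifiedExploitabilitySubScore = 8.22
                                         * ModifiedAttackVector.Modified(AttackVector, EnumExtensions.NumericValue)
                                         * ModifiedAttackComplexity.Modified(AttackComplexity, EnumExtensions.NumericValue)
                                         * ModifiedPrivilegesRequired.Modified(PrivilegesRequired,
                                             required => required.NumericValue(effectiveScope))
                                         * ModifiedUserInteraction.Modified(UserInteraction, EnumExtensions.NumericValue);

    EnvironmentalScore = TempScore(
        Score(effectiveScope, modifiedImpactSubScore, modifiedExploitabilitySubScore));
}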