go-cvss

module v0.4.2
Published: Sep 23, 2022 License: MIT

README

Go-CVSS


Go-CVSS is a low-allocation Go module made to parse, manipulate and score Common Vulnerability Scoring System (CVSS) vectors.

Specified by first.org, the CVSS provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

It currently supports:
  • CVSS v2.0
  • CVSS v3.0
  • CVSS v3.1

It won't support CVSS v1.0: although it was a good start for CVSS, it cannot be expressed as a vector, and its abbreviations and enumerations are not strongly specified, so cohesion and interoperability cannot be guaranteed.


How to use

The following code gives an example of how to use this Go module.

It parses a CVSS v3.1 vector, computes its base score and looks up the associated rating. It ends by printing the score followed by its rating, as it is often displayed.

package main

import (
	"fmt"
	"log"

	gocvss31 "github.com/pandatix/go-cvss/31"
)

func main() {
	cvss31, err := gocvss31.ParseVector("CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N")
	if err != nil {
		log.Fatal(err)
	}
	baseScore := cvss31.BaseScore()
	rat, err := gocvss31.Rating(baseScore)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%.1f %s\n", baseScore, rat)
	// Prints "5.4 MEDIUM"
}
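To check the "5.4 MEDIUM" result above independently of the library, here is an added stand-alone program (not part of go-cvss, and not using its API) that reimplements the CVSS v3.1 base-score formula, the qualitative rating table and the integer-based Roundup function from the FIRST v3.1 specification. The metric weights, the vector layout and the rejection of temporal/environmental metrics follow the specification; the function names BaseScore, Rating and Roundup are this example's own.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Metric weights from the CVSS v3.1 specification, section 7.4.
var (
	avW  = map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
	acW  = map[string]float64{"L": 0.77, "H": 0.44}
	uiW  = map[string]float64{"N": 0.85, "R": 0.62}
	ciaW = map[string]float64{"H": 0.56, "L": 0.22, "N": 0}
	// Privileges Required depends on Scope: index 0 for S:U, index 1 for S:C.
	prW = map[string][2]float64{"N": {0.85, 0.85}, "L": {0.62, 0.68}, "H": {0.27, 0.5}}
)

// Roundup is the CVSS v3.1 Roundup function (Appendix A). It works on an
// integer scaled by 100000 so that floating-point noise such as 4.000001 is
// not rounded up to 4.1, which the v3.0 wording allowed.
func Roundup(x float64) float64 {
	i := int(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return (math.Floor(float64(i)/10000) + 1) / 10
}

// Rating maps a score to its qualitative severity (section 5).
func Rating(score float64) (string, error) {
	switch {
	case score < 0 || score > 10:
		return "", fmt.Errorf("score %v out of range [0,10]", score)
	case score == 0:
		return "NONE", nil
	case score < 4:
		return "LOW", nil
	case score < 7:
		return "MEDIUM", nil
	case score < 9:
		return "HIGH", nil
	default:
		return "CRITICAL", nil
	}
}

// BaseScore parses a CVSS v3.1 base vector and computes its base score
// (section 7.1). Vectors carrying extra (temporal/environmental) metrics,
// duplicated metrics or unknown values are rejected.
func BaseScore(vector string) (float64, error) {
	parts := strings.Split(vector, "/")
	if len(parts) != 9 || parts[0] != "CVSS:3.1" {
		return 0, fmt.Errorf("expected a CVSS:3.1 base vector with 8 metrics, got %q", vector)
	}
	m := make(map[string]string, 8)
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 {
			return 0, fmt.Errorf("malformed metric %q", p)
		}
		if _, dup := m[kv[0]]; dup {
			return 0, fmt.Errorf("duplicate metric %q", kv[0])
		}
		m[kv[0]] = kv[1]
	}
	var firstErr error
	w := func(name string, table map[string]float64) float64 {
		v, ok := table[m[name]]
		if !ok && firstErr == nil {
			firstErr = fmt.Errorf("missing or invalid value for %s: %q", name, m[name])
		}
		return v
	}
	av, ac, ui := w("AV", avW), w("AC", acW), w("UI", uiW)
	c, i, a := w("C", ciaW), w("I", ciaW), w("A", ciaW)
	scope := m["S"]
	if scope != "U" && scope != "C" {
		return 0, fmt.Errorf("missing or invalid value for S: %q", scope)
	}
	pr, ok := prW[m["PR"]]
	if !ok {
		return 0, fmt.Errorf("missing or invalid value for PR: %q", m["PR"])
	}
	if firstErr != nil {
		return 0, firstErr
	}
	// Impact Sub-Score, then Impact and Exploitability per section 7.1.
	iss := 1 - (1-c)*(1-i)*(1-a)
	impact := 6.42 * iss
	if scope == "C" {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	exploitability := 8.22 * av * ac * pr[map[string]int{"U": 0, "C": 1}[scope]] * ui
	if impact <= 0 {
		return 0, nil
	}
	if scope == "U" {
		return Roundup(math.Min(impact+exploitability, 10)), nil
	}
	return Roundup(math.Min(1.08*(impact+exploitability), 10)), nil
}

func main() {
	// Same constructed vector as the README example above.
	score, err := BaseScore("CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N")
	if err != nil {
		panic(err)
	}
	rat, _ := Rating(score)
	fmt.Printf("%.1f %s\n", score, rat)
}
```

Running it prints the same "5.4 MEDIUM" as the library. The Roundup function is the part worth comparing with an implementation: the v3.1 text deliberately moved it to integer arithmetic because a naive `ceil(x*10)/10` turns a value like 4.000001 (produced by floating-point error) into 4.1.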

A word on performance

We are aware that manipulating a CVSS object is not where the value of your business lies. This is why we paid close attention to the performance of this module.

The whole API runs at 0 to 1 allocs/op. This drastically reduces the pressure this module puts on the Garbage Collector, without trading security away (the parsers are fuzzed, which guards against obvious issues such as panics on malformed vectors). It also brings the time and bytes per op down to a really acceptable level.

The following shows the benchmark results. We challenge any other Go implementation to do better 😜

CVSS v2.0
goos: linux
goarch: amd64
pkg: github.com/pandatix/go-cvss/20
cpu: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz
BenchmarkParseVector_Base-4                  1750524           631.0 ns/op       224 B/op          1 allocs/op
BenchmarkParseVector_WithTempAndEnv-4         983698            2216 ns/op       224 B/op          1 allocs/op
BenchmarkCVSS20Vector-4                      6241333           189.2 ns/op        80 B/op          1 allocs/op
BenchmarkCVSS20Get-4                        41707770           38.30 ns/op         0 B/op          0 allocs/op
BenchmarkCVSS20Set-4                        35828242           31.82 ns/op         0 B/op          0 allocs/op
BenchmarkCVSS20BaseScore-4                  15570378           67.29 ns/op         0 B/op          0 allocs/op
BenchmarkCVSS20TemporalScore-4              12213030           92.93 ns/op         0 B/op          0 allocs/op
BenchmarkCVSS20EnvironmentalScore-4         12509287           92.03 ns/op         0 B/op          0 allocs/op
CVSS v3.0
goos: linux
goarch: amd64
pkg: github.com/pandatix/go-cvss/30
cpu: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz
BenchmarkParseVector_Base-4                  1564752           793.1 ns/op       352 B/op          1 allocs/op
BenchmarkParseVector_WithTempAndEnv-4         763330            1588 ns/op       352 B/op          1 allocs/op
BenchmarkCVSS30Vector-4                      4708683           247.6 ns/op        96 B/op          1 allocs/op
BenchmarkCVSS30Get-4                        23825982           43.71 ns/op         0 B/op          0 allocs/op
BenchmarkCVSS30Set-4                        31735555           37.64 ns/op         0 B/op          0 allocs/op
BenchmarkCVSS30BaseScore-4                   7696878           151.7 ns/op         0 B/op          0 allocs/op
BenchmarkCVSS30TemporalScore-4               5761302           200.7 ns/op         0 B/op          0 allocs/op
BenchmarkCVSS30EnvironmentalScore-4          5636908           206.6 ns/op         0 B/op          0 allocs/op
CVSS v3.1
goos: linux
goarch: amd64
pkg: github.com/pandatix/go-cvss/31
cpu: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz
BenchmarkParseVector_Base-4                  1543551           768.7 ns/op       352 B/op          1 allocs/op
BenchmarkParseVector_WithTempAndEnv-4         754154            1614 ns/op       352 B/op          1 allocs/op
BenchmarkCVSS31Vector-4                      4671334           254.7 ns/op        96 B/op          1 allocs/op
BenchmarkCVSS31Get-4                        24025206           43.89 ns/op         0 B/op          0 allocs/op
BenchmarkCVSS31Set-4                        31292902           40.29 ns/op         0 B/op          0 allocs/op
BenchmarkCVSS31BaseScore-4                   7711374           177.9 ns/op         0 B/op          0 allocs/op
BenchmarkCVSS31TemporalScore-4               5245575           234.1 ns/op         0 B/op          0 allocs/op
BenchmarkCVSS31EnvironmentalScore-4          4021914           293.4 ns/op         0 B/op          0 allocs/op

Feedback

CVSS v2.0
  • Section 3.3.1's base vector computes to a base score of 7.8, while the text documents it as 6.4.
  • round_to_1_decimal should have been specified, so that it does not have to be guessed and adjusted to fit the precomputed scores. It is not even the CVSS v3.1 Roundup specification.
CVSS v3.0
  • Formulas are pretty, but hard to read as the variables do not use the specified abbreviations.
  • There is a lack of examples, unlike the CVSS v2.0 specification.
CVSS v3.1
  • There is a lack of examples, unlike the CVSS v2.0 specification.
