Merge pull request #266 from thesp0nge/issue_259

* Issue #259: cvss rubygem was 10 years old and only used in dawnscan…

Changelog.md

@@ -7,8 +7,15 @@ frameworks.
 
 _latest update: Mon 17 Apr 2023, 18:07:04, CEST_
 
+
+## Version 2.3.0 (2023-xx-xx)
+
 * Fixed issue #257. Now the knowledge base is searched in three different
   locations, $HOME, /usr/share and /usr/local/share
+* Issue #259: cvss rubygem was 10 years old and only used in dawnscanner. Being
+  a separate gem, requires more effort in creating pacakges for distributions.
+  It makes sense to integrate cvss gem within the project.
+
 
 ## Version 2.2.0 (2023-04-17)
 

dawnscanner.gemspec

@@ -17,7 +17,8 @@ Gem::Specification.new do |gem|
 
   gem.required_ruby_version = '>= 3.0.0'
 
-  gem.add_dependency 'cvss'
+  # Issue #259
+  # gem.add_dependency 'cvss'
   gem.add_dependency 'haml'
   gem.add_dependency 'ruby_parser'
   gem.add_dependency 'sys-uname'

lib/cvss/cvss.rb

@@ -0,0 +1,52 @@
+require 'cvss/parser'
+require 'cvss/helpers'
+
+module Cvss
+  class Engine
+    include Cvss::Parser
+    include Cvss::Helpers
+
+    def score(vector)
+      # AV
+      #   L = 0.395
+      #   A = 0.646
+      #   N = 1
+      # AC
+      #   H = 0.35
+      #   M = 0.61
+      #   L = 0.71
+      # AU
+      #   M = 0.45
+      #   S = 0.56
+      #   N = 0.704
+      # C
+      #   N = 0
+      #   P = 0.275
+      #   C = 0.660
+      # I
+      #   N = 0
+      #   P = 0.275
+      #   C = 0.660
+      # A
+      #   N = 0
+      #   P = 0.275
+      #   C = 0.660
+      return -1 unless parse(vector)
+      av = {:L => 0.395, :A=> 0.646, :N=>1}
+      ac = {:H => 0.35, :M=>0.61, :L=>0.71}
+      au = {:M=>0.45, :S=>0.56, :N=>0.704 }
+
+      exploitability = 20 * av[@base[:av].to_sym] * ac[@base[:ac].to_sym] * au[@base[:au].to_sym]
+      c = {:N=>0, :P=>0.275, :C=>0.660}
+      i = {:N=>0, :P=>0.275, :C=>0.660}
+      a = {:N=>0, :P=>0.275, :C=>0.660}
+
+      impact = 10.41 * (1 - (1-c[@base[:c].to_sym]) * (1-i[@base[:i].to_sym]) * (1-a[@base[:a].to_sym]))
+      f = 0
+      f = 1.176 unless impact == 0
+
+      (((0.6 * impact) + (0.4*exploitability) - 1.5) * f).round(1)
+
+    end
+  end
+end

lib/cvss/helpers.rb

@@ -0,0 +1,13 @@
+module Cvss
+  module Helpers
+    def data_integrity
+      @base[:i]
+    end
+    def data_confidentiality
+      @base[:c]
+    end
+    def data_availability
+      @base[:a]
+    end
+  end
+end

lib/cvss/parser.rb

@@ -0,0 +1,44 @@
+module Cvss
+  module Parser
+
+    attr_reader :base
+
+    # It parses a string and it says if it's a good CVSS vector or not.
+    def parse(string)
+      @base = {}
+
+      toks = string.split("/")
+      return parse_base(toks)
+    end
+
+
+    private
+    # AV:N/AC:L/Au:N/C:N/I:N/A:C
+    def parse_base(tokens)
+      return false if tokens.count != 6
+      av = tokens[0].split(":")
+      return false if av.count != 2 or av[0] != "AV" or (av[1] != "N" and av[1] != "L" and av[1] != "A")
+
+      ac = tokens[1].split(":")
+      return false if ac.count != 2 or ac[0] != "AC" or (ac[1] != "H" and ac[1] != "M" and ac[1] != "L")
+      au = tokens[2].split(":")
+
+      return false if au.count != 2 or au[0] != "Au" or (au[1] != "M" and au[1] != "S" and au[1] != "N")
+
+      c = tokens[3].split(":")
+      return false if c.count != 2 or c[0] != "C" or (c[1] != "P" and c[1] != "C" and c[1] != "N")
+
+      i = tokens[4].split(":")
+      return false if i.count != 2 or i[0] != "I" or (i[1] != "P" and i[1] != "C" and i[1] != "N")
+
+      a = tokens[5].split(":")
+      return false if a.count != 2 or a[0] != "A" or (a[1] != "P" and a[1] != "C" and a[1] != "N")
+
+
+
+
+      @base = {:av=>av[1], :ac=>ac[1], :au=>au[1], :c=>c[1], :i=>i[1], :a=>a[1]}
+      true
+    end
+  end
+end

lib/dawn/kb/basic_check.rb

@@ -1,4 +1,4 @@
-require 'cvss'
+require 'cvss/cvss'
 
 module Dawn
   module Kb