add support for calculating CVSS

ziadhany · ziadhany · commit 171c83176da5 · 2022-09-12T16:54:57.000+02:00
Signed-off-by: ziadhany &lt;ziadhany2016@gmail.com&gt;
diff --git a/setup.cfg b/setup.cfg
@@ -78,6 +78,7 @@ install_requires =
     defusedxml>=0.7.1
     Markdown>=3.3.0
     dateparser>=1.1.1
+    cvss>=2.4
 
     # networking
     GitPython>=3.1.17
diff --git a/vulnerabilities/migrations/0028_vulnerabilityseverity_scoring_elements_and_more.py b/vulnerabilities/migrations/0028_vulnerabilityseverity_scoring_elements_and_more.py
@@ -0,0 +1,23 @@
+# Generated by Django 4.0.7 on 2022-09-12 14:50
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('vulnerabilities', '0027_alter_vulnerabilityreference_url'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='vulnerabilityseverity',
+            name='scoring_elements',
+            field=models.CharField(help_text='Supporting a scoring elements as a string For example a CVSS vector Important, High, Medium ,Low.Typically used to compute the value', max_length=100, null=True),
+        ),
+        migrations.AlterField(
+            model_name='vulnerabilityseverity',
+            name='value',
+            field=models.CharField(help_text='Score Value expressed as a number such as 9.0 that can be sorted or compared', max_length=50),
+        ),
+    ]
diff --git a/vulnerabilities/models.py b/vulnerabilities/models.py
@@ -278,7 +278,6 @@ def get_absolute_url(self):
 
 
 class PackageRelatedVulnerability(models.Model):
-
     # TODO: Fix related_name
     package = models.ForeignKey(
         Package,
@@ -351,7 +350,6 @@ def update_or_create(self):
 
 
 class VulnerabilitySeverity(models.Model):
-
     reference = models.ForeignKey(VulnerabilityReference, on_delete=models.CASCADE)
 
     scoring_system_choices = tuple(
@@ -369,7 +367,27 @@ class VulnerabilitySeverity(models.Model):
         ),
     )
 
-    value = models.CharField(max_length=50, help_text="Example: 9.0, Important, High")
+    value = models.CharField(
+        max_length=50,
+        help_text="Score Value expressed as a number such as 9.0 that can be sorted or compared",
+    )
+
+    scoring_elements = models.CharField(
+        max_length=100,
+        null=True,
+        help_text="Supporting a scoring elements as a string "
+        "For example a CVSS vector Important, High, Medium ,Low."
+        "Typically used to compute the value",
+    )
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        if not self.value and self.scoring_elements:
+            try:
+                self.value = SCORING_SYSTEMS[self.scoring_system].as_score(self.value)
+                super().save(update_fields=["value"])
+            except NotImplementedError:
+                pass
 
     class Meta:
         unique_together = ["reference", "scoring_system", "value"]
diff --git a/vulnerabilities/severity_systems.py b/vulnerabilities/severity_systems.py
@@ -8,6 +8,10 @@
 #
 
 import dataclasses
+from decimal import Decimal
+
+from cvss import CVSS2
+from cvss import CVSS3
 
 """
 Vulnerability scoring systems define scales, values and approach to score a
@@ -17,7 +21,6 @@
 
 @dataclasses.dataclass(order=True)
 class ScoringSystem:
-
     # a short identifier for the scoring system.
     identifier: str
     # a name which represents the scoring system such as `RedHat bug severity`.
@@ -28,13 +31,28 @@ class ScoringSystem:
     # notes about that scoring system
     notes: str = ""
 
-    def as_score(self, value):
+    def as_score(self, value) -> Decimal:
         """
         Return a normalized numeric score for this scoring system  given a raw
         value. For instance this can be used to convert a CVSS vector to a base
         score.
+
+        >>> SCORING_SYSTEMS["cvssv2_vector"].as_score("AV:L/AC:L/Au:M/C:N/I:P/A:C/E:U/RL:W/RC:ND/CDP:L/TD:H/CR:ND/IR:ND/AR:M")
+        Decimal('5.0')
+        >>> SCORING_SYSTEMS["cvssv3_vector"].as_score('CVSS:3.0/S:C/C:H/I:H/A:N/AV:P/AC:H/PR:H/UI:R/E:H/RL:O/RC:R/CR:H/IR:X/AR:X/MAC:H/MPR:X/MUI:X/MC:L/MA:X')
+        Decimal('6.5')
+        >>> SCORING_SYSTEMS["cvssv3.1_vector"].as_score("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H")
+        Decimal('8.6')
         """
-        raise NotImplementedError
+
+        if self.identifier == "cvssv2_vector":
+            c = CVSS2(value)
+            return c.base_score
+        elif self.identifier in ["cvssv3_vector", "cvssv3.1_vector"]:
+            c = CVSS3(value)
+            return c.base_score
+        else:
+            raise NotImplementedError
 
 
 CVSSV2 = ScoringSystem(
