add support for calculating CVSS score from the CVSS vector

ziadhany · ziadhany · commit 4d3ae9380121 · 2022-05-21T14:10:29.000+02:00
Reference: #713 Signed-off-by: Ziad <ziadhany2016@gmail.com>
diff --git a/requirements.txt b/requirements.txt
@@ -113,4 +113,5 @@ wcwidth==0.2.5
 websocket-client==0.59.0
 yarl==1.7.2
 zipp==3.8.0
-dateparser==1.1.1
+dateparser==1.1.1
+cvss==2.4
diff --git a/setup.cfg b/setup.cfg
@@ -76,6 +76,7 @@ install_requires =
     defusedxml>=0.7.1
     Markdown>=3.3.0
     dateparser>=1.1.1
+    cvss>=2.4
 
     # networking
     GitPython>=3.1.17
diff --git a/vulnerabilities/severity_systems.py b/vulnerabilities/severity_systems.py
@@ -21,6 +21,10 @@
 #  Visit https://github.com/nexB/vulnerablecode/ for support and download.
 
 import dataclasses
+from decimal import Decimal
+
+from cvss import CVSS2
+from cvss import CVSS3
 
 """
 Vulnerability scoring systems define scales, values and approach to score a
@@ -30,7 +34,6 @@
 
 @dataclasses.dataclass(order=True)
 class ScoringSystem:
-
     # a short identifier for the scoring system.
     identifier: str
     # a name which represents the scoring system such as `RedHat bug severity`.
@@ -41,13 +44,20 @@ class ScoringSystem:
     # notes about that scoring system
     notes: str = ""
 
-    def as_score(self, value):
+    def as_score(self, value) -> Decimal:
         """
         Return a normalized numeric score for this scoring system  given a raw
         value. For instance this can be used to convert a CVSS vector to a base
         score.
         """
-        raise NotImplementedError
+        if self.identifier == "cvssv2_vector":
+            c = CVSS2(value)
+            return c.base_score
+        elif self.identifier in ["cvssv3_vector", "cvssv3.1_vector"]:
+            c = CVSS3(value)
+            return c.base_score
+        else:
+            raise NotImplementedError
 
 
 CVSSV2 = ScoringSystem(
