Issue
#232
Description of the Change
This PR adds support for CVSS 3.0 Environmental metrics to the CVSS calculator.
The bulk of the changes are purely the addition of a new form and part of the JavaScript to handle it, with the exception of the change to the Finding model, increasing the length of the `cvss_vector` field to fit the new increased vector with additional metrics. The Environmental calculator was added only when editing a finding inside a report as it's supposed to be a more case-by-case metric and not intrinsic to the vulnerability.
Temporal metrics were also omitted due to their smaller relevance for pentest reporting. However, implementation is trivial if required.
One possible future improvement is adding a new field in the Finding model, storing the Base and Environmental scores separately so they can both be laid out in reports.
Alternate Designs
N/A
Possible Drawbacks
The only downside is making the calculator a little more full, another reason the less relevant Temporal metrics were excluded in this change. The calculator can be easily collapsed, however.
Verification Process
The changes are almost purely front-end and very granular so changes were manually tested, scores were compared to the NIST calculator, and new findings were created and edited with and without environmental metrics.
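The Environmental equations such a calculator has to implement, written out as an added example that is not the PR's own code, so scores can be cross-checked against the NIST calculator from a script. It assumes plain CVSS 3.0 vector strings as input and treats Temporal metrics as Not Defined, as the PR does.

```javascript
// Added example (not code from the PR): CVSS v3.0 Environmental score per the
// FIRST v3.0 specification; Temporal metrics treated as Not Defined (weight 1.0).
const W = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  UI: { N: 0.85, R: 0.62 },
  CIA: { H: 0.56, L: 0.22, N: 0 },
  REQ: { H: 1.5, M: 1.0, L: 0.5, X: 1.0 }, // CR / IR / AR security requirements
};
// Privileges Required weighs more when the (modified) scope is Changed.
const prWeight = (pr, s) =>
  ({ N: 0.85, L: s === "C" ? 0.68 : 0.62, H: s === "C" ? 0.5 : 0.27 })[pr];
// v3.0 Roundup: smallest one-decimal value >= x, done on integers (the
// method v3.1 later mandated) so 7.0000000001 does not become 7.1.
function roundUp(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}
// "CVSS:3.0/AV:N/AC:L/..." -> { AV: "N", AC: "L", ... }
function parseVector(vector) {
  const parts = vector.replace(/^CVSS:3\.0\//, "").split("/");
  return Object.fromEntries(parts.map((p) => p.split(":")));
}
// Shared tail of the Base and Environmental equations.
function scoreFrom(iss, exploitability, scope) {
  const impact = scope === "C"
    ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
    : 6.42 * iss;
  if (impact <= 0) return 0;
  const sum = impact + exploitability;
  return roundUp(Math.min(scope === "C" ? 1.08 * sum : sum, 10));
}
function baseScore(vector) {
  const m = parseVector(vector);
  const iss = 1 - (1 - W.CIA[m.C]) * (1 - W.CIA[m.I]) * (1 - W.CIA[m.A]);
  const expl = 8.22 * W.AV[m.AV] * W.AC[m.AC] * prWeight(m.PR, m.S) * W.UI[m.UI];
  return scoreFrom(iss, expl, m.S);
}
function environmentalScore(vector) {
  const m = parseVector(vector);
  // A Modified metric that is absent or "X" falls back to its Base value;
  // CR/IR/AR default to Not Defined (weight 1.0).
  const mod = (k) => (m["M" + k] && m["M" + k] !== "X" ? m["M" + k] : m[k]);
  const req = (k) => W.REQ[m[k] || "X"];
  const miss = Math.min(0.915, 1 - (1 - req("CR") * W.CIA[mod("C")])
    * (1 - req("IR") * W.CIA[mod("I")]) * (1 - req("AR") * W.CIA[mod("A")]));
  const mexpl = 8.22 * W.AV[mod("AV")] * W.AC[mod("AC")]
    * prWeight(mod("PR"), mod("S")) * W.UI[mod("UI")];
  return scoreFrom(miss, mexpl, mod("S"));
}
```

With no Modified metrics or requirements set, the Environmental score reduces to the Base score, which is a quick sanity check for any vector stored in `cvss_vector`.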
Release Notes