
     1  package cvss
     2  
     3  import (
     4  	"fmt"
     5  
     6  	v2_metric "github.com/goark/go-cvss/v2/metric"
     7  	v3_metric "github.com/goark/go-cvss/v3/metric"
     8  )
     9  
// CvssVersion names the CVSS specification a vector string follows.
// The string values match the OSV severity "type" field so they can be
// passed straight through from an OSV advisory.
type CvssVersion string

// As per OSV schema
// https://ossf.github.io/osv-schema/#severitytype-field
const (
	CVSS_V2 CvssVersion = "CVSS_V2"
	CVSS_V3 CvssVersion = "CVSS_V3"
	// CVSS_V4 is declared for schema completeness only; NewCvssBaseString
	// in this file has no v4 decoder and reports it as unsupported.
	CVSS_V4 CvssVersion = "CVSS_V4"
)
    19  
// CvssRisk is the qualitative severity rating derived from a CVSS base score.
// It is a normalised, version-independent scale so that callers do not need
// to know whether a finding was scored with v2 or v3.
type CvssRisk string

// Qualitative Severity Ratings
// https://nvd.nist.gov/vuln-metrics/cvss
const (
	// Introduced in v3
	CRITICAL CvssRisk = "CRITICAL"

	// Present in both v3 and v2
	HIGH   CvssRisk = "HIGH"
	MEDIUM CvssRisk = "MEDIUM"
	LOW    CvssRisk = "LOW"
	// NONE is also what the decoders in this file return for any rating
	// they do not recognise, so it should not be read as "verified harmless".
	NONE CvssRisk = "NONE"
)
    34  
// This is the API. Everything else should be hidden
// within the package
//
// CVSS is a decoded CVSS base vector. Obtain one via NewCvssBaseString.
type CVSS interface {
	// Severity returns the qualitative rating for the decoded base metrics
	// on the package's version-independent CvssRisk scale.
	Severity() CvssRisk
}
    40  
// Implementation for V2
//
// cvssV2 wraps a decoded v2 base-metric group. Only base metrics are held;
// temporal and environmental metrics are not decoded by this package.
type cvssV2 struct {
	base *v2_metric.Base // always non-nil when built through newBaseCvssV2
}
    45  
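// newBaseCvssV2 decodes a CVSS v2 base vector string into a CVSS.
//
// base is the raw vector as received from an advisory; it is treated as
// untrusted input and is only ever parsed, never interpreted further.
// On a decode failure the returned error wraps the library error (so
// errors.Is/As still work) and quotes the offending vector with %q so
// that control characters in a malformed vector cannot mangle logs.
func newBaseCvssV2(base string) (CVSS, error) {
	bm, err := v2_metric.NewBase().Decode(base)
	if err != nil {
		return nil, fmt.Errorf("decoding CVSS v2 base vector %q: %w", base, err)
	}

	return &cvssV2{
		base: bm,
	}, nil
}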
    56  
// Severity maps the decoded v2 base rating onto CvssRisk.
//
// v2 has no CRITICAL band, so HIGH is the strongest rating this method can
// return. Any rating other than High/Medium/Low — including values this
// package does not recognise — is reported as NONE.
func (c *cvssV2) Severity() CvssRisk {
	rating := c.base.Severity()

	switch {
	case rating == v2_metric.SeverityHigh:
		return HIGH
	case rating == v2_metric.SeverityMedium:
		return MEDIUM
	case rating == v2_metric.SeverityLow:
		return LOW
	}

	return NONE
}
    70  
// Implementation for V3
//
// cvssV3 wraps a decoded v3 base-metric group. Only base metrics are held;
// temporal and environmental metrics are not decoded by this package.
type cvssV3 struct {
	base *v3_metric.Base // always non-nil when built through newBaseCvssV3
}
    75  
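// newBaseCvssV3 decodes a CVSS v3 base vector string into a CVSS.
//
// base is the raw vector as received from an advisory; it is treated as
// untrusted input and is only ever parsed, never interpreted further.
// Which v3 minor versions (3.0 / 3.1) the underlying decoder accepts is
// left to the go-cvss library — TODO confirm against its docs.
// On a decode failure the returned error wraps the library error (so
// errors.Is/As still work) and quotes the offending vector with %q so
// that control characters in a malformed vector cannot mangle logs.
func newBaseCvssV3(base string) (CVSS, error) {
	bm, err := v3_metric.NewBase().Decode(base)
	if err != nil {
		return nil, fmt.Errorf("decoding CVSS v3 base vector %q: %w", base, err)
	}

	return &cvssV3{
		base: bm,
	}, nil
}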
    86  
// Severity maps the decoded v3 base rating onto CvssRisk.
//
// All four v3 bands (Critical/High/Medium/Low) are carried through
// one-to-one. Any other rating — including values this package does not
// recognise — is reported as NONE.
func (c *cvssV3) Severity() CvssRisk {
	rating := c.base.Severity()

	switch {
	case rating == v3_metric.SeverityCritical:
		return CRITICAL
	case rating == v3_metric.SeverityHigh:
		return HIGH
	case rating == v3_metric.SeverityMedium:
		return MEDIUM
	case rating == v3_metric.SeverityLow:
		return LOW
	}

	return NONE
}
   102  
// Factory
//
// NewCvssBaseString decodes raw, a CVSS base vector string, according to
// version and returns a CVSS from which the qualitative severity can be read.
//
// raw is typically lifted straight from a third-party advisory and is
// treated as untrusted: it is only parsed, and parse failures surface as
// the returned error. Only CVSS_V2 and CVSS_V3 are decodable here; every
// other version value (including CVSS_V4) yields an "unsupported" error.
func NewCvssBaseString(raw string, version CvssVersion) (CVSS, error) {
	decoders := map[CvssVersion]func(string) (CVSS, error){
		CVSS_V2: newBaseCvssV2,
		CVSS_V3: newBaseCvssV3,
	}

	decode, supported := decoders[version]
	if !supported {
		return nil, fmt.Errorf("unsupported CVSS version: %s", version)
	}

	return decode(raw)
}
   113  }