
Add validation for CVSS V3 vector strings

Brian Williams requested to merge bwill/cvss-validation into master

What does this MR do and why?


Relates to: #371540 (closed)

This MR adds a new class for handling CVSS v3.1 vector strings. Initially, this is used in order to validate the cvss_v3 field on the Vulnerabilities::Advisory model. In the future, it can also be extended to calculate the severity rating of an advisory.

I considered using a gem for this, however the candidates do not seem suitable. The most downloaded CVSS gem has no license and does not parse vector strings correctly. cvss-suite is licensed under MIT and seems decent, but does not allow us to surface error messages.

Validation Requirements

Example of a valid vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

The specification document for CVSS 3.1 vector strings gives these validation requirements:

  • The CVSS v3.1 vector string begins with the label CVSS: and a numeric representation of the current version, 3.1
  • Metrics (ex: AV:N) are delimited by /
  • Metrics have a name (ex: AV) and a value (ex: N) which are delimited by :
  • All Base metrics must be included in the vector string
  • Temporal and Environmental metrics with a value of Not Defined (X) can be explicitly included in a vector string if desired. - We ignore this rule because the first iteration will support only base metrics.
  • Metrics must have the values indicated in table 15 of the specification document - For Base metrics, for Temporal and Environmental metrics
  • Programs reading CVSS v3.1 vector strings must accept metrics in any order
  • Programs reading CVSS v3.1 vector strings must treat unspecified Temporal and Environmental metrics as Not Defined
  • A vector string must not include the same metric more than once.
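The rules above, as a stand-alone Ruby validator. This is an added example and is not the merge request's Gitlab::Vulnerabilities::Cvss::V3 class; the class name CvssV3VectorValidator, its method names and its error wording are assumptions. Like the MR, it accepts only Base metrics (values per Table 15 of the specification), accepts them in any order, rejects duplicates and unsupported versions, and collects every problem instead of stopping at the first one so the messages can be surfaced to the user.

```ruby
# Added example: validator for CVSS v3.1 Base-metric vector strings, written
# against the validation rules listed in the MR description. Not the project's
# own code; class and method names are assumptions.
class CvssV3VectorValidator
  SUPPORTED_VERSIONS = %w[3.1].freeze

  # Allowed values for each Base metric (Table 15 of the CVSS v3.1 specification).
  # Temporal and Environmental metrics are deliberately not listed: the first
  # iteration supports Base metrics only, so any other metric name is rejected.
  BASE_METRICS = {
    'AV' => %w[N A L P],
    'AC' => %w[L H],
    'PR' => %w[N L H],
    'UI' => %w[N R],
    'S'  => %w[U C],
    'C'  => %w[H L N],
    'I'  => %w[H L N],
    'A'  => %w[H L N]
  }.freeze

  attr_reader :vector, :errors, :metrics

  def initialize(vector)
    @vector = vector
    @errors = []
    @metrics = {}
    parse
  end

  def valid?
    errors.empty?
  end

  private

  # The first "/"-delimited component is the "CVSS:<version>" label; the rest
  # are "NAME:VALUE" metrics, which may appear in any order.
  def parse
    prefix, *components = vector.to_s.split('/')

    unless prefix&.start_with?('CVSS:')
      errors << 'vector must begin with `CVSS:` followed by the version'
      return
    end

    version = prefix.delete_prefix('CVSS:')
    unless SUPPORTED_VERSIONS.include?(version)
      errors << "version `#{version}` is not supported. Supported versions are: #{SUPPORTED_VERSIONS.join(', ')}"
      return
    end

    components.each { |component| parse_metric(component) }
    check_required_metrics
  end

  def parse_metric(component)
    name, value, *rest = component.split(':')
    if value.nil? || !rest.empty?
      errors << "`#{component}` is not a `NAME:VALUE` metric"
      return
    end

    allowed = BASE_METRICS[name]
    if allowed.nil?
      errors << "`#{name}` is not a recognised Base metric"
      return
    end

    # The same metric must not appear more than once.
    if metrics.key?(name)
      errors << "vector contains multiple values for parameter `#{name}`"
      return
    end

    unless allowed.include?(value)
      errors << "`#{value}` is not a valid value for `#{name}`"
      return
    end

    metrics[name] = value
  end

  # All eight Base metrics must be present. A metric whose value was rejected
  # is not recorded, so it is also reported as missing.
  def check_required_metrics
    (BASE_METRICS.keys - metrics.keys).each do |name|
      errors << "`#{name}` parameter is required"
    end
  end
end
```

Because a rejected value is never recorded, a vector such as `CVSS:3.1/AV:X/...` produces both an invalid-value error and a "parameter is required" error for `AV`; whether that double report is desirable is a presentation choice, and collapsing it is a one-line change in check_required_metrics.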

How to set up and validate locally


  1. Start the Rails console: bundle exec rails c

  2. Run this Ruby code:

    %w[
      CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
      CVSS:3.1/AV:N/AV:N
      CVSS:3.1/AV:X/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
      CVSS:2.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
    ].each do |vector|
      cvss = Gitlab::Vulnerabilities::Cvss::V3.new(vector)
      puts "Vector: #{cvss.vector}"
      puts "Valid: #{cvss.valid?}"
      puts "Errors: #{cvss.errors}"
    end

    Example output:

    Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
    Valid: true
    Errors: []
    Vector: CVSS:3.1/AV:N/AV:N
    Valid: false
    Errors: ["vector contains multiple values for parameter `AV`", "`AC` parameter is required", "`PR` parameter is required", "`UI` parameter is required", "`S` parameter is required", "`C` parameter is required", "`I` parameter is required", "`A` parameter is required"]
    Vector: CVSS:3.1/AV:X/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
    Valid: false
    Errors: ["`X` is not a valid value for `AV`", "`AV` parameter is required"]
    Vector: CVSS:2.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
    Valid: false
    Errors: ["version `2.0` is not supported. Supported versions are: 3.1"]

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams
