Add validation for CVSS V3 vector strings
What does this MR do and why?
Relates to: #371540 (closed)
This MR adds a new class for handling CVSS v3.1 vector strings. Initially, this is used to validate the `cvss_v3` field on the `Vulnerabilities::Advisory` model. In the future, it can also be extended to calculate the severity rating of an advisory.
I considered using a gem for this; however, the candidates do not seem suitable. The most downloaded CVSS gem has no license and does not parse vector strings correctly. cvss-suite is licensed under MIT and seems decent, but does not allow us to surface error messages.
Validation Requirements

Example of a valid vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N`

The specification document for CVSS 3.1 vector strings gives these validation requirements:

- ✅ The CVSS v3.1 vector string begins with the label `CVSS:` and a numeric representation of the current version, `3.1`
- ✅ Metrics (ex: `AV:N`) are delimited by `/`
- ✅ Metrics have a name (ex: `AV`) and a value (ex: `N`) which are delimited by `:`
- ✅ All Base metrics must be included in the vector string
- ❌ Temporal and Environmental metrics with a value of Not Defined (`X`) can be explicitly included in a vector string if desired.
  - We ignore this rule because the first iteration will support only base metrics.
- Metrics must have the values indicated in table 15 of the specification document
  - ✅ For Base metrics, ❌ for Temporal and Environmental metrics
- ✅ Programs reading CVSS v3.1 vector strings must accept metrics in any order
- ✅ Programs reading CVSS v3.1 vector strings must treat unspecified Temporal and Environmental metrics as Not Defined
- ✅ A vector string must not include the same metric more than once.
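The following is an added example (not the MR's own `Gitlab::Vulnerabilities::Cvss::V3` class) showing how the Base-metric rules above can be applied in a small standalone validator; the class name, the `CvssV3Validator` API and the exact error wording are assumptions chosen to mirror the output shown in this MR.

```ruby
# Added example: minimal validator for CVSS v3.1 Base-metric vector strings.
# Class name and error wording are assumptions, not the MR's implementation.
class CvssV3Validator
  SUPPORTED_VERSIONS = %w[3.1].freeze
  # Permitted Base-metric values (table 15 of the CVSS v3.1 specification).
  BASE_METRICS = {
    'AV' => %w[N A L P], 'AC' => %w[L H], 'PR' => %w[N L H], 'UI' => %w[N R],
    'S' => %w[U C], 'C' => %w[H L N], 'I' => %w[H L N], 'A' => %w[H L N]
  }.freeze
  attr_reader :vector, :errors

  def initialize(vector)
    @vector = vector
    @errors = []
    validate
  end

  def valid?
    errors.empty?
  end

  private

  def validate
    prefix, *metrics = vector.to_s.split('/')
    label, version = prefix.to_s.split(':', 2)
    if label != 'CVSS'
      errors << 'vector must begin with the label `CVSS:`'
    elsif !SUPPORTED_VERSIONS.include?(version)
      errors << "version `#{version}` is not supported. Supported versions are: #{SUPPORTED_VERSIONS.join(', ')}"
    end
    return unless errors.empty?
    seen = {} # metric name => value; metrics are accepted in any order
    metrics.each do |metric|
      name, value = metric.split(':', 2)
      if seen.key?(name)
        errors << "vector contains multiple values for parameter `#{name}`"
      elsif !BASE_METRICS.key?(name)
        errors << "`#{name}` is not a supported parameter"
      elsif !BASE_METRICS[name].include?(value)
        errors << "`#{value}` is not a valid value for `#{name}`"
      end
      seen[name] = value unless seen.key?(name)
    end
    # Every Base metric must be present exactly once with a valid value.
    BASE_METRICS.each do |name, allowed|
      errors << "`#{name}` parameter is required" unless allowed.include?(seen[name])
    end
  end
end
```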
How to set up and validate locally
1. Start the Rails console:

   ```shell
   bundle exec rails c
   ```

2. Run this Ruby code:

   ```ruby
   %w[
     CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
     CVSS:3.1/AV:N/AV:N
     CVSS:3.1/AV:X/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
     CVSS:2.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
   ].each do |vector|
     cvss = Gitlab::Vulnerabilities::Cvss::V3.new(vector)
     puts "Vector: #{cvss.vector}"
     puts "Valid: #{cvss.valid?}"
     puts "Errors: #{cvss.errors}"
   end
   ```

   Example output:

   ```
   Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
   Valid: true
   Errors: []
   Vector: CVSS:3.1/AV:N/AV:N
   Valid: false
   Errors: ["vector contains multiple values for parameter `AV`", "`AC` parameter is required", "`PR` parameter is required", "`UI` parameter is required", "`S` parameter is required", "`C` parameter is required", "`I` parameter is required", "`A` parameter is required"]
   Vector: CVSS:3.1/AV:X/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
   Valid: false
   Errors: ["`X` is not a valid value for `AV`", "`AV` parameter is required"]
   Vector: CVSS:2.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
   Valid: false
   Errors: ["version `2.0` is not supported. Supported versions are: 3.1"]
   ```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.