Skip to content
/ cvss Public

CVSS V3.0, V3.1 & V4.0 Calculation for your JS Projects!

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

rohitcoder/cvss

BranchesTags

Repository files navigation

CVSS

The Common Vulnerability Scoring System (CVSS) is a scoring framework that provides numerical scores to assess the severity of software vulnerabilities. This TypeScript-based library offers support for CVSS versions 3.0, 3.1, and 4.0 for calculating and validating Base Scores.

Basics

CVSS produces numerical scores based on principal vulnerability characteristics to determine the severity of a vulnerability. These scores help compare the relative risks of different vulnerabilities.

A CVSS vector string consists of:

  1. A version identifier starting with CVSS:.
  2. A set of /-separated metrics. Each metric is represented as a key-value pair (metric:value).

Example Vector String

Sample CVSS v3.1 vector string:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Base Score: 3.8
Severity: Low

Features

  1. Supported CVSS Versions:

  2. Metric Group Coverage:
    Currently supports Base Metrics. Future updates may include Temporal and Environmental Metrics.

Installation

Install the library using npm:

npm install --save cvss4

API Reference

Score Calculation

  • calculateBaseScore(cvssString): number
    Computes the Base Score of a CVSS vector string.
    Example:

    import { calculateBaseScore } from 'cvss4';
console.log(calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'));

  • calculateIss(metricsMap): number
    Calculates the Impact Sub-Score (ISS).

  • calculateImpact(metricsMap, iss): number
    Computes the Impact.

  • calculateExploitability(metricsMap): number
    Computes the Exploitability.

Validation

  • validate(cvssString): void
    Validates the CVSS vector string. Throws an error if the string is invalid or unsupported.
    Example: 
    import { validate } from 'cvss4';
validate('CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N');

Humanization

  • humanizeBaseMetric(metric: string): string
    Converts an abbreviated metric name to its full form.
    Example:

    humanizeBaseMetric('C'); // Returns: 'Confidentiality'

  • humanizeBaseMetricValue(value: string, metric: string): string
    Converts an abbreviated metric value to its full form.
    Example:

    humanizeBaseMetricValue('N', 'AV'); // Returns: 'Network'

Usage Examples

Node.js (CommonJS)

const cvss = require('cvss4');
console.log(cvss.calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'));

Node.js (ES Modules)

import { calculateBaseScore } from 'cvss4';
console.log(calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'));

Browser (UMD)

<script src="./node_modules/cvss4/dist/bundle.umd.js"></script>
<script>
  alert(cvss.calculateBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'));
</script>

Development

Contributions are welcome. Please ensure your code passes linting (npm run lint) and tests (npm test) before submitting a pull request.

License

This project is licensed under the MIT License. See the LICENSE file for details.

Special thanks to NeuraLegion for the initial version of this library.

About

CVSS V3.0, V3.1 & V4.0 Calculation for your JS Projects!

Topics

vulnerability-management cvss cvssv3 cvssv4

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 8

v1.0.7 Latest
Jan 1, 2025
+ 7 releases

Packages

No packages published

Languages