1 /*
2 * This file is part of dependency-check-core.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * Copyright (c) 2018 Jeremy Long. All Rights Reserved.
17 */
18 package org.owasp.dependencycheck.dependency;
19
20 import java.io.Serializable;
21
22 /**
23 * CVSS V2 scoring information.
24 *
25 * @author Jeremy Long
26 */
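public class CvssV2 implements Serializable {

    /**
     * Serial version UID.
     */
    private static final long serialVersionUID = -2203955879356702367L;

    /**
     * CVSS Score.
     */
    private final float score;
    /**
     * CVSS Access Vector.
     */
    private final String accessVector;
    /**
     * CVSS Access Complexity.
     */
    private final String accessComplexity;
    /**
     * CVSS Authentication.
     */
    private final String authentication;
    /**
     * CVSS Confidentiality Impact.
     */
    private final String confidentialityImpact;
    /**
     * CVSS Integrity Impact.
     */
    private final String integrityImpact;
    /**
     * CVSS Availability Impact.
     */
    private final String availabilityImpact;
    /**
     * CVSS version; {@code null} when the short constructor is used.
     */
    private final String version;

    /**
     * CVSSv2 Base Metric severity.
     */
    private final String severity;
    /**
     * CVSSv2 Base Metric exploitability score; may be {@code null}.
     */
    private final Float exploitabilityScore;
    /**
     * CVSSv2 Base Metric impact score; may be {@code null}.
     */
    private final Float impactScore;
    /**
     * CVSSv2 Base Metric acInsufInfo; may be {@code null}.
     */
    private final Boolean acInsufInfo;
    /**
     * CVSSv2 Base Metric obtain all privilege; may be {@code null}.
     */
    private final Boolean obtainAllPrivilege;
    /**
     * CVSSv2 Base Metric obtain user privilege; may be {@code null}.
     */
    private final Boolean obtainUserPrivilege;
    /**
     * CVSSv2 Base Metric obtain other privilege; may be {@code null}.
     */
    private final Boolean obtainOtherPrivilege;
    /**
     * CVSSv2 Base Metric user interaction required; may be {@code null}.
     */
    private final Boolean userInteractionRequired;

    /**
     * Constructs a new CVSS V2 object holding only the score, the six base
     * metrics and the severity. The exploitability score, impact score, the
     * boolean base-metric flags and the version are all set to {@code null}.
     *
     * @param score the score
     * @param accessVector the access vector
     * @param accessComplexity the access complexity
     * @param authentication the authentication
     * @param confidentialityImpact the confidentiality impact
     * @param integrityImpact the integrity impact
     * @param availabilityImpact the availability impact
     * @param severity the severity
     */
    //CSOFF: ParameterNumber
    public CvssV2(float score, String accessVector, String accessComplexity, String authentication,
            String confidentialityImpact, String integrityImpact, String availabilityImpact, String severity) {
        this(score, accessVector, accessComplexity, authentication, confidentialityImpact,
                integrityImpact, availabilityImpact, severity, null, null, null, null, null, null, null, null);
    }

    /**
     * Constructs a new CVSS V2 object.
     * <p>
     * Every argument is stored exactly as supplied: this constructor does not
     * range-check the scores, does not normalize or validate the metric
     * strings, and accepts {@code null} for any reference argument. Code that
     * makes a decision from these values (for example a severity or score
     * threshold) has to validate them itself.
     *
     * @param score the score
     * @param accessVector the access vector
     * @param accessComplexity the access complexity
     * @param authentication the authentication
     * @param confidentialityImpact the confidentiality impact
     * @param integrityImpact the integrity impact
     * @param availabilityImpact the availability impact
     * @param severity the severity
     * @param exploitabilityScore the exploitability score
     * @param impactScore the impact score
     * @param acInsufInfo the acInsufInfo
     * @param obtainAllPrivilege whether or not the vulnerability allows one to
     * obtain all privileges
     * @param obtainUserPrivilege whether or not the vulnerability allows one to
     * obtain user privileges
     * @param obtainOtherPrivilege whether or not the vulnerability allows one
     * to obtain other privileges
     * @param userInteractionRequired whether or not user interaction is
     * required
     * @param version the CVSS version
     */
    //CSOFF: ParameterNumber
    public CvssV2(float score, String accessVector, String accessComplexity, String authentication,
            String confidentialityImpact, String integrityImpact, String availabilityImpact, String severity,
            Float exploitabilityScore, Float impactScore, Boolean acInsufInfo, Boolean obtainAllPrivilege,
            Boolean obtainUserPrivilege, Boolean obtainOtherPrivilege, Boolean userInteractionRequired, String version) {
        this.score = score;
        this.accessVector = accessVector;
        this.accessComplexity = accessComplexity;
        this.authentication = authentication;
        this.confidentialityImpact = confidentialityImpact;
        this.integrityImpact = integrityImpact;
        this.availabilityImpact = availabilityImpact;

        this.severity = severity;
        this.exploitabilityScore = exploitabilityScore;
        this.impactScore = impactScore;
        this.acInsufInfo = acInsufInfo;
        this.obtainAllPrivilege = obtainAllPrivilege;
        this.obtainUserPrivilege = obtainUserPrivilege;
        this.obtainOtherPrivilege = obtainOtherPrivilege;
        this.userInteractionRequired = userInteractionRequired;
        this.version = version;
    }
    //CSON: ParameterNumber

    /**
     * Get the value of score.
     *
     * @return the value of score
     */
    public float getScore() {
        return score;
    }

    /**
     * Get the value of accessVector.
     *
     * @return the value of accessVector; may be {@code null}
     */
    public String getAccessVector() {
        return accessVector;
    }

    /**
     * Get the value of accessComplexity.
     *
     * @return the value of accessComplexity; may be {@code null}
     */
    public String getAccessComplexity() {
        return accessComplexity;
    }

    /**
     * Get the value of authentication.
     *
     * @return the value of authentication; may be {@code null}
     */
    public String getAuthentication() {
        return authentication;
    }

    /**
     * Get the value of confidentialityImpact.
     *
     * @return the value of confidentialityImpact; may be {@code null}
     */
    public String getConfidentialityImpact() {
        return confidentialityImpact;
    }

    /**
     * Get the value of integrityImpact.
     *
     * @return the value of integrityImpact; may be {@code null}
     */
    public String getIntegrityImpact() {
        return integrityImpact;
    }

    /**
     * Get the value of availabilityImpact.
     *
     * @return the value of availabilityImpact; may be {@code null}
     */
    public String getAvailabilityImpact() {
        return availabilityImpact;
    }

    /**
     * Get the value of version.
     *
     * @return the value of version; {@code null} when the object was built
     * with the short constructor
     */
    public String getVersion() {
        return version;
    }

    /**
     * Returns the severity for the vulnerability.
     *
     * @return the severity; may be {@code null}
     */
    public String getSeverity() {
        return severity;
    }

    /**
     * Returns the exploitabilityScore for the vulnerability.
     *
     * @return the exploitabilityScore; may be {@code null}
     */
    public Float getExploitabilityScore() {
        return exploitabilityScore;
    }

    /**
     * Returns the impactScore for the vulnerability.
     *
     * @return the impactScore; may be {@code null}
     */
    public Float getImpactScore() {
        return impactScore;
    }

    /**
     * Returns the acInsufInfo for the vulnerability.
     *
     * @return the acInsufInfo; a boxed value that may be {@code null}, so
     * check for {@code null} before unboxing
     */
    public Boolean isAcInsufInfo() {
        return acInsufInfo;
    }

    /**
     * Returns the obtainAllPrivilege for the vulnerability.
     *
     * @return the obtainAllPrivilege; a boxed value that may be {@code null},
     * so check for {@code null} before unboxing
     */
    public Boolean isObtainAllPrivilege() {
        return obtainAllPrivilege;
    }

    /**
     * Returns the obtainUserPrivilege for the vulnerability.
     *
     * @return the obtainUserPrivilege; a boxed value that may be
     * {@code null}, so check for {@code null} before unboxing
     */
    public Boolean isObtainUserPrivilege() {
        return obtainUserPrivilege;
    }

    /**
     * Returns the obtainOtherPrivilege for the vulnerability.
     *
     * @return the obtainOtherPrivilege; a boxed value that may be
     * {@code null}, so check for {@code null} before unboxing
     */
    public Boolean isObtainOtherPrivilege() {
        return obtainOtherPrivilege;
    }

    /**
     * Returns the userInteractionRequired for the vulnerability.
     *
     * @return the userInteractionRequired; a boxed value that may be
     * {@code null}, so check for {@code null} before unboxing
     */
    public Boolean isUserInteractionRequired() {
        return userInteractionRequired;
    }

    /**
     * Renders the six base metrics as
     * {@code /AV:x/AC:x/Au:x/C:x/I:x/A:x}, where each {@code x} is the first
     * character of the stored metric value. The score, severity, version and
     * the extended base-metric fields are not part of the output, and the
     * string keeps its leading {@code '/'}.
     * <p>
     * A metric that is {@code null} or empty is rendered as an empty
     * abbreviation instead of raising an exception, so a record with missing
     * metrics can still be logged or reported. The result is only a valid
     * vector when the stored values begin with the expected abbreviation
     * letter (presumably full metric names such as {@code NETWORK} or
     * {@code PARTIAL}; this class does not check).
     *
     * @return the abbreviated base-metric string
     */
    @Override
    public String toString() {
        return String.format("/AV:%s/AC:%s/Au:%s/C:%s/I:%s/A:%s",
                abbreviate(accessVector),
                abbreviate(accessComplexity),
                abbreviate(authentication),
                abbreviate(confidentialityImpact),
                abbreviate(integrityImpact),
                abbreviate(availabilityImpact));
    }

    /**
     * Returns the first character of a metric value, or an empty string when
     * the value is {@code null} or empty.
     *
     * @param metric the stored metric value
     * @return the one-character abbreviation or an empty string
     */
    private static String abbreviate(String metric) {
        // substring(0, 1) on an empty string would throw
        // StringIndexOutOfBoundsException; treat it like a missing value.
        if (metric == null || metric.isEmpty()) {
            return "";
        }
        return metric.substring(0, 1);
    }
}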