GhostManager / Ghostwriter

The SpecterOps project management and reporting engine
https://ghostwriter.wiki
BSD 3-Clause "New" or "Revised" License

CVSS v4 calculator #356

Open felix-caboff opened 8 months ago

felix-caboff commented 8 months ago

Is your feature request related to a problem? Please describe. The current in-built calculator is for version 3.x of CVSS. There seem to be a lot of good improvements in v4.0, which has just been released.

Describe the solution you'd like Can we please convert to v4.0?

Describe alternatives you've considered Perhaps we should consider allowing the system owner choose which version they want to use?

Additional context See the new FIRST calculator here.

chrismaddalena commented 8 months ago

We can look into this. Changing the calculator is a significant change, so it's not something that can be done too easily. The feature was originally a community contribution. The person who did it used this version of CVSS v3. There's a recent PR for expanding the CVSS v3 calculator. I'd like to add an option for CVSS v4, but it would have to be an option for people to pick v3 or v4. I'm not sure when that will be possible, but maybe sometime in 2024.

felix-caboff commented 3 weeks ago

Just preventing this from going stale. Latest is in this https://github.com/GhostManager/Ghostwriter/pull/387. Really sorry I haven't had a chance to review it yet - I'm not really set up for dev etc and I have precious little spare work time.

domwhewell-sage commented 3 weeks ago

Hi All, this might help. On all Finding edit views (ReportFindingLink and Finding) a CVSSv4 tab is displayed in the "CVSS Calculator" dropdown. This is essentially an iframe that displays the prebuilt vue.js application by FIRST.org (https://github.com/FIRSTdotorg/cvss-v4-calculator).

There is also some custom JS to extract the vector and CVSS score from this iframe.

I think this is the best way of implementing a user's choice between CVSS calculators. It's probably best if a CVSSv3.1 calculator is added as a tab in another pull request.
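Whatever the iframe hands back has to be treated as untrusted input before it is saved on a finding: a vector string and a score arriving from an embedded page are easy to tamper with, and a bad vector silently corrupts the report. The following is an added example, not code from the pull request or from Ghostwriter, of the checks a receiving script would run. Metric names and allowed values follow the CVSS v4.0 specification; the `postMessage` payload shape `{ vector, score }`, the origin `https://ghostwriter.local`, and all function names are assumptions made for this illustration. The parser accepts metrics in any order; if you want to require the canonical order, add that check in `parseCvss4Vector`.

```javascript
// Added example (not Ghostwriter's code): validate a CVSS v4.0 vector and score
// received from an embedded calculator before storing them on a finding.
const VERSION_PREFIX = "CVSS:4.0";

// Metric groups in the order the CVSS v4.0 specification lists them.
const GROUPS = {
  base: ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"],
  threat: ["E"],
  environmental: ["CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                  "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"],
  supplemental: ["S", "AU", "R", "V", "RE", "U"],
};
const CANONICAL_ORDER = [].concat(GROUPS.base, GROUPS.threat, GROUPS.environmental, GROUPS.supplemental);

// Allowed values per metric ("X" = Not Defined, only valid on optional metrics).
const VALUES = {
  AV: ["N", "A", "L", "P"], AC: ["L", "H"], AT: ["N", "P"], PR: ["N", "L", "H"], UI: ["N", "P", "A"],
  VC: ["H", "L", "N"], VI: ["H", "L", "N"], VA: ["H", "L", "N"],
  SC: ["H", "L", "N"], SI: ["H", "L", "N"], SA: ["H", "L", "N"],
  E: ["X", "A", "P", "U"],
  CR: ["X", "H", "M", "L"], IR: ["X", "H", "M", "L"], AR: ["X", "H", "M", "L"],
  MAV: ["X", "N", "A", "L", "P"], MAC: ["X", "L", "H"], MAT: ["X", "N", "P"],
  MPR: ["X", "N", "L", "H"], MUI: ["X", "N", "P", "A"],
  MVC: ["X", "H", "L", "N"], MVI: ["X", "H", "L", "N"], MVA: ["X", "H", "L", "N"],
  MSC: ["X", "H", "L", "N"], MSI: ["X", "S", "H", "L", "N"], MSA: ["X", "S", "H", "L", "N"],
  S: ["X", "N", "P"], AU: ["X", "N", "Y"], R: ["X", "A", "U", "I"], V: ["X", "D", "C"],
  RE: ["X", "L", "M", "H"], U: ["X", "Clear", "Green", "Amber", "Red"],
};

// Re-emit a vector in specification order, dropping "Not Defined" optional metrics.
function canonicalVector(metrics) {
  const parts = CANONICAL_ORDER
    .filter((n) => n in metrics && (GROUPS.base.includes(n) || metrics[n] !== "X"))
    .map((n) => `${n}:${metrics[n]}`);
  return [VERSION_PREFIX].concat(parts).join("/");
}

// Parse and validate a vector string. Rejects wrong version, malformed or unknown
// metrics, bad values, duplicates, and any missing Base metric.
function parseCvss4Vector(vector) {
  if (typeof vector !== "string") return { ok: false, error: "vector must be a string" };
  const parts = vector.trim().split("/");
  if (parts[0] !== VERSION_PREFIX) return { ok: false, error: `vector must start with ${VERSION_PREFIX}/` };
  const metrics = {};
  for (const part of parts.slice(1)) {
    const m = /^([A-Z]{1,3}):([A-Za-z]+)$/.exec(part);
    if (!m) return { ok: false, error: `malformed metric "${part}"` };
    const name = m[1], value = m[2];
    if (!(name in VALUES)) return { ok: false, error: `unknown metric "${name}"` };
    if (name in metrics) return { ok: false, error: `duplicate metric "${name}"` };
    if (!VALUES[name].includes(value)) return { ok: false, error: `invalid value "${value}" for ${name}` };
    metrics[name] = value;
  }
  const missing = GROUPS.base.filter((n) => !(n in metrics));
  if (missing.length) return { ok: false, error: `missing base metric(s): ${missing.join(", ")}` };
  // Nomenclature (CVSS-B / -BT / -BE / -BTE) depends on which optional groups carry a defined value.
  const defined = (group) => group.some((n) => n in metrics && metrics[n] !== "X");
  const nomenclature = "CVSS-B" + (defined(GROUPS.threat) ? "T" : "") + (defined(GROUPS.environmental) ? "E" : "");
  return { ok: true, metrics, nomenclature, canonical: canonicalVector(metrics) };
}

// A score must be 0.0 to 10.0 with at most one decimal place.
function validateReportedScore(raw) {
  const text = String(raw).trim();
  if (!/^(10(\.0)?|[0-9](\.[0-9])?)$/.test(text)) {
    return { ok: false, error: `score "${text}" is not a CVSS score (0.0-10.0, one decimal)` };
  }
  return { ok: true, score: Number(text) };
}

// Assumed transport: the embedded calculator posts { vector, score } via postMessage.
// The origin check is what stops any other frame from injecting a rating.
function handleCalculatorMessage(event, trustedOrigin) {
  if (event.origin !== trustedOrigin) return { ok: false, error: `ignored message from ${event.origin}` };
  const data = event.data || {};
  const parsed = parseCvss4Vector(data.vector);
  if (!parsed.ok) return parsed;
  const score = validateReportedScore(data.score);
  if (!score.ok) return score;
  return { ok: true, vector: parsed.canonical, nomenclature: parsed.nomenclature, score: score.score };
}

// Constructed sample message, as a browser handler would receive it from the iframe.
const sampleEvent = {
  origin: "https://ghostwriter.local",
  data: { vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/MAV:A", score: "9.3" },
};
console.log(handleCalculatorMessage(sampleEvent, "https://ghostwriter.local"));
```

In a page, this runs from `window.addEventListener("message", (e) => handleCalculatorMessage(e, location.origin))`; only an `ok: true` result should be written into the finding's vector and score fields, and the canonical form is the one worth storing so that two people rating the same finding produce identical strings.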

chrismaddalena commented 2 weeks ago

No problem @felix-caboff! Everyone is busy, but this hasn't been forgotten. Feedback and testing will be very welcome whenever someone has the time.

felix-caboff commented 1 week ago

I think this is the best way of implementing a user's choice between CVSS calculators. It's probably best if a CVSSv3.1 calculator is added as a tab in another pull request.

@domwhewell-sage just a thought for you. My understanding is that the difference between CVSSv3.0 and CVSSv3.1 is not a mechanics change but a wording clarification, and that the two versions essentially operate the same. I appreciate this is an oversimplification, but I wonder how much demand there will actually be for two sub-versions of CVSSv3? Adding the extra may not be worth any time at all. Happy in any case, just wanted to raise this in case it became complex.

domwhewell-sage commented 1 week ago

Hi @felix-caboff, I think there are some slight mechanics changes in the "Impact Sub-formula" in the Environmental Metric Group, but other than that the majority of the changes are restructuring and wording changes.

I already have a private fork which is using CVSSv3.1, so if there is enough demand for it I can quickly whip up a new tab pointing to that JS calculator (granted, it is not as easy as CVSSv4.0 with the iframe).