stevespringett / cvss-calculator

A Java library for calculating CVSSv2 and CVSSv3 scores and vectors
Apache License 2.0

Refactor parsing to fix v3 / v3.1 detection, and handle unordered metrics #90

Closed nscuro closed 3 months ago

nscuro commented 4 months ago

Replaces the regex-based parsing with pattern matching. The new implementation is able to detect:

In all above cases, a MalformedVectorException is thrown, containing details about the issue at hand. Previously, trying to parse an invalid vector merely resulted in a null return value.

Parsing is now able to properly detect whether the provided vector is CVSSv3.0 or CVSSv3.1, which addresses #56.

> [!NOTE]
> This implementation does not enforce metric order for CVSSv2.

Closes https://github.com/stevespringett/cvss-calculator/issues/49
Fixes https://github.com/stevespringett/cvss-calculator/issues/56

Additionally, defaults optional metrics to "Not Defined".

Score calculation is not designed to deal with null values. If a metric is not provided, it is assumed to be "Not Defined" (ND for CVSSv2, X for CVSSv3). This ensures that score calculation continues to work, when only a subset of optional metrics is provided.

Metrics with "Not Defined" values are omitted when constructing a vector string. This is in line with how visual CVSS calculators operate.

Initialization of metrics with null is prevented via Objects#requireNonNull checks on setters.

Fixes https://github.com/stevespringett/cvss-calculator/issues/65
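The behaviours this PR describes (version detection from the `CVSS:3.0/` or `CVSS:3.1/` prefix, order-independent metrics, a `MalformedVectorException` carrying the reason for rejection, optional metrics defaulting to "Not Defined", and `X` metrics omitted on re-serialisation) can be sketched in a small standalone parser. The following is an added example written for this page, not code from cvss-calculator; the class `Cvss3VectorParser`, its `Vector` result type and the metric tables are assumptions chosen to mirror the PR description, and the allowed values come from the CVSS v3.x specification.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical standalone parser illustrating the PR's described behaviour; not the library's own code.
public final class Cvss3VectorParser {

    /** Thrown for any structural problem; the message says what was wrong (was a null return before the PR). */
    public static final class MalformedVectorException extends IllegalArgumentException {
        public MalformedVectorException(String message) { super(message); }
    }

    /** Parsed result: detected version plus every metric, optional ones defaulted to "X" (Not Defined). */
    public static final class Vector {
        public final String version;               // "3.0" or "3.1"
        public final Map<String, String> metrics;  // metric -> value, in canonical order
        Vector(String version, Map<String, String> metrics) { this.version = version; this.metrics = metrics; }

        /** Re-serialise; "Not Defined" metrics are omitted, as visual CVSS calculators do. */
        public String toVectorString() {
            StringBuilder sb = new StringBuilder("CVSS:").append(version);
            metrics.forEach((k, v) -> { if (!"X".equals(v)) sb.append('/').append(k).append(':').append(v); });
            return sb.toString();
        }
    }

    // Metric name -> string of permitted single-letter values, in canonical CVSS v3.x order.
    private static final Map<String, String> ALLOWED = new LinkedHashMap<>();
    private static final Set<String> REQUIRED = Set.of("AV", "AC", "PR", "UI", "S", "C", "I", "A");
    static {
        // Base metrics (required)
        ALLOWED.put("AV", "NALP"); ALLOWED.put("AC", "LH");  ALLOWED.put("PR", "NLH"); ALLOWED.put("UI", "NR");
        ALLOWED.put("S", "UC");    ALLOWED.put("C", "HLN");  ALLOWED.put("I", "HLN");  ALLOWED.put("A", "HLN");
        // Temporal metrics (optional, default X)
        ALLOWED.put("E", "XUPFH"); ALLOWED.put("RL", "XOTWU"); ALLOWED.put("RC", "XURC");
        // Environmental metrics (optional, default X)
        ALLOWED.put("CR", "XLMH");  ALLOWED.put("IR", "XLMH"); ALLOWED.put("AR", "XLMH");
        ALLOWED.put("MAV", "XNALP"); ALLOWED.put("MAC", "XLH"); ALLOWED.put("MPR", "XNLH"); ALLOWED.put("MUI", "XNR");
        ALLOWED.put("MS", "XUC");   ALLOWED.put("MC", "XHLN"); ALLOWED.put("MI", "XHLN");  ALLOWED.put("MA", "XHLN");
    }

    public static Vector parse(String vector) {
        if (vector == null || vector.isBlank()) throw new MalformedVectorException("Vector is empty");
        String[] parts = vector.trim().split("/");
        String version;
        switch (parts[0]) {
            case "CVSS:3.0": version = "3.0"; break;
            case "CVSS:3.1": version = "3.1"; break;
            default: throw new MalformedVectorException("Unsupported or missing version prefix: " + parts[0]);
        }
        // First pass: validate each segment in whatever order it appears.
        Map<String, String> seen = new LinkedHashMap<>();
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].split(":", -1);
            if (kv.length != 2 || kv[0].isEmpty() || kv[1].isEmpty())
                throw new MalformedVectorException("Malformed metric segment: '" + parts[i] + "'");
            String allowed = ALLOWED.get(kv[0]);
            if (allowed == null) throw new MalformedVectorException("Unknown metric: " + kv[0]);
            if (kv[1].length() != 1 || allowed.indexOf(kv[1].charAt(0)) < 0)
                throw new MalformedVectorException("Invalid value '" + kv[1] + "' for metric " + kv[0]);
            if (seen.putIfAbsent(kv[0], kv[1]) != null)
                throw new MalformedVectorException("Duplicate metric: " + kv[0]);
        }
        // Second pass: walk the canonical order, requiring base metrics and defaulting the rest to X.
        Map<String, String> metrics = new LinkedHashMap<>();
        for (String name : ALLOWED.keySet()) {
            String value = seen.get(name);
            if (value == null) {
                if (REQUIRED.contains(name)) throw new MalformedVectorException("Missing required base metric: " + name);
                value = "X";
            }
            metrics.put(name, value);
        }
        return new Vector(version, Collections.unmodifiableMap(metrics));
    }

    public static void main(String[] args) {
        // Out-of-order base metrics plus a single temporal metric; constructed sample input.
        Vector v = parse("CVSS:3.1/C:H/AV:N/AC:L/PR:N/UI:N/S:U/I:H/A:H/E:P");
        System.out.println(v.version + " -> " + v.toVectorString());
        // Constructed invalid vectors: duplicate metric, missing version prefix, invalid value.
        for (String bad : new String[] {"CVSS:3.1/AV:N/AV:L", "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                                        "CVSS:3.0/AV:Z/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}) {
            try { parse(bad); } catch (MalformedVectorException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Keeping the canonical order in `ALLOWED` is what makes the parser order-independent on input while still emitting a normalised vector string, and because every optional metric is materialised as `X` rather than `null`, a score routine reading the map never has to special-case absent metrics.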