Merge pull request #62 from n3rada/main

Solving issue #33, refreshing the README and adapt to FIRST commits
RedHatProductSecurity · Sep 6, 2024 · 75d6c98 · 75d6c98
2 parents 0604bed + 0e8b0c4
commit 75d6c98
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -1,3 +1,12 @@
 # CVSS v4.0 calculator
+The CVSS v4.0 Calculator is built based on the Common Vulnerability Scoring System (CVSS) version 4.0 [Specification Document](https://www.first.org/cvss/v4.0/specification-document). This document serves as the authoritative reference for understanding how to calculate the severity of vulnerabilities.
 
-Deployed: https://redhatproductsecurity.github.io/cvss-v4-calculator/
+This project is a web-based application that calculates the CVSS score for a given vulnerability. The core logic is implemented using JavaScript classes that encapsulate the CVSS metrics, scoring calculations, and vector string manipulations:
+
+- The `Vector` class handles the CVSS vector string and the associated metrics. It is the backbone of the application's logic, providing methods to update and validate the vector string, compute equivalent classes, and derive metrics values.
+- The `CVSS40` class is responsible for calculating the CVSS v4.0 score. It interacts with an instance of the `Vector` class to derive the score and determine the severity level.
+
+The application is live and can be accessed at [CVSS v4.0 Calculator](https://redhatproductsecurity.github.io/cvss-v4-calculator/).
+
+## License
+This project is licensed under the BSD-2-Clause License. See the [LICENSE](./LICENSE) file for more information.
diff --git a/cvss40.js b/cvss40.js
@@ -285,8 +285,9 @@ class Vector {
     /**
      * Generates a detailed breakdown of equivalent classes with their associated severity levels.
      *
-     * This method returns an object where each key is a metric description (e.g., "Exploitability")
-     * and each value is the corresponding severity level (e.g., "High", "Medium").
+     * This method analyzes a vector string representing various dimensions of a vulnerability
+     * (known as macrovectors) and maps them to their corresponding human-readable severity levels
+     * ("High", "Medium", "Low").
      *
      * @example
      * const breakdown = vectorInstance.severityBreakdown();
@@ -298,31 +299,37 @@ class Vector {
     get severityBreakdown() {
         const macroVector = this.equivalentClasses;
 
-        const macroVectorDetails = {
-            "Exploitability": 0,
-            "Complexity": 1,
-            "Vulnerable system": 2,
-            "Subsequent system": 3,
-            "Exploitation": 4,
-            "Security requirements": 5
-        };
+        // Define the macrovectors and their positions
+        const macroVectorDetails = [
+            "Exploitability",
+            "Complexity",
+            "Vulnerable system",
+            "Subsequent system",
+            "Exploitation",
+            "Security requirements"
+        ];
 
-        const macroVectorValues = {
-            "0": "High",
-            "1": "Medium",
-            "2": "Low",
-            "3": "None"
-        };
+        // Define which macrovectors have only two severity options
+        const macroVectorsWithTwoSeverities = ["Complexity", "Security requirements"];
 
-        // Constructing the detailed breakdown
+        // Lookup tables for macrovectors with two and three possible severity levels
+        const threeSeverities = ["High", "Medium", "Low"];
+        const twoSeverities = ["High", "Low"];
+
+        // Construct the detailed breakdown
         return Object.fromEntries(
-            Object.entries(macroVectorDetails).map(([description, index]) => [
-                description,
-                macroVectorValues[macroVector[index]]
-            ])
+            macroVectorDetails.map((description, index) => {
+                // Determine which lookup table to use based on the macrovector description
+                const macroVectorValueOptions = macroVectorsWithTwoSeverities.includes(description)
+                    ? twoSeverities
+                    : threeSeverities;
+
+                return [description, macroVectorValueOptions[macroVector[index]]];
+            })
         );
     }
 
+
     /**
      * Gets the effective value for a given CVSS metric.
      *

diff --git a/index.html b/index.html
@@ -27,7 +27,7 @@
 <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
-    <title>CVSS v4.0 calculator</title>
+    <title>Common Vulnerability Scoring System Version 4.0 Calculator</title>
     <!-- External Libraries -->
     <script src="https://unpkg.com/[email protected]/dist/vue.global.prod.js"></script>
     <!-- Stylesheets -->
@@ -41,7 +41,8 @@
     <div id="app" class="container">
         <!-- Header Section -->
         <header id="header">
-            <h4 class="page-title">CVSS v4.0 calculator</h4>
+            <img alt="CVSS logo" src="https://first.org/cvss/identity/cvssv4_web.png" width="125">
+            <h3 class="page-title">Common Vulnerability Scoring System Version 4.0 Calculator</h3>
             <mark
                 class="tooltip c-hand"
                 aria-label="Click to copy vector to clipboard"
@@ -78,11 +79,32 @@ <h5 class="score-line">
 
         <!-- Metrics Section -->
         <main class="columns" :style="{'margin-top': header_height + 10 + 'px'}">
+            <h6 id="cvssReference" style="width: 100%; max-width: 1065px; margin: 10px;">
+                Hover over metric names and metric values for a summary of the information in the official
+                <a href="https://www.first.org/cvss/v4.0/specification-document" target="_blank">
+                    CVSS v4.0 Specification Document
+                </a>.
+                The Specification is available along with a
+                <a href="https://www.first.org/cvss/v4.0/user-guide" target="_blank">
+                    User Guide
+                </a>
+                providing additional scoring guidance, an
+                <a href="https://www.first.org/cvss/v4.0/examples" target="_blank">
+                    Examples document
+                </a>
+                of scored vulnerabilities, a set of
+                <a href="https://www.first.org/cvss/v4.0/faq" target="_blank">
+                    Frequently Asked Questions (FAQ)
+                </a>, and both JSON and XML Data Representations for all versions of CVSS, including the
+                <a href="https://www.first.org/cvss/cvss-v4.0.json" target="_blank">
+                    JSON format
+                </a>.
+            </h6>
             <div class="column col-10 col-xl-12">
                 <div class="metric-type" v-for="(metricTypeData, metricType) in cvssConfigData">
                     <h4 class="text-center">
                         {{ metricType }}
-                        <span class="tooltip tooltip-left c-hand text-small" :data-tooltip="'This category is usually filled \n by the ' + metricTypeData.fill">
+                        <span class="tooltip tooltip-left c-hand text-small" :data-tooltip="'This category should be filled \n by the ' + metricTypeData.fill">
                             <sup>?</sup>
                         </span>
                     </h4>