update

emo-crab · Nov 21, 2023 · 98b02c5 · 98b02c5
1 parent f6e1689
commit 98b02c5
Show file tree

Hide file tree

Showing 24 changed files with 1,344 additions and 1,008 deletions.
diff --git a/cvss/src/lib.rs b/cvss/src/lib.rs
@@ -14,5 +14,26 @@ pub mod metric;
 pub mod severity;
 pub mod v2;
 pub mod v3;
-pub mod version;
 pub mod v4;
+pub mod version;
+/// Roundup保留小数点后一位，小数点后第二位大于零则进一。 例如, Roundup(4.02) = 4.1; 或者 Roundup(4.00) = 4.0
+///
+/// Where “Round up” is defined as the smallest number,
+/// specified to one decimal place, that is equal to or higher than its input. For example,
+/// Round up (4.02) is 4.1; and Round up (4.00) is 4.0.
+///
+/// 1.  `function Roundup (input):`
+/// 2.  `    int_input = round_to_nearest_integer (input * 100000)`
+/// 3.  `    if (int_input % 10000) == 0:`
+/// 4.  `        return int_input / 100000.0`
+/// 5.  `    else:`
+/// 6.  `        return (floor(int_input / 10000) + 1) / 10.0`
+pub(crate) fn roundup(input: f32) -> f32 {
+  let int_input = (input * 100_000.0) as u32;
+  if int_input % 10000 == 0 {
+    (int_input as f32) / 100_000.0
+  } else {
+    let score_floor = ((int_input as f32) / 10_000.0).floor();
+    (score_floor + 1.0) / 10.0
+  }
+}
diff --git a/cvss/src/metric/v4.rs b/cvss/src/metric/v4.rs
@@ -35,6 +35,11 @@ pub enum MetricTypeV4 {
 
   /// User Interaction (UI)
   UI,
+
+  CR,
+  IR,
+  AR,
+  E,
 }
 
 impl MetricTypeV4 {
@@ -52,6 +57,10 @@ impl MetricTypeV4 {
       Self::SC => "SC",
       Self::SI => "SI",
       Self::SA => "SA",
+      Self::CR => "CR",
+      Self::IR => "IR",
+      Self::AR => "AR",
+      Self::E => "E",
     }
   }
 }

diff --git a/cvss/src/v2/access_complexity.rs b/cvss/src/v2/access_complexity.rs
@@ -56,15 +56,15 @@ impl Metric for AccessComplexityType {
 
   fn help(&self) -> Help {
     match self {
-      AccessComplexityType::High => Help {
+      Self::High => Help {
         worth: Worth::Bad,
         des: "In most configurations, the attacking party must already have elevated privileges or spoof additional systems in addition to the attacking system (e.g., DNS hijacking).".to_string(),
       },
-      AccessComplexityType::Medium => Help {
+      Self::Medium => Help {
         worth: Worth::Worse,
         des: "The attacking party is limited to a group of systems or users at some level of authorization, possibly untrusted.".to_string(),
       },
-      AccessComplexityType::Low => Help {
+      Self::Low => Help {
         worth: Worth::Worst,
         des: "The affected product typically requires access to a wide range of systems and users, possibly anonymous and untrusted (e.g., Internet-facing web or mail server).".to_string(),
       },
@@ -73,47 +73,41 @@ impl Metric for AccessComplexityType {
 
   fn score(&self) -> f32 {
     match self {
-      AccessComplexityType::High => 0.35,
-      AccessComplexityType::Medium => 0.61,
-      AccessComplexityType::Low => 0.71,
+      Self::High => 0.35,
+      Self::Medium => 0.61,
+      Self::Low => 0.71,
     }
   }
 
   fn as_str(&self) -> &'static str {
     match self {
-      AccessComplexityType::High => "H",
-      AccessComplexityType::Medium => "M",
-      AccessComplexityType::Low => "L",
+      Self::High => "H",
+      Self::Medium => "M",
+      Self::Low => "L",
     }
   }
 }
 impl FromStr for AccessComplexityType {
   type Err = CVSSError;
 
   fn from_str(s: &str) -> Result<Self> {
-    let mut s = s.to_uppercase();
     let name = Self::name();
-    if s.starts_with(name) {
-      s = s
-        .strip_prefix(&format!("{}:", name))
-        .unwrap_or_default()
-        .to_string();
-    }
-    let c = {
-      let c = s.chars().next();
-      c.ok_or(CVSSError::InvalidCVSS {
+    let s = s.to_uppercase();
+    let (_name, v) = s
+      .split_once(&format!("{}:", name))
+      .ok_or(CVSSError::InvalidCVSS {
         key: name.to_string(),
-        value: s,
+        value: s.to_string(),
         expected: name.to_string(),
-      })?
-    };
+      })?;
+    let c = v.chars().next();
     match c {
-      'H' => Ok(Self::High),
-      'M' => Ok(Self::Medium),
-      'L' => Ok(Self::Low),
+      Some('H') => Ok(Self::High),
+      Some('M') => Ok(Self::Medium),
+      Some('L') => Ok(Self::Low),
       _ => Err(CVSSError::InvalidCVSS {
         key: name.to_string(),
-        value: c.to_string(),
+        value: format!("{:?}", c),
         expected: "H,M,L".to_string(),
       }),
     }

diff --git a/cvss/src/v2/access_vector.rs b/cvss/src/v2/access_vector.rs
@@ -46,55 +46,49 @@ impl Metric for AccessVectorType {
 
   fn help(&self) -> Help {
     match self {
-      AccessVectorType::Network => {Help{ worth: Worth::Worst, des: "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed \"remotely exploitable\". An example of a network attack is an RPC buffer overflow.".to_string() }}
-      AccessVectorType::AdjacentNetwork => {Help{ worth: Worth::Worse, des: "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software.  Examples of local networks include local IP subnet, Bluetooth, IEEE 802.11, and local Ethernet segment.".to_string() }}
-      AccessVectorType::Local => {Help{ worth: Worth::Bad, des: "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account. Examples of locally exploitable vulnerabilities are peripheral attacks such as Firewire/USB DMA attacks, and local privilege escalations (e.g., sudo).".to_string() }}
+      Self::Network => {Help{ worth: Worth::Worst, des: "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed \"remotely exploitable\". An example of a network attack is an RPC buffer overflow.".to_string() }}
+      Self::AdjacentNetwork => {Help{ worth: Worth::Worse, des: "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software.  Examples of local networks include local IP subnet, Bluetooth, IEEE 802.11, and local Ethernet segment.".to_string() }}
+      Self::Local => {Help{ worth: Worth::Bad, des: "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account. Examples of locally exploitable vulnerabilities are peripheral attacks such as Firewire/USB DMA attacks, and local privilege escalations (e.g., sudo).".to_string() }}
     }
   }
 
   fn score(&self) -> f32 {
     match self {
-      AccessVectorType::Network => 1.0,
-      AccessVectorType::AdjacentNetwork => 0.646,
-      AccessVectorType::Local => 0.395,
+      Self::Network => 1.0,
+      Self::AdjacentNetwork => 0.646,
+      Self::Local => 0.395,
     }
   }
 
   fn as_str(&self) -> &'static str {
     match self {
-      AccessVectorType::Network => "N",
-      AccessVectorType::AdjacentNetwork => "A",
-      AccessVectorType::Local => "L",
+      Self::Network => "N",
+      Self::AdjacentNetwork => "A",
+      Self::Local => "L",
     }
   }
 }
 impl FromStr for AccessVectorType {
   type Err = CVSSError;
 
   fn from_str(s: &str) -> Result<Self> {
-    let mut s = s.to_uppercase();
     let name = Self::name();
-    if s.starts_with(name) {
-      s = s
-        .strip_prefix(&format!("{}:", name))
-        .unwrap_or_default()
-        .to_string();
-    }
-    let c = {
-      let c = s.chars().next();
-      c.ok_or(CVSSError::InvalidCVSS {
-        key: name.to_string(),
-        value: s,
-        expected: name.to_string(),
-      })?
-    };
+    let s = s.to_uppercase();
+    let (_name, v) = s
+        .split_once(&format!("{}:", name))
+        .ok_or(CVSSError::InvalidCVSS {
+          key: name.to_string(),
+          value: s.to_string(),
+          expected: name.to_string(),
+        })?;
+    let c = v.chars().next();
     match c {
-      'N' => Ok(Self::Network),
-      'A' => Ok(Self::AdjacentNetwork),
-      'L' => Ok(Self::Local),
+      Some('N') => Ok(Self::Network),
+      Some('A') => Ok(Self::AdjacentNetwork),
+      Some('L') => Ok(Self::Local),
       _ => Err(CVSSError::InvalidCVSS {
         key: name.to_string(),
-        value: c.to_string(),
+        value:format!("{:?}", c),
         expected: "N,A,L".to_string(),
       }),
     }

diff --git a/cvss/src/v2/authentication.rs b/cvss/src/v2/authentication.rs
@@ -45,15 +45,15 @@ impl Metric for AuthenticationType {
 
   fn help(&self) -> Help {
     match self {
-      AuthenticationType::Multiple => Help {
+      Self::Multiple => Help {
         worth: Worth::Bad,
         des: "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time. An example is an attacker authenticating to an operating system in addition to providing credentials to access an application hosted on that system.".to_string(),
       },
-      AuthenticationType::Single => Help {
+      Self::Single => Help {
         worth: Worth::Worse,
         des: "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface).".to_string(),
       },
-      AuthenticationType::None => Help {
+      Self::None => Help {
         worth: Worth::Worst,
         des: "Authentication is not required to exploit the vulnerability.".to_string(),
       },
@@ -62,47 +62,41 @@ impl Metric for AuthenticationType {
 
   fn score(&self) -> f32 {
     match self {
-      AuthenticationType::Multiple => 0.45,
-      AuthenticationType::Single => 0.56,
-      AuthenticationType::None => 0.704,
+      Self::Multiple => 0.45,
+      Self::Single => 0.56,
+      Self::None => 0.704,
     }
   }
 
   fn as_str(&self) -> &'static str {
     match self {
-      AuthenticationType::Multiple => "M",
-      AuthenticationType::Single => "S",
-      AuthenticationType::None => "N",
+      Self::Multiple => "M",
+      Self::Single => "S",
+      Self::None => "N",
     }
   }
 }
 impl FromStr for AuthenticationType {
   type Err = CVSSError;
 
   fn from_str(s: &str) -> Result<Self> {
-    let mut s = s.to_string();
     let name = Self::name();
-    if s.starts_with(name) {
-      s = s
-        .strip_prefix(&format!("{}:", name))
-        .unwrap_or_default()
-        .to_string();
-    }
-    let c = {
-      let c = s.to_uppercase().chars().next();
-      c.ok_or(CVSSError::InvalidCVSS {
-        key: name.to_string(),
-        value: s,
-        expected: name.to_string(),
-      })?
-    };
+    let s = s.to_uppercase();
+    let (_name, v) = s
+        .split_once(&format!("{}:", name))
+        .ok_or(CVSSError::InvalidCVSS {
+          key: name.to_string(),
+          value: s.to_string(),
+          expected: name.to_string(),
+        })?;
+    let c = v.chars().next();
     match c {
-      'M' => Ok(Self::Multiple),
-      'S' => Ok(Self::Single),
-      'N' => Ok(Self::None),
+      Some('M') => Ok(Self::Multiple),
+      Some('S') => Ok(Self::Single),
+      Some('N') => Ok(Self::None),
       _ => Err(CVSSError::InvalidCVSS {
         key: name.to_string(),
-        value: c.to_string(),
+        value:format!("{:?}", c),
         expected: "M,S,N".to_string(),
       }),
     }