@turingpointde/cvss.js

A tiny library to work with cvss vectors

Version: 1.5.0 (latest)
Weekly downloads: 166 (decreased by 82.02%)
Maintainers: 1
cvss.js by turingpoint.

License: MIT

A tiny library to work with CVSS vectors (v3.0 and v3.1) in JavaScript. The Common Vulnerability Scoring System (CVSS) is a free and open standard. It is owned and managed by FIRST.Org.

Installation

Install the @turingpointde/cvss.js package:

# use yarn or npm
yarn add @turingpointde/cvss.js

Import the library to use it in your code:

const CVSS = require("@turingpointde/cvss.js");
// or
import CVSS from "@turingpointde/cvss.js";

You can also use the library directly from the CDN (instead of yarn or npm):

<script src="https://unpkg.com/@turingpointde/cvss.js@latest/dist/production.min.js"></script>

Usage

After importing the library, the CVSS function must first be called with the vector as parameter.

// Vector only with base score
const vector1 = CVSS("CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L");
// Vector with temporal score
const vector2 = CVSS(
    "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L/E:U/RL:T/RC:R"
);
// Vector with environmental score
const vector3 = CVSS(
    "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/CR:M/IR:H/AR:M/MAV:N/MAC:H/MPR:L/MUI:N/MS:C/MC:N/MI:L/MA:L"
);

It is also possible to pass in an object:

const vectorObject = {
    CVSS: "3.0",
    AV: "N",
    AC: "H",
    PR: "H",
    UI: "R",
    S: "U",
    C: "H",
    I: "N",
    A: "N",
};

console.log(CVSS(vectorObject).vector); // "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N"

To get the scores, simply call the respective function.

// Create a vector
const vector = CVSS(
    "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/CR:M/IR:H/AR:M/MAV:N/MAC:H/MPR:L/MUI:N/MS:C/MC:N/MI:L/MA:L"
);

console.log(vector.getScore()); // 3.6
console.log(vector.getTemporalScore()); // 3.3
console.log(vector.getEnvironmentalScore()); // 5.1
console.log(vector.getImpactSubScore()); // 2.5
console.log(vector.getExploitabilitySubScore()); // 1

Sometimes it is useful to get the qualitative rating of a score:

const vector = CVSS("CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L");

console.log(vector.getRating()); // Medium
console.log(vector.getTemporalRating()); // Medium
console.log(vector.getEnvironmentalRating()); // Low
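
To show what the base score, its two sub-scores and the rating are derived from, the following stand-alone sketch implements the CVSS v3 base-score equations from the FIRST specification and reproduces the base values quoted above (3.6, 2.5, 1 and Medium). It is an added example, not cvss.js's own code; `baseScore`, `roundUp` and `rating` are hypothetical names, and temporal and environmental metrics in the vector are ignored.

```javascript
// Added example: CVSS v3.0/v3.1 base-score equations (FIRST specification).
// baseScore, roundUp and rating are hypothetical names, not the cvss.js API.
const W = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  UI: { N: 0.85, R: 0.62 },
  C: { H: 0.56, L: 0.22, N: 0 },
  I: { H: 0.56, L: 0.22, N: 0 },
  A: { H: 0.56, L: 0.22, N: 0 },
};
// Privileges Required weighs more when Scope is Changed.
const PR = { U: { N: 0.85, L: 0.62, H: 0.27 }, C: { N: 0.85, L: 0.68, H: 0.5 } };

// Roundup as defined in v3.1: smallest one-decimal number >= x, float-safe.
function roundUp(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

function baseScore(vector) {
  const [prefix, ...parts] = vector.split("/");
  if (!/^CVSS:3\.[01]$/.test(prefix)) throw new Error("unsupported version");
  const m = Object.fromEntries(parts.map((p) => p.split(":")));
  if (m.S !== "U" && m.S !== "C") throw new Error("invalid or missing metric S");
  // Look up a metric weight; reject unknown or absent values instead of scoring them.
  const w = (k) => {
    const v = k === "PR" ? PR[m.S][m.PR] : W[k][m[k]];
    if (typeof v !== "number") throw new Error(`invalid or missing metric ${k}`);
    return v;
  };
  const exploitability = 8.22 * w("AV") * w("AC") * w("PR") * w("UI");
  const isc = 1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A"));
  const changed = m.S === "C";
  const impact = changed
    ? 7.52 * (isc - 0.029) - 3.25 * Math.pow(isc - 0.02, 15)
    : 6.42 * isc;
  const sum = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
  return {
    score: impact <= 0 ? 0 : roundUp(Math.min(sum, 10)),
    impact: Number(impact.toFixed(1)),
    exploitability: Number(exploitability.toFixed(1)),
  };
}

// Qualitative severity rating scale from the specification.
function rating(score) {
  if (score === 0) return "None";
  return score < 4 ? "Low" : score < 7 ? "Medium" : score < 9 ? "High" : "Critical";
}
```
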

A few useful variables/functions to work with the vectors:

const vector = CVSS("CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L");

console.log(vector.isValid); // true
console.log(vector.vector); // CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
console.log(vector.getVersion()); // "3.0"

The following functions are suitable for displaying the vector in a human-readable form or for performing your own calculations with the vector:

const vector = CVSS(
    "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L/E:U/RL:T/RC:R/MAC:X/MUI:X/MA:X/MI:X"
);

console.log(vector.getVectorObject()); // { CVSS: "3.0", AV: "N", AC: "H", PR: "L", UI: "R", S: "C", C: "L", I: "L", A: "L", E: "U", RL: "T", RC: "R", CR: "X", IR: "X", AR: "X", MAV: "X", MAC: "X", MPR: "X", MUI: "X", MS: "X" , MC: "X", MI: "X", MA: "X" }
console.log(vector.getCleanVectorString()); // "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L/E:U/RL:T/RC:R"
console.log(vector.getDetailedVectorObject()); // see output below

Output of vector.getDetailedVectorObject():
  {
    CVSS: '3.0',
    metrics: {
      AV: {
        name: 'Attack Vector',
        abbr: 'AV',
        fullName: 'Attack Vector (AV)',
        value: 'Network',
        valueAbbr: 'N'
      },
      AC: {
        name: 'Attack Complexity',
        abbr: 'AC',
        fullName: 'Attack Complexity (AC)',
        value: 'High',
        valueAbbr: 'H'
      },
      PR: {
        name: 'Privileges Required',
        abbr: 'PR',
        fullName: 'Privileges Required (PR)',
        value: 'Low',
        valueAbbr: 'L'
      },
      UI: {
        name: 'User Interaction',
        abbr: 'UI',
        fullName: 'User Interaction (UI)',
        value: 'Required',
        valueAbbr: 'R'
      },
      S: {
        name: 'Scope',
        abbr: 'S',
        fullName: 'Scope (S)',
        value: 'Changed',
        valueAbbr: 'C'
      },
      C: {
        name: 'Confidentiality',
        abbr: 'C',
        fullName: 'Confidentiality (C)',
        value: 'Low',
        valueAbbr: 'L'
      },
      I: {
        name: 'Integrity',
        abbr: 'I',
        fullName: 'Integrity (I)',
        value: 'Low',
        valueAbbr: 'L'
      },
      A: {
        name: 'Availability',
        abbr: 'A',
        fullName: 'Availability (A)',
        value: 'Low',
        valueAbbr: 'L'
      },
      E: {
        name: 'Exploit Code Maturity',
        abbr: 'E',
        fullName: 'Exploit Code Maturity (E)',
        value: 'Unproven',
        valueAbbr: 'U'
      },
      RL: {
        name: 'Remediation Level',
        abbr: 'RL',
        fullName: 'Remediation Level (RL)',
        value: 'Temporary Fix',
        valueAbbr: 'T'
      },
      RC: {
        name: 'Report Confidence',
        abbr: 'RC',
        fullName: 'Report Confidence (RC)',
        value: 'Reasonable',
        valueAbbr: 'R'
      },
      MAC: {
        name: 'Modified Attack Complexity',
        abbr: 'MAC',
        fullName: 'Modified Attack Complexity (MAC)',
        value: 'Not Defined',
        valueAbbr: 'X'
      },
      MUI: {
        name: 'Modified User Interaction',
        abbr: 'MUI',
        fullName: 'Modified User Interaction (MUI)',
        value: 'Not Defined',
        valueAbbr: 'X'
      },
      MA: {
        name: 'Modified Availability',
        abbr: 'MA',
        fullName: 'Modified Availability (MA)',
        value: 'Not Defined',
        valueAbbr: 'X'
      },
      MI: {
        name: 'Modified Integrity',
        abbr: 'MI',
        fullName: 'Modified Integrity (MI)',
        value: 'Not Defined',
        valueAbbr: 'X'
      }
    }
  }

To update a vector's metric:

const vector = CVSS(
    "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/RL:X/RC:X"
).updateVectorValue("AV", "L");
console.log(vector); // "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"

Contributing

Contributions, issues and feature requests are welcome. Feel free to check out the issues page if you want to contribute.

License

Copyright © 2022 turingpoint GmbH. This project is MIT licensed.

Package last updated on 28 Jun 2023
