Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
cvss-v3.1-react
The CVSS (Common Vulnerability Scoring System) is an open framework for rating the severity of software vulnerabilities as a numerical value, the Base Score, ranging from 0.0 to 10.0. The score maps to a qualitative rating of None, Low, Medium, High or Critical.
This package provides the CVSS v3.1 calculator as an npm package for React, which was not previously available: there was no React plugin for this calculator, so we built one for React users. CVSS V3.1 Standalone Calculator Demo
The calculator determines the base score directly from the selected metrics and reports the corresponding severity rating. The procedure is as follows:
First, install the npm package from the command line:
npm install cvss-v3.1-react
1. After installation, import cvss-v3.1-react:
import CvssV3 from 'cvss-v3.1-react'
2. Include the cvss-v3.1-react component:
const severityVector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L";
// severityVector is optional. It can be used to initialize the calculator.
<CvssV3 severityVector={severityVector} onChange={(data)=>{
console.log('data-----------', data);
}}/>
3. The default styles are listed below. You can customize them by passing a styles prop whose keys override the corresponding entries. Pass an onChange prop to receive the selected severity vector string whenever the user changes a metric.
const defaultProps = {
styles: {
matricesTitle: {
minWidth: 200,
font: '400 16px Arial',
marginRight: 15
},
matricesItem: {
display: 'flex',
alignItems: 'center',
font: '400 13.3333px Arial'
},
severityBtn: {
background: 'none',
border: 'solid 1px #ccc',
borderRadius: 3,
padding: '0 20px',
height: 36,
marginRight: 15,
cursor: 'pointer'
},
selected: {
background: 'blue',
color: 'white'
},
scoreTextColor: {
color: 'blue'
},
scoreBar: {
background: '#f7f8f9',
padding: '1px 10px 15px'
},
None: {
background: 'rgb(162, 213, 114)'
},
Low: {
background: 'rgb(208, 212, 134)'
},
Medium: {
background: 'rgb(250, 230, 120)'
},
High: {
background: 'rgb(240, 170, 83)'
},
Critical: {
background: 'rgb(240, 130, 120)'
}
}
}
4. To make the calculator read-only, pass the optional prop readOnly={true}. The user will then see the vector's metrics and score but will not be able to change them.
const severityVector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L";
const readOnly = true;
// severityVector is optional. It can be used to initialize the calculator.
<CvssV3 severityVector={severityVector} readOnly={readOnly} onChange={(data)=>{
console.log('data-----------', data);
}}/>
The CVSS calculator computes the base score from the following eight metrics (the Base Metrics). The weight each value contributes is shown in parentheses.
#### Attack Vector (AV)
This metric reflects the context in which the vulnerability can be exploited: the more remote the attacker can be, the larger the base score. Instead of typing the whole vector string, you can select the metric value from the available options: Network (0.85), Adjacent (0.62), Local (0.55) and Physical (0.2).
#### Attack Complexity (AC)
This metric reflects the conditions beyond the attacker's control that must exist for the vulnerability to be exploited; the base score is greatest for the least complex attacks. Select one of Low (0.77) or High (0.44).
#### Privileges Required (PR)
This metric describes the privilege level an attacker must possess to exploit the vulnerability successfully. The base score is highest when no privileges are required. The possible values are None (0.85), Low (0.62) and High (0.27). Note that the Low and High weights apply when Scope is Unchanged; when Scope is Changed, CVSS v3.1 raises them to 0.68 and 0.5 respectively.
#### User Interaction (UI)
This metric describes whether exploitation requires the participation of a user other than the attacker. Its values are None (0.85) and Required (0.62).
#### Scope (S)
This metric captures whether a vulnerability in one component can affect resources beyond that component's security scope. It has two values, Unchanged and Changed; for otherwise identical metrics, a Changed scope yields the higher base score.
#### Impact Metrics
The impact metrics Confidentiality (C), Integrity (I) and Availability (A) measure the impact of a successful exploit on the affected component. The final impact is the combined effect of all three metrics. Each takes one of High (0.56), Low (0.22) or None (0).
#### How to Calculate the Base Score?
The ISS (Impact Sub Score) is defined as ISS = 1 - [(1 - C) * (1 - I) * (1 - A)], where C, I and A are the Confidentiality, Integrity and Availability weights. Impact can be determined as:
Else,
The final CVSS Base Score ranges and their ratings are listed below:
Copyright (c) 2015-2019, Shankar Morwal.
Copyright (c) 2019, Habilelabs Private limited
The npm package cvss-v3.1-react receives a total of 143 weekly downloads. As such, cvss-v3.1-react popularity was classified as not popular.
We found that cvss-v3.1-react demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.