Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
A powerful, flexible CVSS parser, calculator and validator written for JavaScript/TypeScript.
A powerful, flexible CVSS parser, calculator and validator written for JavaScript/TypeScript.
Vuln/Vects is a library written in TypeScript, targeting JavaScript (server-side Node.js or browser) that aims to provide all the generation, validation, scoring and manipulation functionality you could ever need when working with CVSS (common vulnerability scoring system) vectors of any version. CVSS v2, v3.0 and v3.1 are currently supported.
Installing the project is very straightforward via npm:
npm install --save vuln-vects
If you're working in TypeScript and need type annotations etc. you might also want to run:
npm install --save @types/vuln-vects
It's only necessary to build the project if you're doing development work on it. There's no need to do so if you're just installing it to use as a library. Ensure that Node.js v14.x and npm is installed and run:
npm run build
Build output is to /dist
. To build accompanying documentation, you need the following command:
npm run docs
Documentation is generated using TypeDoc and rendered as HTML to /docs/api
.
You'll need to bundle the library if you want to use it in-browser (remember to build it first):
npm run build && npm run bundle
This will give you a single file in /bundle
that you can import into your webpages (see Usage section).
Tests are on Mocha and Chai. You can run them like so:
npm run test
Usage of the library will vary, depending on whether you want to run in-browser or as part of a server-side Node.js project. In any case, you'll need to begin by installing the library:
npm install --save vuln-vects
If you want to do a deep dive on the functionality of the library, take a look at the full API documentation.
Usage in the browser is super straightforward. After installation, simply import the bundled library into your webpage like so:
<script src="node_modules/vuln-vects/bundle/vuln-vects.js"></script>
You'll then get a VulnVects
object in the global namespace through which you can use the library:
<script>
alert(VulnVects.parseCvss2Vector('CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N').baseScore); // Shows '5.0'.
</script>
Importing and invoking the library is slightly different on the server side.
import { parseCvss2Vector } from 'vuln-vects';
console.log(parseCvss2Vector('CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N').baseScore); // Prints '5.0'.
Aside from this, the API is identical. There is a lot more you can do with the library aside from just the above. See Features for more details.
The library provides 4 main features: validation, scoring, rendering and mocking. If there's anything else you'd like to see, please consider opening an issue.
Validation of CVSS vectors of any currently supported version is possible. Convenience methods offer the simplest API for this:
import {
validateCvss2Vector,
validateCvss3Vector,
validateCvssVector
} from 'vuln-vects';
// Will be true on validation success, false on failure.
const isValidCvss2Vector = validateCvss2Vector('(AV:N/AC:L/Au:N/C:P/I:N/A:N)'); // For CVSS v2.
const isValidCvss3Vector = validateCvss3Vector('AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'); // For CVSS v3.x.
const isValidCvssVector = validateCvssVector('AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'); // Version-agnostic.
Validation, in this context, means that CVSS vectors must be both well-formed and contain all required fields. If a CVSS vector is not well-formed (e.g. is missing separators as in AV:NAC:LPR:NUI:NS:UC:NI:LA:N
) or does not contain all required fields to compute a score (e.g. does not contain a confidentiality impact as in AV:N/AC:L/PR:N/UI:N/S:U/I:L/A:N
) validation will fail.
To get more detail about exactly why a vector failed validation, you can use the scoring API. For CVSS v2 vectors for example:
import {
Cvss2VectorParser
} from 'vuln-vects';
const parser = new Cvss2VectorParser();
const scoringEngine = parser.generateScoringEngine('AV:N/AC:L/Au:N/C:P/I:N'); // Missing availability impact.
const isValid = scoringEngine.isValid(); // Will be true on validation success, false on failure.
const errors = scoringEngine.validate(); // Will return a list of human-readable validation errors.
Scoring CVSS vectors (i.e. converting them into a CVSS score from 1-10) is the most common use-case for the library, and as such has been designed to be very convenient to use via helper methods:
import {
parseCvss2Vector,
parseCvss3Vector,
parseCvssVector
} from 'vuln-vects';
// Will yield score objects.
const cvss2VectorScore = parseCvss2Vector('(AV:N/AC:L/Au:N/C:P/I:N/A:N)'); // For CVSS v2.
const cvss3VectorScore = parseCvss3Vector('AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'); // For CVSS v3.x.
const cvssVectorScore = parseCvssVector('AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'); // Version-agnostic.
// The resulting score objects contain several subscores, but you probably want base score or overall score.
console.log(cvss2VectorScore.baseScore);
console.log(cvss2VectorScore.overallScore);
Rendering CVSS vectors refers to the process of generating CVSS vector strings from a set of metrics. This is a bit more involved, but still not especially complex:
import {
Cvss2ScoringEngine,
Cvss2VectorRenderer,
Cvss2VectorPrefixOption,
cvss2, // Enums specific to CVSS v2.
} from 'vuln-vects';
// Set up and configure a scoring engine.
const scoringEngine = new Cvss2ScoringEngine();
scoringEngine.accessVector = cvss2.AccessVector.NETWORK;
scoringEngine.accessComplexity = cvss2.AccessComplexity.MEDIUM;
scoringEngine.authentication = cvss2.Authentication.NONE;
scoringEngine.confidentialityImpact = cvss2.Impact.NONE;
scoringEngine.integrityImpact = cvss2.AccessVector.COMPLETE;
scoringEngine.availabilityImpact = cvss2.AccessVector.NONE;
// Feed this to an appropriate vector renderer.
const vectorRenderer = new Cvss2VectorRenderer(Cvss2VectorPrefixOption.BRACKETED);
console.log(vectorRenderer.render(scoringEngine));
The ability to randomly generate (i.e. mock) CVSS vectors for use in unit testing application that consume them can be very useful. Convenience methods are provided for this purpose:
import {
randomCvss2Vector,
randomCvss3Vector,
Cvss2VectorPrefixOption
} from 'vuln-vects';
// Shows a random CVSS v2 and v3.x vector.
console.log(randomCvss2Vector());
console.log(randomCvss3Vector());
// Temporal/environmental scores and any valid prefixing scheme are supported:
console.log(randomCvss2Vector(true, true, Cvss2VectorPrefixOption.BRACKETED));
The main contributors to this project so far are as follows:
FAQs
A powerful, flexible CVSS parser, calculator and validator written for JavaScript/TypeScript.
We found that vuln-vects demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.