Add library to validate and score CVSS string

Author: TristanCacqueray

code/cvss/cvss.cabal

@@ -0,0 +1,41 @@
+cabal-version:   2.4
+name:            cvss
+version:         0.1
+synopsis:        Common Vulnerability Scoring System.
+description:
+  Use this library to parse CVSS string and compute its score.
+
+license:         BSD-3-Clause
+author:          Tristan de Cacqueray
+maintainer:      [email protected]
+category:        Data
+extra-doc-files: CHANGELOG.md
+tested-with:     GHC ==8.10.7 || ==9.0.2 || ==9.2.7 || ==9.4.5 || ==9.6.2
+
+library
+  exposed-modules:  Security.CVSS
+  build-depends:
+    , base  >=4.14 && <5
+    , text  >=1.2  && <2
+
+  hs-source-dirs:   src
+  default-language: Haskell2010
+  ghc-options:
+    -Wall -Wcompat -Widentities -Wincomplete-record-updates
+    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints
+
+test-suite spec
+  type:             exitcode-stdio-1.0
+  hs-source-dirs:   test
+  main-is:          Spec.hs
+  build-depends:
+    , base         <5
+    , cvss
+    , tasty        <1.5
+    , tasty-hunit  <1.0
+    , text
+
+  default-language: Haskell2010
+  ghc-options:
+    -Wall -Wcompat -Widentities -Wincomplete-record-updates
+    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints

code/cvss/src/Security/CVSS.hs

@@ -0,0 +1,289 @@
+{-# LANGUAGE ImportQualifiedPost #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+
+{- | This module provides a CVSS parser and utility functions
+ adapted from https://www.first.org/cvss/v3.1/specification-document
+-}
+module Security.CVSS (
+    -- * Type
+    CVSS,
+    Rating (..),
+    parseCVSS,
+
+    -- * Helpers
+    cvssScore,
+    cvssInfo,
+) where
+
+import Data.Foldable (traverse_)
+import Data.List (find, group, sort)
+import Data.Maybe (mapMaybe)
+import Data.Text (Text)
+import Data.Text qualified as Text
+import GHC.Float (powerFloat)
+
+data CVSSVersion = CVSS31
+
+-- | Parsed CVSS string obtained with 'parseCVSS'
+data CVSS = CVSS
+    { cvssVersion :: CVSSVersion
+    , cvssMetrics :: [Metric]
+    -- ^ The metrics are stored as provided by the user
+    }
+
+-- | CVSS Rating obtained with 'cvssScore'
+data Rating = None | Low | Medium | High | Critical
+    deriving (Enum, Eq, Ord, Show)
+
+toRating :: Float -> Rating
+toRating score
+    | score <= 0 = None
+    | score <= 3.9 = Low
+    | score <= 6.9 = Medium
+    | score <= 8.9 = High
+    | otherwise = Critical
+
+type Metric = (Text, Char)
+
+-- example CVSS string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
+
+-- | Parse a CVSS string.
+parseCVSS :: Text -> Either Text CVSS
+parseCVSS txt
+    | "CVSS:3.1/" `Text.isPrefixOf` txt = parseCVSS31
+    | otherwise = Left "Unknown CVSS version"
+  where
+    parseCVSS31 =
+        CVSS CVSS31 <$> do
+            metrics <- traverse splitComponent components
+            validateCvss31 metrics
+
+    components = drop 1 $ Text.split (== '/') txt
+    splitComponent :: Text -> Either Text Metric
+    splitComponent componentTxt = case Text.unsnoc componentTxt of
+        Nothing -> Left "Empty component"
+        Just (rest, c) -> case Text.unsnoc rest of
+            Just (name, ':') -> Right (name, c)
+            _ -> Left "Expected :"
+
+-- | Compute the base score.
+cvssScore :: CVSS -> (Rating, Float)
+cvssScore cvss = case cvssVersion cvss of
+    CVSS31 -> cvss31score (cvssMetrics cvss)
+
+-- | Explain the CVSS metrics.
+cvssInfo :: CVSS -> [Text]
+cvssInfo cvss = case cvssVersion cvss of
+    CVSS31 -> cvss31info (cvssMetrics cvss)
+
+-- | Description of a metric group.
+data MetricGroup = MetricGroup
+    { mgName :: Text
+    , mgMetrics :: [MetricInfo]
+    }
+
+-- | Description of a single metric.
+data MetricInfo = MetricInfo
+    { miName :: Text
+    , miShortName :: Text
+    , miRequired :: Bool
+    , miValues :: [MetricValue]
+    }
+
+-- | Description of a single metric value
+data MetricValue = MetricValue
+    { mvName :: Text
+    , mvChar :: Char
+    , mvNum :: Float
+    , mvNumChangedScope :: Maybe Float
+    , mvDesc :: Text
+    }
+
+-- | CVSS3.1 metrics pulled from section 2. "Base Metrics" and section section 7.4. "Metric Values"
+cvss31 :: [MetricGroup]
+cvss31 =
+    [ MetricGroup "Base" baseMetrics
+    , MetricGroup "Temporal" temporalMetrics
+    , MetricGroup "Environmental" environmentalMetrics
+    ]
+  where
+    baseMetrics =
+        [ MetricInfo
+            "Attack Vector"
+            "AV"
+            True
+            [ MetricValue "Network" 'N' 0.85 Nothing "The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet."
+            , MetricValue "Adjacent" 'A' 0.62 Nothing "The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology."
+            , MetricValue "Local" 'L' 0.55 Nothing "The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities."
+            , MetricValue "Physical" 'P' 0.2 Nothing "The attack requires the attacker to physically touch or manipulate the vulnerable component."
+            ]
+        , MetricInfo
+            "Attack Complexity"
+            "AC"
+            True
+            [ MetricValue "Low" 'L' 0.77 Nothing "Specialized access conditions or extenuating circumstances do not exist."
+            , MetricValue "High" 'H' 0.44 Nothing "A successful attack depends on conditions beyond the attacker's control."
+            ]
+        , MetricInfo
+            "Privileges Required"
+            "PR"
+            True
+            [ MetricValue "None" 'N' 0.85 Nothing "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack."
+            , MetricValue "Low" 'L' 0.62 (Just 0.68) "The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user."
+            , MetricValue "High" 'H' 0.27 (Just 0.5) "The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files."
+            ]
+        , MetricInfo
+            "User Interaction"
+            "UI"
+            True
+            [ MetricValue "None" 'N' 0.85 Nothing "The vulnerable system can be exploited without interaction from any user."
+            , MetricValue "Required" 'R' 0.62 Nothing "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+            ]
+        , MetricInfo
+            "Scope"
+            "S"
+            True
+            [ -- Note: not defined as contants in specification
+              MetricValue "Unchanged" 'U' Unchanged Nothing "An exploited vulnerability can only affect resources managed by the same security authority."
+            , MetricValue "Changed" 'C' Changed Nothing "An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component."
+            ]
+        , MetricInfo
+            "Confidentiality Impact"
+            "C"
+            True
+            [ mkHigh "There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker."
+            , mkLow "There is some loss of confidentiality."
+            , mkNone "There is no loss of confidentiality within the impacted component."
+            ]
+        , MetricInfo
+            "Integrity Impact"
+            "I"
+            True
+            [ mkHigh "There is a total loss of integrity, or a complete loss of protection."
+            , mkLow "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited."
+            , mkNone "There is no loss of integrity within the impacted component."
+            ]
+        , MetricInfo
+            "Availability Impact"
+            "A"
+            True
+            [ mkHigh "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component"
+            , mkLow "Performance is reduced or there are interruptions in resource availability."
+            , mkNone "There is no impact to availability within the impacted component."
+            ]
+        ]
+    mkHigh = MetricValue "High" 'H' 0.56 Nothing
+    mkLow = MetricValue "Low" 'L' 0.22 Nothing
+    mkNone = MetricValue "None" 'N' 0 Nothing
+    -- TODOs
+    temporalMetrics = []
+    environmentalMetrics = []
+
+pattern Unchanged :: Float
+pattern Unchanged = 6.42
+pattern Changed :: Float
+pattern Changed = 7.52
+
+cvss31info :: [Metric] -> [Text]
+cvss31info = map showMetricInfo
+  where
+    showMetricInfo metric = case mapMaybe (getInfo metric) cvss31 of
+        [(mg, mi, mv)] ->
+            mconcat [mgName mg, " ", miName mi, ": ", mvName mv, " (", mvDesc mv, ")"]
+        _ -> error $ "The impossible have happened for " <> show metric
+    getInfo (name, value) mg = do
+        mi <- find (\mi -> miShortName mi == name) (mgMetrics mg)
+        mv <- find (\mv -> mvChar mv == value) (miValues mi)
+        pure (mg, mi, mv)
+
+allMetrics :: [MetricInfo]
+allMetrics = concatMap mgMetrics cvss31
+
+roundup :: Float -> Float
+roundup input
+    | int_input `mod` 10000 == 0 = fromIntegral int_input / 100000
+    | otherwise = (fromIntegral (floor_int (fromIntegral int_input / 10000)) + 1) / 10
+  where
+    floor_int :: Float -> Int
+    floor_int = floor
+    int_input :: Int
+    int_input = round (input * 100000)
+
+-- | Implementation of section 7.1. Base Metrics Equations
+cvss31score :: [Metric] -> (Rating, Float)
+cvss31score metrics = (toRating score, score)
+  where
+    iss = 1 - (1 - gm "Confidentiality Impact") * (1 - gm "Integrity Impact") * (1 - gm "Availability Impact")
+    impact
+        | scope == Unchanged = scope * iss
+        | otherwise = scope * (iss - 0.029) - 3.25 * powerFloat (iss - 0.02) 15
+    exploitability = 8.22 * gm "Attack Vector" * gm "Attack Complexity" * gm "Privileges Required" * gm "User Interaction"
+    score
+        | impact <= 0 = 0
+        | scope == Unchanged = roundup (min (impact + exploitability) 10)
+        | otherwise = roundup (min (1.08 * (impact + exploitability)) 10)
+    scope = gm "Scope"
+
+    gm :: Text -> Float
+    gm name = case getMetric name of
+        Nothing -> error $ "The impossible have happened, unknown metric: " <> Text.unpack name
+        Just v -> v
+    getMetric :: Text -> Maybe Float
+    getMetric name = do
+        mi <- find (\mi -> miName mi == name) allMetrics
+        valueChar <- lookup (miShortName mi) metrics
+        mv <- find (\mv -> mvChar mv == valueChar) (miValues mi)
+        pure $ case mvNumChangedScope mv of
+            Just value | scope /= Unchanged -> value
+            _ -> mvNum mv
+
+validateCvss31 :: [Metric] -> Either Text [Metric]
+validateCvss31 metrics = do
+    traverse_ (\t -> t metrics) [validateUnique, validateKnown, validateRequired]
+    pure metrics
+
+{- | Check for duplicates metric
+
+ >>> validateUnique [("AV", 'N'), ("AC", 'L'), ("AV", 'L')]
+ Left "Duplicated \"AV\""
+-}
+validateUnique :: [Metric] -> Either Text ()
+validateUnique = traverse_ checkDouble . group . sort . map fst
+  where
+    checkDouble [] = error "The impossible have happened"
+    checkDouble [_] = pure ()
+    checkDouble (n : _) = Left $ "Duplicated \"" <> n <> "\""
+
+{- | Check for unknown metric
+
+ >>> validateKnown [("AV", 'M')]
+ Left "Unknown value: 'M'"
+
+ >>> validateKnown [("AW", 'L')]
+ Left "Unknown metric: \"AW\""
+-}
+validateKnown :: [Metric] -> Either Text ()
+validateKnown = traverse_ checkKnown
+  where
+    checkKnown (name, value) = do
+        mi <- case find (\mi -> miShortName mi == name) allMetrics of
+            Nothing -> Left $ "Unknown metric: \"" <> name <> "\""
+            Just m -> pure m
+        case find (\mv -> mvChar mv == value) (miValues mi) of
+            Nothing -> Left $ "Unknown value: '" <> Text.pack (show value) <> "'"
+            Just _ -> pure ()
+
+{- | Check for required metric
+
+ >>> validateRequired []
+ Left "Missing \"Attack Vector\""
+-}
+validateRequired :: [Metric] -> Either Text ()
+validateRequired metrics = traverse_ checkRequired allMetrics
+  where
+    checkRequired mi
+        | miRequired mi
+        , Nothing <- lookup (miShortName mi) metrics =
+            Left $ "Missing \"" <> miName mi <> "\""
+        | otherwise = pure ()

code/cvss/test/Spec.hs

@@ -0,0 +1,24 @@
+{-# LANGUAGE OverloadedStrings #-}
+
+module Main where
+
+import Control.Monad
+import Data.Text (Text, unpack)
+import qualified Security.CVSS as CVSS
+import Test.Tasty
+import Test.Tasty.HUnit
+
+main :: IO ()
+main = defaultMain $
+    testCase "Security.CVSS" $ do
+        forM_ examples $ \(cvssString, score, rating) -> do
+            case CVSS.parseCVSS cvssString of
+                Left e -> assertFailure (unpack e)
+                Right cvss -> CVSS.cvssScore cvss @?= (rating, score)
+
+examples :: [(Text, Float, CVSS.Rating)]
+examples =
+    [ ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", 5.8, CVSS.Medium)
+    , ("CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", 6.4, CVSS.Medium)
+    , ("CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", 3.1, CVSS.Low)
+    ]