Merge pull request #3 from softrams/cvss-data

mkmurali · web-flow · commit 15601cf3cfdf · 2023-10-25T18:58:04.000-05:00
Update usage, addl cvss details
diff --git a/bin/index.js b/bin/index.js
@@ -105,7 +105,7 @@ async function checkCVSS(cveID) {
   }
 
   const cvssScoreV31 = data.vulnerabilities[0].cve.metrics.cvssMetricV31;
-  return cvssScoreV31 ? cvssScoreV31[0].cvssData : null;
+  return cvssScoreV31 ? cvssScoreV31[0] : null;
 }
 
 async function audit(
@@ -167,10 +167,12 @@ async function audit(
   if (!cvssScoreV31) {
     console.log(` No CVSS score found for CVE ${cveID}\n`);
   } else {
-    const { baseScore, baseSeverity } = cvssScoreV31;
-    console.log(` CVSS v3.1 Base Score: ${baseScore} (${baseSeverity})\n`);
+    const { exploitabilityScore, impactScore } = cvssScoreV31;
+    const { baseScore, baseSeverity } = cvssScoreV31.cvssData;
+    console.log(` CVSS v3.1 Base Score: ${baseScore} (${baseSeverity}) 
+                \n\t Exploitability Score: ${exploitabilityScore} Impact Score : ${impactScore} \n`);
 
-    // If CVSS score is above threshold, fail the audit
+    // If CVSS score is above threshold, fail the audiat
     if (Number(score) > 0.0 && parseFloat(baseScore) > score) {
       console.warn(
         ` CVSS v3.1 Base Score is above threshold of ${score}. Failing the audit.\n`
@@ -187,13 +189,13 @@ async function audit(
     const options = yargs
       .scriptName("cve-risk-scores")
       .usage(
-        "Usage: $0 <CVE-NUMBER> [-v|--verbose] [-r|--refresh] [-f|--fail-on-past-duedate] [-t|--threshold]"
+        "Usage: $0 <CVE-NUMBER> [-v|--verbose] [-r|--refresh] [-f|--fail-on-past-duedate] [-t|--threshold] [-s|--score] "
       )
       .option("v", {
         alias: "verbose",
         describe: "Verbose output",
       })
-      .option("r", { alias: "refresh", describe: "Refresh EPSS scores" })
+      .option("r", { alias: "refresh", describe: "Refresh EPSS, KEV data" })
       .option("f", {
         alias: "fail-on-past-duedate",
         describe: "Fail on past CISA KVE due date",
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "cve-risk-scores",
-  "version": "0.0.3",
+  "version": "0.0.4",
   "description": "Check risk scores for CVEs",
   "main": "bin/index.js",
   "bin": {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "cve-risk-scores",`
`3`		`- "version": "0.0.3",`
	`3`	`+ "version": "0.0.4",`
`4`	`4`	`"description": "Check risk scores for CVEs",`
`5`	`5`	`"main": "bin/index.js",`
`6`	`6`	`"bin": {`