
CVSS v4 calculator

Open felix-caboff opened this issue 2 years ago • 10 comments

Is your feature request related to a problem? Please describe.
The current in-built calculator is for version 3.x of CVSS. There seem to be a lot of good improvements made in v4.0, which has just been released.

Describe the solution you'd like
Can we please convert to v4.0?

Describe alternatives you've considered
Perhaps we should consider allowing the system owner to choose which version they want to use?

Additional context
See the new FIRST calculator here

felix-caboff avatar Nov 02 '23 11:11 felix-caboff

We can look into this. Changing the calculator is a significant change, so it's not something that can be done too easily. The feature was originally a community contribution. The person who did it used this version of CVSS v3. There's a recent PR for expanding the CVSS v3 calculator. I'd like to add an option for CVSS v4, but it would have to be an option for people to pick v3 or v4. I'm not sure when that will be possible, but maybe sometime in 2024.

chrismaddalena avatar Nov 09 '23 20:11 chrismaddalena

Just preventing this from going stale. Latest is in this https://github.com/GhostManager/Ghostwriter/pull/387. Really sorry I haven't had a chance to review it yet - I'm not really set up for dev etc and I have precious little spare work time.

felix-caboff avatar Jun 17 '24 07:06 felix-caboff

Hi all, this might help. On all Finding edit views (ReportFindingLink and Finding) a CVSSv4 tab is displayed in the "CVSS Calculator" dropdown. This is essentially an iframe that displays the prebuilt vue.js application by FIRST.org (https://github.com/FIRSTdotorg/cvss-v4-calculator).

There is also some custom JS to extract the vector and CVSS score from this iframe.

I think this is the best way of implementing a user's choice between CVSS Calculators. It's probably best if a CVSSv3.1 calculator is added as a tab in another pull request.

domwhewell-sage avatar Jun 17 '24 11:06 domwhewell-sage
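
As an added illustration for the comment above (not code from the Ghostwriter pull request or from FIRST.org): a vector string read out of an embedded calculator is untrusted input, so it can be checked before it is stored on a finding. The function names are hypothetical; the base metric names and values are those of CVSS v4.0, and any metrics after the base group are only shape-checked here.

```javascript
// Added example. Mandatory CVSS v4.0 base metrics, in the order the
// specification requires, each with its allowed single-letter values.
const V4_BASE = [
  ["AV", "NALP"], ["AC", "LH"], ["AT", "NP"], ["PR", "NLH"], ["UI", "NPA"],
  ["VC", "HLN"], ["VI", "HLN"], ["VA", "HLN"],
  ["SC", "HLN"], ["SI", "HLN"], ["SA", "HLN"],
];

// Returns "3.0", "3.1" or "4.0" from the vector prefix, or null if the
// prefix is missing or unknown. Useful for choosing the calculator tab.
function cvssVersion(vector) {
  const m = /^CVSS:(3\.0|3\.1|4\.0)\//.exec(String(vector));
  return m ? m[1] : null;
}

// Hypothetical helper: strict check of a v4.0 vector. Base metrics must be
// present, ordered and drawn from the allowed values. Later (threat,
// environmental, supplemental) metrics are only checked for NAME:Value shape.
function parseCvss4Vector(vector) {
  if (cvssVersion(vector) !== "4.0") {
    return { ok: false, error: "not a CVSS:4.0 vector" };
  }
  const parts = String(vector).split("/").slice(1);
  if (parts.length < V4_BASE.length) {
    return { ok: false, error: "missing base metrics" };
  }
  const base = {};
  for (let i = 0; i < V4_BASE.length; i++) {
    const [name, allowed] = V4_BASE[i];
    const [key, value, ...rest] = parts[i].split(":");
    const valid = key === name && rest.length === 0 &&
      typeof value === "string" && value.length === 1 && allowed.includes(value);
    if (!valid) {
      return { ok: false, error: `bad metric at position ${i + 1}` };
    }
    base[name] = value;
  }
  const extra = parts.slice(V4_BASE.length);
  if (!extra.every((p) => /^[A-Z]{1,3}:[A-Za-z]{1,5}$/.test(p))) {
    return { ok: false, error: "malformed optional metric" };
  }
  return { ok: true, base, extra };
}

// Constructed sample input.
const sample = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N";
console.log(cvssVersion(sample), parseCvss4Vector(sample).ok);
```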

No problem @felix-caboff! Everyone is busy, but this hasn't been forgotten. Feedback and testing will be very welcome whenever someone has the time.

chrismaddalena avatar Jun 17 '24 22:06 chrismaddalena

> I think this is the best way of implementing a user's choice between CVSS Calculators. It's probably best if a CVSSv3.1 calculator is added as a tab in another pull request.

@domwhewell-sage just a thought for you. My understanding is that the difference between CVSSv3.0 and CVSSv3.1 is not a mechanics change, but a wording clarification, and that the two versions essentially operate the same. I appreciate this is an oversimplification, but I wonder how much demand there will actually be for two sub-versions of CVSSv3? Adding the extra may not be worth any time at all. Happy in any case, just wanted to raise this in case it became complex.

felix-caboff avatar Jul 01 '24 09:07 felix-caboff

Hi @felix-caboff, I think there are some slight mechanics changes in the "Impact Sub-formula" in the Environmental Metric Group but other than that the majority of the changes are restructuring and wording changes.

I already have a private fork which is using CVSSv3.1, so if there is enough demand for it I can quickly whip up a new tab pointing to that JS calculator (granted, it is not as easy as CVSSv4.0 with the iframe).

domwhewell-sage avatar Jul 01 '24 10:07 domwhewell-sage

What can I do to help move this pull request along?

domwhewell-sage avatar Aug 16 '24 10:08 domwhewell-sage