PHP Class for Calculating SCAP CVSS V2 Device Specific Score

Did I mention that I wasn’t a programmer? If you can make improvements to this code, I’d love to hear from you. This is my hackjob of code for doing what I need to do. Anyway, here’s my calculator. The DB call code will be in another post.

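/**
 * CVSS v2 calculator producing base, temporal and environmental
 * ("device specific") scores from already-weighted metric values.
 *
 * Every metric passed in is a numeric weight, not a metric letter: the
 * methods multiply the values directly. Mapping letters such as "AV:N" to
 * weights is the caller's job.
 */
class calculate_cvss {
	/**
	 * Runs the full CVSS v2 calculation for one finding, prints a debug
	 * summary as HTML and returns the overall score.
	 *
	 * Properties read from $cvssDetail: conf_impact, integ_impact,
	 * avail_impact, conf_req, integ_req, avail_req, access_complexity,
	 * authentication, access_vector, exploitability, remediation_level,
	 * report_confidence, collateral_damage_potential, target_distribution,
	 * plus cve_number, server and nist_cvss (display only).
	 *
	 * @param object $cvssDetail Record holding the numeric metric weights.
	 * @return string Overall score as a string.
	 */
	public function calculate($cvssDetail)
	{
		// Environmental branch: impact weighted by the security requirements.
		$adjustedImpact = $this->adjusted_impact(
			$cvssDetail->conf_impact,
			$cvssDetail->conf_req,
			$cvssDetail->integ_impact,
			$cvssDetail->integ_req,
			$cvssDetail->avail_impact,
			$cvssDetail->avail_req
		);
		$adjustedImpactFunction = $this->adjusted_impact_function($adjustedImpact);
		$exploitabilitySubScore = $this->exploitability_subscore(
			$cvssDetail->access_complexity,
			$cvssDetail->authentication,
			$cvssDetail->access_vector
		);
		$adjustedBaseScore = $this->adjusted_base_score($adjustedImpact, $exploitabilitySubScore, $adjustedImpactFunction);
		$adjustedTemporalScore = $this->adjusted_temporal_score(
			$adjustedBaseScore,
			$cvssDetail->exploitability,
			$cvssDetail->remediation_level,
			$cvssDetail->report_confidence
		);
		$adjustedTemporalScore = round($adjustedTemporalScore, 1);
		// NOTE(review): the CVSS v2 equations round the environmental and
		// temporal scores to one decimal as well; this code leaves both
		// unrounded. Confirm whether callers expect the raw value.
		$environmentalScore = $this->environmental_score(
			$adjustedTemporalScore,
			$cvssDetail->collateral_damage_potential,
			$cvssDetail->target_distribution
		);

		// Base / temporal branch: unadjusted impact.
		$impact = $this->impact($cvssDetail->conf_impact, $cvssDetail->integ_impact, $cvssDetail->avail_impact);
		$impact = round($impact, 1);
		$impactFunction = $this->impact_function($impact);
		$baseScore = $this->base_score($impact, $exploitabilitySubScore, $impactFunction);
		$baseScore = round($baseScore, 1);
		$temporalScore = $this->temporal_score(
			$baseScore,
			$cvssDetail->exploitability,
			$cvssDetail->remediation_level,
			$cvssDetail->report_confidence
		);
		$overallScore = $this->overall_score($environmentalScore, $temporalScore, $baseScore);

		// Debug printing. Values taken from $cvssDetail are HTML-escaped:
		// they come from outside this class (presumably a database row), so
		// a hostile CVE id or server name must not be emitted as markup.
		print 'CVE Number: ' . $this->escape_html($cvssDetail->cve_number) . '<br />';
		print "Server:\t" . $this->escape_html($cvssDetail->server) . '<br />';
		print "Impact SubScore: $impact<br />";
		print "Exploitability SubScore: $exploitabilitySubScore<br />";
		print "CVSS Temporal Score: $temporalScore<br />";
		print "CVSS Environmental Score: $environmentalScore<br />";
		print "--Adjusted Temporal Score: $adjustedTemporalScore<br />";
		print '--Collateral Damage Potential: ' . $this->escape_html($cvssDetail->collateral_damage_potential) . '<br />';
		print '--Target Distribution: ' . $this->escape_html($cvssDetail->target_distribution) . '<br />';
		print 'NIST CVSS Score: ' . $this->escape_html($cvssDetail->nist_cvss) . '<br />';
		print "CVSS Base Score: $baseScore<br />";
		print "Overall CVSS Score: $overallScore<br />";

		return "$overallScore";
	}

	/**
	 * Escapes a value for the HTML debug output.
	 *
	 * @param mixed $value Value to print; cast to string first.
	 * @return string HTML-safe text.
	 */
	private function escape_html($value)
	{
		return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
	}

	/**
	 * CVSS v2 AdjustedImpact: the impact sub-score with each C/I/A impact
	 * weighted by its security requirement, capped at 10.
	 *
	 * @return float
	 */
	public function adjusted_impact($confImpact,$confReq,$integImpact,$integReq,$availImpact,$availReq)
	{
		$adjustedImpact = min(10, 10.41 * (1 - (1 - $confImpact * $confReq) * (1 - $integImpact * $integReq) * (1 - $availImpact * $availReq)));
		return $adjustedImpact;
	}

	/**
	 * CVSS v2 f(AdjustedImpact): 0 when the adjusted impact is zero,
	 * otherwise 1.176.
	 *
	 * The original condition was an assignment (`= 0`), which is always
	 * falsy, so the zero case could never be selected.
	 *
	 * @return int|float
	 */
	public function adjusted_impact_function($adjustedImpact)
	{
		if ((float) $adjustedImpact === 0.0)
		{
			return 0;
		}
		return 1.176;
	}

	/**
	 * CVSS v2 exploitability sub-score: 20 * AC * Au * AV.
	 *
	 * @return float
	 */
	public function exploitability_subscore($accessComplexity,$authentication,$accessVector)
	{
		$exploitabilitySubScore = 20 * $accessComplexity * $authentication * $accessVector;
		return $exploitabilitySubScore;
	}

	/**
	 * Base-score equation evaluated with the adjusted impact (unrounded).
	 *
	 * @return float
	 */
	public function adjusted_base_score($adjustedImpact,$exploitabilitySubScore,$adjustedImpactFunction)
	{
		$adjustedBaseScore = (0.6 * $adjustedImpact + 0.4 * $exploitabilitySubScore - 1.5) * $adjustedImpactFunction;
		return $adjustedBaseScore;
	}

	/**
	 * Temporal equation applied to the adjusted base score (unrounded).
	 *
	 * @return float
	 */
	public function adjusted_temporal_score($adjustedBaseScore,$exploitability,$remediationLevel,$reportConfidence)
	{
		$adjustedTemporalScore = $adjustedBaseScore * $exploitability * $remediationLevel * $reportConfidence;
		return $adjustedTemporalScore;
	}

	/**
	 * CVSS v2 environmental score from the adjusted temporal score,
	 * collateral damage potential and target distribution (unrounded).
	 *
	 * @return float
	 */
	public function environmental_score($adjustedTemporalScore,$collateralDamagePotential,$targetDistribution)
	{
		$environmentalScore = ($adjustedTemporalScore + (10 - $adjustedTemporalScore) * $collateralDamagePotential) * $targetDistribution;
		return $environmentalScore;
	}

	/**
	 * Picks the most specific score available: environmental, else
	 * temporal, else base. A score counts as unavailable when it is null.
	 *
	 * The original tested `defined($score)`, which looks up a *constant*
	 * named after the value; that is never true for a number, so the base
	 * score was always returned and the device-specific result discarded.
	 *
	 * @return mixed The selected score, unchanged.
	 */
	public function overall_score($environmentalScore,$temporalScore,$baseScore)
	{
		if ($environmentalScore !== null)
		{
			return $environmentalScore;
		}
		if ($temporalScore !== null)
		{
			return $temporalScore;
		}
		return $baseScore;
	}

	/**
	 * CVSS v2 impact sub-score: 10.41 * (1 - (1-C)(1-I)(1-A)).
	 *
	 * @return float
	 */
	public function impact($confImpact,$integImpact,$availImpact)
	{
		$impact = 10.41 * (1 - (1 - $confImpact) * (1 - $integImpact) * (1 - $availImpact));
		return $impact;
	}

	/**
	 * CVSS v2 f(Impact): 0 when the impact is zero, otherwise 1.176.
	 *
	 * The original condition was an assignment (`= 0`), so a finding with
	 * no C/I/A impact still received a non-zero base score.
	 *
	 * @return int|float
	 */
	public function impact_function($impact)
	{
		if ((float) $impact === 0.0)
		{
			return 0;
		}
		return 1.176;
	}

	/**
	 * CVSS v2 base-score equation (unrounded; calculate() rounds it).
	 *
	 * @return float
	 */
	public function base_score($impact,$exploitabilitySubScore,$impactFunction)
	{
		$baseScore = (.6 * $impact + .4 * $exploitabilitySubScore - 1.5) * $impactFunction;
		return $baseScore;
	}

	/**
	 * CVSS v2 temporal score: base * exploitability * remediation level *
	 * report confidence (unrounded).
	 *
	 * @return float
	 */
	public function temporal_score($baseScore,$exploitability,$remediationLevel,$reportConfidence)
	{
		$temporalScore = $baseScore * $exploitability * $remediationLevel * $reportConfidence;
		return $temporalScore;
	}
}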
