using System.Text.Json.Serialization;
namespace StellaOps.Policy.Scoring;
/// <summary>
/// CVSS v4.0 Base metric group - Exploitability and impact metrics.
/// Per FIRST CVSS v4.0 Specification Document.
/// Every metric is <c>required</c>, so a base vector with a missing metric cannot be constructed in code.
/// JSON property names are the lower-cased spec abbreviations ("av", "ac", ...); values are serialized by
/// enum member name ("Network"), not by the vector-string letter ("N").
/// NOTE(review): System.Text.Json enforces <c>required</c> members on deserialization only from .NET 7 onward;
/// on an older target a missing property would silently take the enum default (member 0, e.g. AV:Network,
/// AC:Low), which is the most severe value for several metrics - confirm the target framework.
/// NOTE(review): the enum converters on these property types accept integer JSON values by default and do not
/// reject out-of-range integers; code that parses untrusted input should validate each value with Enum.IsDefined.
/// </summary>
public sealed record CvssBaseMetrics
{
    /// <summary>Attack Vector (AV) - Mandatory. How the vulnerable system can be reached.</summary>
    [JsonPropertyName("av")]
    public required AttackVector AttackVector { get; init; }

    /// <summary>Attack Complexity (AC) - Mandatory.</summary>
    [JsonPropertyName("ac")]
    public required AttackComplexity AttackComplexity { get; init; }

    /// <summary>Attack Requirements (AT) - Mandatory. Deployment/execution preconditions outside the attacker's control.</summary>
    [JsonPropertyName("at")]
    public required AttackRequirements AttackRequirements { get; init; }

    /// <summary>Privileges Required (PR) - Mandatory.</summary>
    [JsonPropertyName("pr")]
    public required PrivilegesRequired PrivilegesRequired { get; init; }

    /// <summary>User Interaction (UI) - Mandatory.</summary>
    [JsonPropertyName("ui")]
    public required UserInteraction UserInteraction { get; init; }

    // Vulnerable System impacts (VC/VI/VA): effects on the system that contains the vulnerability.

    /// <summary>Vulnerable System Confidentiality (VC) - Mandatory.</summary>
    [JsonPropertyName("vc")]
    public required ImpactMetricValue VulnerableSystemConfidentiality { get; init; }

    /// <summary>Vulnerable System Integrity (VI) - Mandatory.</summary>
    [JsonPropertyName("vi")]
    public required ImpactMetricValue VulnerableSystemIntegrity { get; init; }

    /// <summary>Vulnerable System Availability (VA) - Mandatory.</summary>
    [JsonPropertyName("va")]
    public required ImpactMetricValue VulnerableSystemAvailability { get; init; }

    // Subsequent System impacts (SC/SI/SA): effects on systems beyond the vulnerable one.
    // The same ImpactMetricValue type is reused here; the Safety (S) value exists only in the
    // environmental ModifiedSubsequentImpact enum, matching the v4.0 spec.

    /// <summary>Subsequent System Confidentiality (SC) - Mandatory.</summary>
    [JsonPropertyName("sc")]
    public required ImpactMetricValue SubsequentSystemConfidentiality { get; init; }

    /// <summary>Subsequent System Integrity (SI) - Mandatory.</summary>
    [JsonPropertyName("si")]
    public required ImpactMetricValue SubsequentSystemIntegrity { get; init; }

    /// <summary>Subsequent System Availability (SA) - Mandatory.</summary>
    [JsonPropertyName("sa")]
    public required ImpactMetricValue SubsequentSystemAvailability { get; init; }
}
/// <summary>
/// CVSS v4.0 Threat metric group.
/// All members are optional; an instance constructed with no values represents "no threat information".
/// No invariant between <see cref="ObservedAt"/> and <see cref="ExpiresAt"/> is enforced by this type
/// (ExpiresAt may precede ObservedAt), so consumers must check expiry themselves.
/// </summary>
public sealed record CvssThreatMetrics
{
    /// <summary>
    /// Exploit Maturity (E) - Optional, defaults to Not Defined.
    /// NOTE(review): per the v4.0 spec, Not Defined (X) is scored as Attacked (A), i.e. the worst case,
    /// so leaving this unset never lowers a score - confirm the scoring implementation applies that rule.
    /// </summary>
    [JsonPropertyName("e")]
    public ExploitMaturity ExploitMaturity { get; init; } = ExploitMaturity.NotDefined;

    /// <summary>When the threat signal was last observed (UTC). Not validated against <see cref="ExpiresAt"/>.</summary>
    [JsonPropertyName("observedAt")]
    public DateTimeOffset? ObservedAt { get; init; }

    /// <summary>When this threat signal should expire. Null means no expiry is recorded.</summary>
    [JsonPropertyName("expiresAt")]
    public DateTimeOffset? ExpiresAt { get; init; }

    /// <summary>
    /// Source of threat intelligence (kev, epss, internal).
    /// Free-form; the listed values are a convention, nothing in this type restricts the string.
    /// </summary>
    [JsonPropertyName("source")]
    public string? Source { get; init; }
}
/// <summary>
/// CVSS v4.0 Environmental metric group - Modified base metrics for specific environments.
/// Every property is nullable AND its enum type has a NotDefined member, so "not defined" can arrive in
/// two shapes (a JSON null / absent property, or the string "NotDefined"). Scoring code must treat both
/// identically; neither form is normalized here.
/// </summary>
public sealed record CvssEnvironmentalMetrics
{
    /// <summary>Modified Attack Vector (MAV). Null or NotDefined leaves the base AV in effect.</summary>
    [JsonPropertyName("mav")]
    public ModifiedAttackVector? ModifiedAttackVector { get; init; }

    /// <summary>Modified Attack Complexity (MAC).</summary>
    [JsonPropertyName("mac")]
    public ModifiedAttackComplexity? ModifiedAttackComplexity { get; init; }

    /// <summary>Modified Attack Requirements (MAT).</summary>
    [JsonPropertyName("mat")]
    public ModifiedAttackRequirements? ModifiedAttackRequirements { get; init; }

    /// <summary>Modified Privileges Required (MPR).</summary>
    [JsonPropertyName("mpr")]
    public ModifiedPrivilegesRequired? ModifiedPrivilegesRequired { get; init; }

    /// <summary>Modified User Interaction (MUI).</summary>
    [JsonPropertyName("mui")]
    public ModifiedUserInteraction? ModifiedUserInteraction { get; init; }

    /// <summary>Modified Vulnerable System Confidentiality (MVC).</summary>
    [JsonPropertyName("mvc")]
    public ModifiedImpactMetricValue? ModifiedVulnerableSystemConfidentiality { get; init; }

    /// <summary>Modified Vulnerable System Integrity (MVI).</summary>
    [JsonPropertyName("mvi")]
    public ModifiedImpactMetricValue? ModifiedVulnerableSystemIntegrity { get; init; }

    /// <summary>Modified Vulnerable System Availability (MVA).</summary>
    [JsonPropertyName("mva")]
    public ModifiedImpactMetricValue? ModifiedVulnerableSystemAvailability { get; init; }

    // MSC deliberately uses ModifiedImpactMetricValue (no Safety value), while MSI/MSA use
    // ModifiedSubsequentImpact, which adds Safety (S); this matches the v4.0 spec, where Safety
    // applies only to subsequent-system integrity and availability.

    /// <summary>Modified Subsequent System Confidentiality (MSC).</summary>
    [JsonPropertyName("msc")]
    public ModifiedImpactMetricValue? ModifiedSubsequentSystemConfidentiality { get; init; }

    /// <summary>Modified Subsequent System Integrity (MSI). May be set to Safety.</summary>
    [JsonPropertyName("msi")]
    public ModifiedSubsequentImpact? ModifiedSubsequentSystemIntegrity { get; init; }

    /// <summary>Modified Subsequent System Availability (MSA). May be set to Safety.</summary>
    [JsonPropertyName("msa")]
    public ModifiedSubsequentImpact? ModifiedSubsequentSystemAvailability { get; init; }

    // Security requirements (CR/IR/AR): how much the deploying organisation values each property
    // of the vulnerable system; they weight the modified impact metrics.

    /// <summary>Confidentiality Requirement (CR).</summary>
    [JsonPropertyName("cr")]
    public SecurityRequirement? ConfidentialityRequirement { get; init; }

    /// <summary>Integrity Requirement (IR).</summary>
    [JsonPropertyName("ir")]
    public SecurityRequirement? IntegrityRequirement { get; init; }

    /// <summary>Availability Requirement (AR).</summary>
    [JsonPropertyName("ar")]
    public SecurityRequirement? AvailabilityRequirement { get; init; }
}
/// <summary>
/// CVSS v4.0 Supplemental metric group - Additional context metrics that do not affect scoring.
/// All properties are optional (null = not supplied). As with the environmental group, each enum type also
/// carries a NotDefined member, so consumers should treat null and NotDefined alike.
/// </summary>
public sealed record CvssSupplementalMetrics
{
    /// <summary>Safety (S) - Does the vulnerability affect human safety?</summary>
    [JsonPropertyName("s")]
    public Safety? Safety { get; init; }

    /// <summary>Automatable (AU) - Can the vulnerability be exploited automatically?</summary>
    [JsonPropertyName("au")]
    public Automatable? Automatable { get; init; }

    /// <summary>Recovery (R) - What is the recovery capability?</summary>
    [JsonPropertyName("r")]
    public Recovery? Recovery { get; init; }

    /// <summary>Value Density (V) - Resource density of the vulnerable system.</summary>
    [JsonPropertyName("v")]
    public ValueDensity? ValueDensity { get; init; }

    /// <summary>Vulnerability Response Effort (RE) - Effort required to respond.</summary>
    [JsonPropertyName("re")]
    public ResponseEffort? VulnerabilityResponseEffort { get; init; }

    /// <summary>Provider Urgency (U) - Urgency as assessed by the provider.</summary>
    [JsonPropertyName("u")]
    public ProviderUrgency? ProviderUrgency { get; init; }
}
#region Base Metric Enums
/// <summary>
/// Attack Vector (AV) values per CVSS v4.0.
/// Serialized by member name ("Network"), not by the vector-string letter. Underlying values are pinned
/// explicitly because <see cref="JsonStringEnumConverter"/> also accepts integer JSON values by default;
/// pinning keeps that integer form stable if members are ever reordered.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum AttackVector
{
    /// <summary>Network (N) - Remotely exploitable; the most exposed value.</summary>
    Network = 0,

    /// <summary>Adjacent (A) - Attacker must share the network segment.</summary>
    Adjacent = 1,

    /// <summary>Local (L) - Local access to the vulnerable system required.</summary>
    Local = 2,

    /// <summary>Physical (P) - Physical access required.</summary>
    Physical = 3,
}
/// <summary>
/// Attack Complexity (AC) values per CVSS v4.0. Serialized by member name; values pinned explicitly.
/// Note that member 0 (Low) is the more severe value, so an enum default is not a "safe" default.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum AttackComplexity
{
    /// <summary>Low (L) - No specialized conditions needed to exploit.</summary>
    Low = 0,

    /// <summary>High (H) - Attacker must overcome specialized conditions (e.g. defeat a mitigation).</summary>
    High = 1,
}
/// <summary>
/// Attack Requirements (AT) values per CVSS v4.0. Serialized by member name; values pinned explicitly.
/// Member 0 (None) is the more severe value.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum AttackRequirements
{
    /// <summary>None (N) - No deployment or execution preconditions required.</summary>
    None = 0,

    /// <summary>Present (P) - Preconditions outside the attacker's control must exist.</summary>
    Present = 1,
}
/// <summary>
/// Privileges Required (PR) values per CVSS v4.0. Serialized by member name; values pinned explicitly.
/// Member 0 (None) is the most severe value.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum PrivilegesRequired
{
    /// <summary>None (N) - Unauthenticated / no privileges needed.</summary>
    None = 0,

    /// <summary>Low (L) - Basic user-level privileges needed.</summary>
    Low = 1,

    /// <summary>High (H) - Administrative or otherwise elevated privileges needed.</summary>
    High = 2,
}
/// <summary>
/// User Interaction (UI) values per CVSS v4.0. Serialized by member name; values pinned explicitly.
/// Member 0 (None) is the most severe value.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum UserInteraction
{
    /// <summary>None (N) - No user interaction required.</summary>
    None = 0,

    /// <summary>Passive (P) - Involuntary user action (the user need not recognise the attack).</summary>
    Passive = 1,

    /// <summary>Active (A) - Conscious user action required.</summary>
    Active = 2,
}
/// <summary>
/// Impact metric values (None/Low/High) per CVSS v4.0, shared by VC/VI/VA and SC/SI/SA.
/// Serialized by member name; values pinned explicitly. Although the integer order happens to follow
/// severity here, scoring must use the spec lookup tables rather than comparing integers.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ImpactMetricValue
{
    /// <summary>None (N) - No impact.</summary>
    None = 0,

    /// <summary>Low (L) - Limited impact.</summary>
    Low = 1,

    /// <summary>High (H) - Serious impact.</summary>
    High = 2,
}
#endregion
#region Threat Metric Enums
/// <summary>
/// Exploit Maturity (E) values per CVSS v4.0. Serialized by member name; values pinned explicitly.
/// The integer order does NOT follow severity (the spec ranks Attacked &gt; ProofOfConcept &gt; Unreported),
/// so never compare members numerically.
/// NOTE(review): per the v4.0 spec, NotDefined is scored as Attacked - confirm the scorer applies that.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ExploitMaturity
{
    /// <summary>Not Defined (X) - Not assessed.</summary>
    NotDefined = 0,

    /// <summary>Attacked (A) - Exploitation reported in the wild.</summary>
    Attacked = 1,

    /// <summary>Proof of Concept (P) - Public proof-of-concept exists, no attacks reported.</summary>
    ProofOfConcept = 2,

    /// <summary>Unreported (U) - No public exploit code and no reports of attacks.</summary>
    Unreported = 3,
}
#endregion
#region Environmental Metric Enums (Modified versions)
/// <summary>
/// Modified Attack Vector (MAV) values. Serialized by member name; values pinned explicitly.
/// Numbering differs from <see cref="AttackVector"/> because NotDefined occupies 0, so never cast
/// between the two types - map by name.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedAttackVector
{
    /// <summary>Not Defined (X) - Base AV stays in effect.</summary>
    NotDefined = 0,

    /// <summary>Network (N).</summary>
    Network = 1,

    /// <summary>Adjacent (A).</summary>
    Adjacent = 2,

    /// <summary>Local (L).</summary>
    Local = 3,

    /// <summary>Physical (P).</summary>
    Physical = 4,
}
/// <summary>
/// Modified Attack Complexity (MAC) values. Serialized by member name; values pinned explicitly.
/// Numbering differs from <see cref="AttackComplexity"/> (NotDefined occupies 0); map by name, never cast.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedAttackComplexity
{
    /// <summary>Not Defined (X) - Base AC stays in effect.</summary>
    NotDefined = 0,

    /// <summary>Low (L).</summary>
    Low = 1,

    /// <summary>High (H).</summary>
    High = 2,
}
/// <summary>
/// Modified Attack Requirements (MAT) values. Serialized by member name; values pinned explicitly.
/// Numbering differs from <see cref="AttackRequirements"/> (NotDefined occupies 0); map by name, never cast.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedAttackRequirements
{
    /// <summary>Not Defined (X) - Base AT stays in effect.</summary>
    NotDefined = 0,

    /// <summary>None (N).</summary>
    None = 1,

    /// <summary>Present (P).</summary>
    Present = 2,
}
/// <summary>
/// Modified Privileges Required (MPR) values. Serialized by member name; values pinned explicitly.
/// Numbering differs from <see cref="PrivilegesRequired"/> (NotDefined occupies 0); map by name, never cast.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedPrivilegesRequired
{
    /// <summary>Not Defined (X) - Base PR stays in effect.</summary>
    NotDefined = 0,

    /// <summary>None (N).</summary>
    None = 1,

    /// <summary>Low (L).</summary>
    Low = 2,

    /// <summary>High (H).</summary>
    High = 3,
}
/// <summary>
/// Modified User Interaction (MUI) values. Serialized by member name; values pinned explicitly.
/// Numbering differs from <see cref="UserInteraction"/> (NotDefined occupies 0); map by name, never cast.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedUserInteraction
{
    /// <summary>Not Defined (X) - Base UI stays in effect.</summary>
    NotDefined = 0,

    /// <summary>None (N).</summary>
    None = 1,

    /// <summary>Passive (P).</summary>
    Passive = 2,

    /// <summary>Active (A).</summary>
    Active = 3,
}
/// <summary>
/// Modified Impact metric values, used for MVC/MVI/MVA and MSC. Serialized by member name; values pinned explicitly.
/// Numbering differs from <see cref="ImpactMetricValue"/> (NotDefined occupies 0); map by name, never cast.
/// NOTE(review): the v4.0 spec labels the modified "N" value Negligible, and the sibling
/// <see cref="ModifiedSubsequentImpact"/> uses that name; renaming <c>None</c> here would change the
/// serialized JSON, so the mismatch is documented rather than fixed.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedImpactMetricValue
{
    /// <summary>Not Defined (X) - Base impact stays in effect.</summary>
    NotDefined = 0,

    /// <summary>None (N) - Spec term: Negligible.</summary>
    None = 1,

    /// <summary>Low (L).</summary>
    Low = 2,

    /// <summary>High (H).</summary>
    High = 3,
}
/// <summary>
/// Modified Subsequent System Impact values for MSI/MSA (includes the Safety dimension).
/// Serialized by member name; values pinned explicitly. Not interchangeable with
/// <see cref="ModifiedImpactMetricValue"/> (different member set and numbering); map by name, never cast.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ModifiedSubsequentImpact
{
    /// <summary>Not Defined (X) - Base impact stays in effect.</summary>
    NotDefined = 0,

    /// <summary>Negligible (N).</summary>
    Negligible = 1,

    /// <summary>Low (L).</summary>
    Low = 2,

    /// <summary>High (H).</summary>
    High = 3,

    /// <summary>Safety (S) - Impact may harm human safety; the most severe value.</summary>
    Safety = 4,
}
/// <summary>
/// Security Requirement values for CR/IR/AR. Serialized by member name; values pinned explicitly.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum SecurityRequirement
{
    /// <summary>Not Defined (X) - Treated as Medium by the spec's default; confirm in the scorer.</summary>
    NotDefined = 0,

    /// <summary>Low (L).</summary>
    Low = 1,

    /// <summary>Medium (M).</summary>
    Medium = 2,

    /// <summary>High (H).</summary>
    High = 3,
}
#endregion
#region Supplemental Metric Enums
/// <summary>
/// Safety (S) supplemental values per CVSS v4.0. Serialized by member name; values pinned explicitly.
/// Informational only - supplemental metrics do not change the numeric score.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum Safety
{
    /// <summary>Not Defined (X).</summary>
    NotDefined = 0,

    /// <summary>Negligible (N) - No meaningful human-safety consequence.</summary>
    Negligible = 1,

    /// <summary>Present (P) - Exploitation may affect human safety.</summary>
    Present = 2,
}
/// <summary>
/// Automatable (AU) supplemental values per CVSS v4.0. Serialized by member name; values pinned explicitly.
/// Informational only - supplemental metrics do not change the numeric score.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum Automatable
{
    /// <summary>Not Defined (X).</summary>
    NotDefined = 0,

    /// <summary>No (N) - Attack steps cannot be fully automated.</summary>
    No = 1,

    /// <summary>Yes (Y) - Attack steps can be automated across targets.</summary>
    Yes = 2,
}
/// <summary>
/// Recovery (R) supplemental values per CVSS v4.0. Serialized by member name; values pinned explicitly.
/// Informational only - supplemental metrics do not change the numeric score.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum Recovery
{
    /// <summary>Not Defined (X).</summary>
    NotDefined = 0,

    /// <summary>Automatic (A) - The system recovers without intervention.</summary>
    Automatic = 1,

    /// <summary>User (U) - Manual intervention is needed to recover.</summary>
    User = 2,

    /// <summary>Irrecoverable (I) - Recovery is not possible.</summary>
    Irrecoverable = 3,
}
/// <summary>
/// Value Density (V) supplemental values per CVSS v4.0. Serialized by member name; values pinned explicitly.
/// Informational only - supplemental metrics do not change the numeric score.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ValueDensity
{
    /// <summary>Not Defined (X).</summary>
    NotDefined = 0,

    /// <summary>Diffuse (D) - Each vulnerable system holds limited resources.</summary>
    Diffuse = 1,

    /// <summary>Concentrated (C) - The vulnerable system holds rich resources.</summary>
    Concentrated = 2,
}
/// <summary>
/// Vulnerability Response Effort (RE) supplemental values per CVSS v4.0. Serialized by member name;
/// values pinned explicitly. Informational only - supplemental metrics do not change the numeric score.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ResponseEffort
{
    /// <summary>Not Defined (X).</summary>
    NotDefined = 0,

    /// <summary>Low (L).</summary>
    Low = 1,

    /// <summary>Moderate (M).</summary>
    Moderate = 2,

    /// <summary>High (H).</summary>
    High = 3,
}
/// <summary>
/// Provider Urgency (U) supplemental values per CVSS v4.0. Serialized by member name; values pinned explicitly.
/// Informational only - supplemental metrics do not change the numeric score.
/// </summary>
[JsonConverter(typeof(JsonStringEnumConverter))]
public enum ProviderUrgency
{
    /// <summary>Not Defined (X).</summary>
    NotDefined = 0,

    /// <summary>Clear - Provider has assessed no urgency.</summary>
    Clear = 1,

    /// <summary>Green - Reduced urgency.</summary>
    Green = 2,

    /// <summary>Amber - Moderate urgency.</summary>
    Amber = 3,

    /// <summary>Red - Highest urgency.</summary>
    Red = 4,
}
#endregion