org.owasp.dependencycheck.utils

Class SeverityUtil

java.lang.Object

org.owasp.dependencycheck.utils.SeverityUtil

public final class SeverityUtil
extends java.lang.Object

Utility to estimate severity level scores.

Author:

Jeremy Long

Method Summary

Modifier and Type	Method and Description
static java.lang.Double	estimateCvssV2(java.lang.String severity) Estimates the CVSS V2 Score based on a given severity.
static java.lang.Double	estimatedSortAdjustedCVSSv3(java.lang.String severity) Creates an estimated sort-adjusted CVSSv3 score for an unscored textual severity.
static java.lang.Double	sortAdjustedCVSSv3BaseScore(java.lang.Double cvssV3BaseScore) Compute an adjusted CVSSv3 baseScore that ensures that CRITICAL CVSSv3 scores will win over HIGH CVSSv2 and CRITICAL unscored severities to allow for a best-effort sorting that enables the report to list a reliable 'highest severity' in the report.
static java.lang.String	unscoredToSeveritytext(java.lang.String severity) Converts a textual severity to the text that should be used to signal it in a report.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

estimateCvssV2

public static java.lang.Double estimateCvssV2(java.lang.String severity)

Estimates the CVSS V2 Score based on a given severity. The implementation will default to 3.9 if no recognized "severity" level is given (critical, high, low).

Parameters:

severity - the severity text (e.g. "medium")

Returns:

a score from 0 to 10

unscoredToSeveritytext

public static java.lang.String unscoredToSeveritytext(java.lang.String severity)

Converts a textual severity to the text that should be used to signal it in a report.

Parameters:

severity - The textual unscored severity

Returns:

The severity when properly recognized, otherwise the severity extended with a remark that it was not recognized and assumed to represent a critical severity.

estimatedSortAdjustedCVSSv3

public static java.lang.Double estimatedSortAdjustedCVSSv3(java.lang.String severity)

Creates an estimated sort-adjusted CVSSv3 score for an unscored textual severity. For recognized severities below critical it returns a value at the lower bound of the CVSSv3 baseScore for that severity. For recognized critical severities it returns a score in-between the upper bound of the HIGH CVSSv2 score and the lowest sort-adjusted CVSSv3 critical score, so that unscored critical vulnerabilties are ordered in between CRITICAL scored CVSSv3 rated vulnerabilities and HIGH-scored CVSSv2 rated vulnerabilities. For unrecognized severities it returns a score in-between the top HIGH CVSSv2 score and the estimatedSortAdjustedCVSSv3 score for an unscored severity recognized as critical, so that recognized critical will win over unrecognized severities while unrecognized severities are assumed to be of a critical nature.

Parameters:

severity - The textual severity, may be null

Returns:

A float that can be used to numerically sort vulnerabilities in approximated severity (highest float represents highest severity).

See Also:

#sortAdjustedCVSSv3BaseScore(float)

sortAdjustedCVSSv3BaseScore

public static java.lang.Double sortAdjustedCVSSv3BaseScore(java.lang.Double cvssV3BaseScore)

Compute an adjusted CVSSv3 baseScore that ensures that CRITICAL CVSSv3 scores will win over HIGH CVSSv2 and CRITICAL unscored severities to allow for a best-effort sorting that enables the report to list a reliable 'highest severity' in the report.

Parameters:

cvssV3BaseScore - The cvssV3 baseScore severity of a vulnerability

Returns:

The cvssV3 baseScore, adjusted if necessary in order to guarantee that CVSSv3 CRITICAL scores will rate higher than CVSSv2 HIGH, unscored critical severities and unscored unrecognized severities (which are assumed for sorting to be of a critical nature)

See Also:

estimatedSortAdjustedCVSSv3(String)