Add CVSSv4 Calculator #387
The calculator at https://www.first.org/cvss/calculator/4.0 is slightly different to previous cvss versions in that it is being distributed as a vue.js application. https://github.com/FIRSTdotorg/cvss-v4-calculator To avoid inaccurate calculations by converting the vue.js app to javascript and mirror the existing cvss-v3 calculator it might make sense to fork the github project into the |
Hi Team, Is there anything I can do to move this particular pull request along? Not sure what your process is, whether you need someone to do some testing or similar. (We are desperate for it, don't worry if you have a plan, just trying to be helpful) It looks like the CodeFactor checks failed because of the third-party library. I would suggest that these failures are ignored as that code is not a GW specific element. Thanks! |
@felix-caboff Once we wrap-up some features that have been in-flight for v4.1, we'll take a look at this. The big question is how easy it is for someone to choose the calculator they want to use. Some people still want CVSS v3. Others are asking for CVSS v3.1. Another group wants CVSS v4. The ideal end state is they're all available and you can pick which one to use. In the meantime, checking out this PR and providing feedback is very helpful. |
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## master #387 +/- ##
==========================================
+ Coverage 91.95% 91.97% +0.01%
==========================================
Files 314 318 +4
Lines 18158 18176 +18
==========================================
+ Hits 16698 16717 +19
+ Misses 1460 1459 -1 |
@domwhewell-sage wow this looks like a lot has happened! Thank you for prepping it for testing. Unless you say otherwise I will try and test it this afternoon (UK time). |
For anyone reading this, please also see a competing PR #509 |
Awesome work! Any update on when this will be merged? |
Hey, you are probably best looking at the original issue that was raised: #356 |
Alex has implemented this PR along with some related feedback/requests from other issues in PR #509. I think the PRs are essentially identical in the basic functionality of offering CVSS v3 and v4 calculators. You can switch from one to the other on the fly. I want to get this feature merged in so I'm looking to reconcile the two PRs. Is there anything missing from #509 that is in this PR? Here is an example of the calc in PR #509: |
Hi @chrismaddalena, #509 is only including the base score, and is missing the Supplemental Metrics, Environmental (Modified Base Metrics), Environmental (Security Requirements) and Threat Metrics. The CVSSv3 calculator is missing the Temporal Score and Environmental Score (I know they didn't exist in the base branch anyway) |
@domwhewell-sage We should add supplemental metrics to the calculator. That shouldn't be difficult. |
This has been addressed in #509! I have to zoom out to show the whole calc now, but that's OK. I think we'll want some way to close the calc without scrolling back up to click the header. It could also become a modal later on. There are pros and cons to both user experiences. Everyone has put a lot of work into this, which I appreciate, so I want to make sure this covers all the needs. Is there anything missing at this point? @felix-caboff @SecurityPingu @domwhewell-sage |
This looks shiny to me! Not immediately important, but related.... Do the changes made in this PR open up the ability for GW to have other scoring systems in the future? Like for example, could we do the CWSS? (_W_eakness not _V_ulnerability)? It looks to me that so long as there is a scope and a vector that isn't using wildly different character sets we are good. |
@felix-caboff Probably. The calculators are built with JavaScript, so it seems feasible to allow you to switch to more than just CVSS v3 or v4. A quick search didn't return any readily available CWSS calculators for JavaScript, so the most significant lift would probably be developing that. |
Nice work! I'm currently doing some light changes (mainly around reporting) but at some point I will be looking to implement an impact x likelihood = risk scoring matrix. |
@chrismaddalena If I prep that CWSS JS, how do you want me to provide it? I'm not in a position to implement / test integration to GW at the moment but I think I can probably provide a basic HTML / JS demonstrator in the next couple of days? |
Working PR to add CVSSv4 calculator onto the findings views as requested in #356.
The CVSSv4 calculator should appear as an optional tab once you click the "CVSS Calculator" accordion.
So as to minimize changes in future, all Metrics are included.