{"id":3946,"library":"cvss","title":"CVSS Library","description":"The `cvss` library provides a Python implementation for calculating and parsing Common Vulnerability Scoring System (CVSS) scores for versions 2, 3, and 4. It enables users to convert CVSS vectors into human-readable scores and provides programmatic access to individual metric values. The current version is 3.6, and it sees active maintenance with several releases per year addressing bug fixes and new CVSS specification versions.","status":"active","version":"3.6","language":"en","source_language":"en","source_url":"https://github.com/RedHatProductSecurity/cvss","tags":["security","vulnerability","cvss","score"],"install":[{"cmd":"pip install cvss","lang":"bash","label":"Install latest version"}],"dependencies":[],"imports":[{"symbol":"CVSS2","correct":"from cvss import CVSS2"},{"symbol":"CVSS3","correct":"from cvss import CVSS3"},{"symbol":"CVSS4","correct":"from cvss import CVSS4"}],"quickstart":{"code":"from cvss import CVSS3, CVSS4\n\n# Example CVSS v3.1 vector\ncvss3_vector = \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\ncvss3_obj = CVSS3(cvss3_vector)\nprint(f\"CVSS v3 Base Score: {cvss3_obj.base_score}\")\nprint(f\"CVSS v3 Vector: {cvss3_obj.vector}\")\n\n# Example CVSS v4.0 vector\ncvss4_vector = \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\"\ncvss4_obj = CVSS4(cvss4_vector)\nprint(f\"CVSS v4 Base Score: {cvss4_obj.base_score}\")\nprint(f\"CVSS v4 Vector: {cvss4_obj.vector}\")","lang":"python","description":"Initialize CVSS objects with a vector string and retrieve base scores and individual metrics."},"warnings":[{"fix":"Upgrade your Python environment to 3.7 or newer. If you must use Python 2.7, use an older version of the `cvss` library (e.g., <3.5), but note it will not support CVSS v4.0.","message":"Python 2.7 support was officially removed in version 3.5. Users running on Python 2.x will need to upgrade to Python 3.7+.","severity":"breaking","affected_versions":">=3.5"},{"fix":"Ensure your Python environment is version 3.7 or higher.","message":"Starting with version 3.5, the library officially requires Python 3.7 or newer.","severity":"breaking","affected_versions":">=3.5"},{"fix":"Inspect the CVSS vector string (e.g., 'CVSS:3.1/' indicates v3.1, 'CVSS:4.0/' indicates v4.0) and instantiate the appropriate class (e.g., `CVSS3(...)` or `CVSS4(...)`).","message":"When parsing CVSS vectors, you must use the correct class (`CVSS2`, `CVSS3`, or `CVSS4`) corresponding to the vector's version. Attempting to parse a CVSS v3 vector with `CVSS2` will result in errors or incorrect parsing.","severity":"gotcha","affected_versions":"All"},{"fix":"Ensure you are using `cvss` library version 3.2 or newer when calculating CVSS v4.0 scores for accurate rounding.","message":"Early versions of the CVSS v4.0 implementation in the library (v3.0, v3.1) had rounding issues for base scores that did not match the official specification. This was fixed in v3.2.","severity":"gotcha","affected_versions":"3.0, 3.1"},{"fix":"Be aware of the `minimal` parameter's effect when generating JSON output, especially if you expect a full representation of all metrics regardless of input.","message":"The `CVSS3.as_json()` method has a `minimal` parameter which, if set to `True`, outputs a JSON representation containing only the metrics that the CVSS3 object was initialized with, rather than all possible metrics.","severity":"gotcha","affected_versions":">=2.6"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}