CVSSlib

Common errors

• ModuleNotFoundError: No module named 'cvsslib'

  cause The 'cvsslib' package has not been installed in your Python environment.
  fix Run `pip install cvsslib` to install the library.

• TypeError: calculate_vector() missing 1 required positional argument: 'cvss_version_module'

  cause The `calculate_vector` function requires both the CVSS vector string and the corresponding CVSS version module (e.g., `cvss2`, `cvss3`, or `cvss31`) as arguments.
  fix Ensure you pass the correct CVSS version module. Example: `calculate_vector(my_vector_string, cvss3)`.

• AttributeError: module 'cvsslib.cvss3' has no attribute 'AttackVector'

  cause You are trying to access CVSS enums directly from the `cvsslib.cvss3` module without importing them or accessing them via the module's `enums` submodule.
  fix Access enums via the specific version module, e.g., `cvss3.AttackVector.NETWORK` or `from cvsslib.cvss3.enums import AttackVector`.

Warnings

• gotcha The cvsslib library does not currently support CVSS v4.0. CVSS v4.0 was officially launched in November 2023 and introduces significant changes to metric definitions and scoring.
  Fix: For CVSS v4.0 support, consider alternative libraries like 'RedHatProductSecurity/cvss' or monitor for future updates to cvsslib.
• gotcha The last release (1.0.0) of cvsslib was in March 2020. While functional for supported CVSS versions, it is not under active feature development or frequent maintenance for new standards or major bug fixes.
  Fix: Be aware of the project's maintenance status. For new CVSS standards or highly active development, evaluate other libraries.
• gotcha Some combinations of CVSS v3.0 and v3.1 environmental scores may differ slightly due to redefinitions in the v3.1 specification (e.g., Roundup changes and ModifiedImpact sub-formula).
  Fix: Ensure you are using the correct CVSS version module (cvss3 or cvss31) matching the vector string and specification you intend to follow. Review FIRST's CVSS v3.1 User Guide for detailed differences.

Install

• pip install cvsslib Install stable version

Imports

• cvss2, cvss3, cvss31, calculate_vector

  from cvsslib import cvss2, cvss3, cvss31, calculate_vector

  Imports the modules for CVSS v2, v3, and v3.1 definitions, and the main calculation function.
• class_mixin

  from cvsslib import class_mixin

  Used to create base classes for CVSS members with utility functions like to_vector() and from_vector().

Quickstart

This quickstart demonstrates how to import the necessary modules from `cvsslib` and use the `calculate_vector` function to compute CVSS scores for different versions (v2, v3.0, and v3.1) from their respective vector strings. It prints the base, impact, and exploitability scores.

from cvsslib import cvss2, cvss3, cvss31, calculate_vector

# Calculate CVSS v2 score
vector_v2 = "AV:L/AC:M/Au:S/C:N/I:P/A:C/E:U/RL:OF/RC:UR/CDP:N/TD:L/CR:H/IR:H/AR:H"
base_score_v2, impact_v2, exploitability_v2 = calculate_vector(vector_v2, cvss2)
print(f"CVSS v2 Vector: {vector_v2}")
print(f"Base Score: {base_score_v2}, Impact Score: {impact_v2}, Exploitability Score: {exploitability_v2}\n")

# Calculate CVSS v3.0 score
vector_v3 = "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:H/MPR:N"
base_score_v3, impact_v3, exploitability_v3 = calculate_vector(vector_v3, cvss3)
print(f"CVSS v3.0 Vector: {vector_v3}")
print(f"Base Score: {base_score_v3}, Impact Score: {impact_v3}, Exploitability Score: {exploitability_v3}\n")

# Calculate CVSS v3.1 score
vector_v31 = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
base_score_v31, impact_v31, exploitability_v31 = calculate_vector(vector_v31, cvss31)
print(f"CVSS v3.1 Vector: {vector_v31}")
print(f"Base Score: {base_score_v31}, Impact Score: {impact_v31}, Exploitability Score: {exploitability_v31}")