Universe

Contributors Forks Stargazers Issues MIT License


cvssc

Common Vulnerability Scoring System Calculator

The CVSS Typst Library is a Typst package designed to facilitate the calculation of Common Vulnerability Scoring System (CVSS) scores for vulnerabilities across multiple versions, including CVSS 2.0, 3.0, 3.1, and 4.0. This library provides developers, security analysts, and researchers with a reliable and efficient toolset for assessing the severity of security vulnerabilities based on the CVSS standards.
Explore the docs »

Report Bug · Request Feature

Table of Contents
  1. About The Project
  2. Getting Started
  3. Usage
  4. API Reference
  5. Supported Versions
  6. Roadmap
  7. Contributing
  8. License
  9. Contact
  10. Acknowledgments

About The Project

The cvssc library provides comprehensive support for calculating CVSS scores across all major versions (2.0, 3.0, 3.1, and 4.0). It includes:

  • Auto-detection of CVSS version from vector strings
  • Score calculations with base, temporal, and environmental metrics
  • Visual representations via radar charts
  • Severity badges with color-coded display
  • Dictionary and string formats for flexible input

Based on official specifications from FIRST.org.

(back to top)

Built With

  • Typst
  • Rust
  • WASM

(back to top)

Getting Started

Ensure you have the Typst CLI installed.

Prerequisites

Installation

Import the package in your Typst document:

#import "@preview/cvssc:0.2.0": *

(back to top)

Usage

Quick Start

#import "@preview/cvssc:0.2.0": *

// Auto-detect version and calculate
#let result = calc("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")

// Display score and severity
Score: #result.overall-score  // 9.8
Severity: #result.severity    // "CRITICAL"

// Show colored badge
#result.badge               // Displays "CRITICAL"
#result.badge-with-score    // Displays "CRITICAL 9.8"

// Display radar chart
#result.graph

Calculation Functions

Auto-Detection (Recommended)

The calc() function automatically detects the CVSS version:

// CVSS 2.0
#let r1 = calc("CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P")

// CVSS 3.1
#let r2 = calc("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")

// CVSS 4.0
#let r3 = calc("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N")

Version-Specific Functions

// CVSS 2.0
#let score = v2("CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C")

// CVSS 3.0 or 3.1
#let score = v3("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")

// CVSS 4.0
#let score = v4("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N")

Dictionary Input Format

#let result = calc((
  version: "3.1",
  metrics: (
    "AV": "N", "AC": "L", "PR": "N", "UI": "N",
    "S": "U", "C": "H", "I": "H", "A": "H"
  )
))

Display Methods

Result objects include built-in display methods:

#let result = calc("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")

// Badge - severity only (good for inline text)
#result.badge                // CRITICAL

// Badge with score
#result.badge-with-score     // CRITICAL 9.8

// Radar chart visualization
#result.graph

Utility Functions

String Conversion

// Parse CVSS string to dictionary
#let vec = str2vec("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
// vec.version => "3.1"
// vec.metrics => ("AV": "N", "AC": "L", ...)

// Convert dictionary back to string
#let str = vec2str((
  version: "3.1",
  metrics: ("AV": "N", "AC": "L", "PR": "N", "UI": "N", "S": "U", "C": "H", "I": "H", "A": "H")
))

Version Detection

// Extract version from CVSS string
#let version = get-version("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
// version => "3.1"

String Utilities

// Convert camelCase to kebab-case
#kebab-case("helloWorld")        // "hello-world"

// Convert dictionary keys to kebab-case
#kebabify-keys((
  "baseScore": 9.8,
  "overallScore": 9.8
))
// => ("base-score": 9.8, "overall-score": 9.8)

Customization

Color Scheme

// Update severity colors
#set-colors((
  "critical": rgb("#ff0000"),
  "high": rgb("#ff8800"),
  "chart-stroke": rgb("#0000ff")
))

Real-World Examples

CVE-2021-44228 (Log4Shell)

// CVSS 3.1
#let log4shell = calc("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H")
#log4shell.badge-with-score  // CRITICAL 10.0

CVE-2014-0160 (Heartbleed)

// CVSS 2.0
#let heartbleed_v2 = calc("CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N")
#heartbleed_v2.badge-with-score  // MEDIUM 5.0

// CVSS 3.1
#let heartbleed_v3 = calc("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N")
#heartbleed_v3.badge-with-score  // HIGH 7.5

(back to top)

API Reference

Calculation Functions

calc(vec) -> dict

Calculate CVSS scores with auto-version detection.

  • Input: String (vector) or dictionary
  • Returns: Dictionary with scores, severity, metadata, and display methods (.badge, .badge-with-score, .graph)

v2(vec) -> dict

Calculate CVSS 2.0 scores.

  • Input: String (vector) or dictionary
  • Returns: Dictionary with scores and display methods

v3(vec) -> dict

Calculate CVSS 3.0 or 3.1 scores.

  • Input: String (vector) or dictionary
  • Returns: Dictionary with scores and display methods

v4(vec) -> dict

Calculate CVSS 4.0 scores.

  • Input: String (vector) or dictionary
  • Returns: Dictionary with scores and display methods

Utility Functions

str2vec(s) -> dict

Parse CVSS string to dictionary with version and metrics fields.

vec2str(vec) -> string

Convert CVSS dictionary to string.

get-version(input) -> string

Extract version from CVSS string.

kebab-case(string) -> string

Convert camelCase string to kebab-case.

kebabify-keys(input) -> dict

Convert dictionary keys from camelCase to kebab-case.

Configuration Functions

set-colors(new-colors) -> none

Update CVSS color scheme. Accepts dictionary with color keys.

Return Format

All calculation functions return a dictionary with kebab-case keys:

(
  version: "3.1",
  base-score: 9.8,
  temporal-score: none,
  environmental-score: none,
  overall-score: 9.8,
  severity: "CRITICAL",
  base-severity: "CRITICAL",
  metrics: ("AV": "N", "AC": "L", ...),
  vector: "CVSS:3.1/...",
  specification-document: "https://...",

  // Display methods
  badge: [content],              // Severity badge only
  badge-with-score: [content],   // Severity badge with score
  graph: [content]               // Radar chart visualization
)

CVSS 4.0 also includes:

  • threat-score: Threat score (if applicable)
  • macro-vector: 6-digit macro vector string (e.g., “000020”)

(back to top)

Supported Versions

CVSS 2.0

  • Base Metrics: AV, AC, Au, C, I, A
  • Temporal Metrics: E, RL, RC
  • Environmental Metrics: CDP, TD, CR, IR, AR
  • Severity Ratings: LOW, MEDIUM, HIGH
  • Format: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.0

  • Base Metrics: AV, AC, PR, UI, S, C, I, A
  • Temporal Metrics: E, RL, RC
  • Environmental Metrics: CR, IR, AR, MAV, MAC, MPR, MUI, MS, MC, MI, MA
  • Severity Ratings: NONE, LOW, MEDIUM, HIGH, CRITICAL
  • Format: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

CVSS 3.1

  • Same as CVSS 3.0 with refined environmental score calculation
  • Most widely used version
  • Severity Ratings: NONE, LOW, MEDIUM, HIGH, CRITICAL
  • Format: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

CVSS 4.0

  • Base Metrics: AV, AC, AT, PR, UI, VC, VI, VA, SC, SI, SA
  • Threat Metrics: E
  • Environmental Metrics: CR, IR, AR, MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA
  • Supplemental Metrics: S, AU, R, V, RE, U
  • Uses macro vector system for scoring
  • Severity Ratings: NONE, LOW, MEDIUM, HIGH, CRITICAL
  • Format: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity Ratings

Score Range CVSS 2.0 CVSS 3.x / 4.0
0.0 - NONE
0.1 - 3.9 LOW LOW
4.0 - 6.9 MEDIUM MEDIUM
7.0 - 8.9 HIGH HIGH
9.0 - 10.0 HIGH CRITICAL

Key Differences Between Versions

CVSS 2.0 → 3.0

  • Added Scope metric
  • Changed “Authentication” to “Privileges Required”
  • Impact values: Partial → Low, Complete → High
  • Added CRITICAL severity rating
  • More granular scoring

CVSS 3.0 → 3.1

  • Refined environmental score calculation
  • One formula difference in Modified Impact calculation
  • Otherwise identical

CVSS 3.1 → 4.0

  • Revolutionary change: Macro vector system replaces formulas
  • Added Attack Requirements (AT)
  • Replaced Scope with Subsequent System impacts (SC, SI, SA)
  • Simplified temporal metrics
  • Added supplemental metrics for context
  • Equivalent Class (EQ) system for scoring

(back to top)

Roadmap

See the open issues for a full list of proposed features (and known issues).

(back to top)

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag “enhancement”. Don’t forget to give the project a star! Thanks again!

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

(back to top)

License

Distributed under the MIT License. See LICENSE for more information.

(back to top)

Contact

Drake Axelrod - Github Profile - drakeaxelrod@gmail.com

Project Link: https://github.com/DrakeAxelrod/cvssc

Contributors

Drake Axelrod
Drake Axelrod
dwbzn
dwbzn

(back to top)

Acknowledgments

(back to top)