From 2d62ddf17fb27d221f87f7543eae9adaee78ab72 Mon Sep 17 00:00:00 2001 From: Kacper Date: Mon, 2 Oct 2023 16:26:48 +0200 Subject: [PATCH 1/3] cvss dialog update --- src/app/app.module.ts | 6 +- .../dialog-cvss/dialog-cvss.component.html | 26 +++++--- src/app/dialog-cvss/dialog-cvss.component.ts | 65 ++++++++++++------- 3 files changed, 64 insertions(+), 33 deletions(-) diff --git a/src/app/app.module.ts b/src/app/app.module.ts index 9b7eb9b5a..39a20cf4a 100644 --- a/src/app/app.module.ts +++ b/src/app/app.module.ts @@ -71,6 +71,8 @@ import { DialogAddreportprofileComponent } from './dialog-addreportprofile/dialo import { DialogApierrorComponent } from './dialog-apierror/dialog-apierror.component'; import { DialogReportcssComponent } from './dialog-reportcss/dialog-reportcss.component'; import { NoSanitizePipe } from './nosanitizerpipe'; +import { ClipboardModule } from '@angular/cdk/clipboard'; +import { MatTooltipModule } from '@angular/material/tooltip'; @NgModule({ declarations: [ @@ -138,7 +140,9 @@ import { NoSanitizePipe } from './nosanitizerpipe'; MatRadioModule, HammerModule, MatProgressBarModule, - NgxChartsModule + NgxChartsModule, + ClipboardModule, + MatTooltipModule ], providers: [MessageService, IndexeddbService, DatePipe], exports: [], diff --git a/src/app/dialog-cvss/dialog-cvss.component.html b/src/app/dialog-cvss/dialog-cvss.component.html index 215910dd2..dd5c5fdca 100644 --- a/src/app/dialog-cvss/dialog-cvss.component.html +++ b/src/app/dialog-cvss/dialog-cvss.component.html @@ -11,7 +11,7 @@


- {{item[0]}} @@ -21,7 +21,7 @@


- {{item[0]}} @@ -31,7 +31,7 @@


- {{item[0]}} @@ -41,7 +41,7 @@


- {{item[0]}} @@ -56,7 +56,7 @@


- {{item[0]}} @@ -66,7 +66,7 @@


- {{item[0]}} @@ -76,7 +76,7 @@


- {{item[0]}} @@ -86,7 +86,7 @@


- {{item[0]}} @@ -94,8 +94,14 @@

-
-
{{selectedItem}}
+ + + Score Vector + + + diff --git a/src/app/dialog-cvss/dialog-cvss.component.ts b/src/app/dialog-cvss/dialog-cvss.component.ts index c0162f82c..b78bdbc27 100644 --- a/src/app/dialog-cvss/dialog-cvss.component.ts +++ b/src/app/dialog-cvss/dialog-cvss.component.ts @@ -2,6 +2,7 @@ import { Component, OnInit } from '@angular/core'; import { Inject } from '@angular/core'; import { MatDialogRef, MAT_DIALOG_DATA } from '@angular/material/dialog'; import { Router } from '@angular/router'; +import { UntypedFormControl } from '@angular/forms'; @Component({ selector: 'app-dialog-cvss', @@ -23,81 +24,101 @@ export class DialogCvssComponent implements OnInit { Cvalue: any; Ivalue: any; Avalue: any; + scorevector = new UntypedFormControl(); - AV: any[] = [['Network (N)', 'A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker\'s path is through OSI layer 3 (the network layer). Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (e.g. CVE 2004 0230).', 0.85], - ['Adjacent', 'A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router). An example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment. See also CVE 2013 6014.', 0.62], - ['Local (L)', 'A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker\'s path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file.', 0.55], - ['Physical (P)', 'A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent. An example of such an attack is a cold boot attack which allows an attacker to access to disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks.', 0.2]]; + AV: any[] = [['Network (N)', 'A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker\'s path is through OSI layer 3 (the network layer). Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (e.g. CVE 2004 0230).', 0.85, 'N'], + ['Adjacent', 'A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router). An example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment. See also CVE 2013 6014.', 0.62, 'A'], + ['Local (L)', 'A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker\'s path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file.', 0.55, 'L'], + ['Physical (P)', 'A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent. An example of such an attack is a cold boot attack which allows an attacker to access to disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks.', 0.2, 'P']]; - AC: any[] = [['Low (L)', 'Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.', 0.77], - ['High (H)', 'A successful attack depends on conditions beyond the attacker\'s control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. 2 For example, a successful attack may depend on an attacker overcoming any of the following conditions:\n- The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc.\n- The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques.\n- The attacker must inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. man in the middle attack).', 0.44]]; + AC: any[] = [['Low (L)', 'Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.', 0.77, 'L'], + ['High (H)', 'A successful attack depends on conditions beyond the attacker\'s control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. 2 For example, a successful attack may depend on an attacker overcoming any of the following conditions:\n- The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc.\n- The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques.\n- The attacker must inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. man in the middle attack).', 0.44, 'H']]; - PR: any[] = [['None (N)', 'The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.', 0.85], - ['Low (L)', 'The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.', [0.62, 0.68]], - ['High (H)', 'The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.', [0.27, 0.5]]]; + PR: any[] = [['None (N)', 'The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.', 0.85, 'N'], + ['Low (L)', 'The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.', [0.62, 0.68], 'L'], + ['High (H)', 'The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.', [0.27, 0.5], 'H']]; - UI: any[] = [['None (N)', 'The vulnerable system can be exploited without interaction from any user.', 0.85], - ['Required (R)', 'Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.', 0.62]]; + UI: any[] = [['None (N)', 'The vulnerable system can be exploited without interaction from any user.', 0.85, 'N'], + ['Required (R)', 'Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.', 0.62, 'R']]; - S: any[] = [['Unchanged (U)', 'An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.', [true, 6.42]], ['Changed (C)', 'An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.', [false, 7.52]]]; + S: any[] = [['Unchanged (U)', 'An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.', [true, 6.42], 'U'], ['Changed (C)', 'An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.', [false, 7.52], 'C']]; - C: any[] = [['High (H)', 'There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator\'s password, or private encryption keys of a web server.', 0.56], - ['Low (L)', 'There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component.', 0.22], - ['None (N)', 'There is no loss of confidentiality within the impacted component.', 0]]; + C: any[] = [['High (H)', 'There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator\'s password, or private encryption keys of a web server.', 0.56, 'H'], + ['Low (L)', 'There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component.', 0.22, 'L'], + ['None (N)', 'There is no loss of confidentiality within the impacted component.', 0, 'N']]; - I: any[] = [['High (H)', 'There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.', 0.56], - ['Low (L)', 'Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component.', 0.22], - ['None (N)', 'There is no loss of integrity within the impacted component.', 0]]; + I: any[] = [['High (H)', 'There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.', 0.56, 'H'], + ['Low (L)', 'Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component.', 0.22, 'L'], + ['None (N)', 'There is no loss of integrity within the impacted component.', 0, 'N']]; - A: any[] = [['High (H)', 'There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).', 0.56], - ['Low (L)', 'There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.', 0.22], - ['None (N)', 'There is no impact to availability within the impacted component.', 0]]; + A: any[] = [['High (H)', 'There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).', 0.56, 'H'], + ['Low (L)', 'There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.', 0.22, 'L'], + ['None (N)', 'There is no impact to availability within the impacted component.', 0, 'N']]; constructor(public router: Router, public dialogRef: MatDialogRef, @Inject(MAT_DIALOG_DATA) public data) { } - ngOnInit() {} + ngOnInit() { + this.scorevector.disable(); + this.scorevector.setValue('CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_'); + } + + changevector(vector, event) { + const regex = new RegExp("\/"+vector+':(\\w)', 'gi'); + const newstr = this.scorevector.value.replace("\/"+vector+":_", "/"+vector+":"+event); + const newstr2 = newstr.replace(regex, "\/"+vector+":"+event); + this.scorevector.setValue(newstr2); + + } AVonclick(event) { this.selectedItem = event[0] + ': ' + event[1]; this.AVvalue = event[2]; this.calcit(); + this.changevector("AV", event[3]); } AConclick(event) { this.selectedItem = event[0] + ': ' + event[1]; this.ACvalue = event[2]; this.calcit(); + this.changevector("AC", event[3]); } PRonclick(event) { this.selectedItem = event[0] + ': ' + event[1]; this.PRvalue = event[2]; this.calcit(); + this.changevector("PR", event[3]); } UIonclick(event) { this.selectedItem = event[0] + ': ' + event[1]; this.UIvalue = event[2]; this.calcit(); + this.changevector("UI", event[3]); } Sonclick(event) { this.selectedItem = event[0] + ': ' + event[1]; this.Svalue = event[2]; this.calcit(); + this.changevector("S", event[3]); } Conclick(event) { this.selectedItem = event[0] + ': ' + event[1]; this.Cvalue = event[2]; this.calcit(); + this.changevector("C", event[3]); } Ionclick(event) { this.selectedItem = event[0] + ': ' + event[1]; this.Ivalue = event[2]; this.calcit(); + this.changevector("I", event[3]); } Aonclick(event) { this.selectedItem = event[0] + ': ' + event[1]; this.Avalue = event[2]; this.calcit(); + this.changevector("A", event[3]); } From 371fcd81e25cfe8d5e6ac21f147731c0d046e06c Mon Sep 17 00:00:00 2001 From: Kacper Date: Mon, 2 Oct 2023 16:38:52 +0200 Subject: [PATCH 2/3] cvss dialog test --- src/app/dialog-cvss/dialog-cvss.component.html | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/app/dialog-cvss/dialog-cvss.component.html b/src/app/dialog-cvss/dialog-cvss.component.html index dd5c5fdca..9c24a247c 100644 --- a/src/app/dialog-cvss/dialog-cvss.component.html +++ b/src/app/dialog-cvss/dialog-cvss.component.html @@ -103,7 +103,8 @@

- +
+
{{selectedItem}}
  From c2d81ad00d21c45221ccc9caed8f6020185a30f6 Mon Sep 17 00:00:00 2001 From: Kacper Date: Tue, 3 Oct 2023 13:49:31 +0200 Subject: [PATCH 3/3] cvss dialog update --- .../dialog-cvss/dialog-cvss.component.html | 10 +++++++--- src/app/dialog-cvss/dialog-cvss.component.ts | 19 ++++++++++++++++++- 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/src/app/dialog-cvss/dialog-cvss.component.html b/src/app/dialog-cvss/dialog-cvss.component.html index 9c24a247c..f0da8bc2a 100644 --- a/src/app/dialog-cvss/dialog-cvss.component.html +++ b/src/app/dialog-cvss/dialog-cvss.component.html @@ -98,13 +98,17 @@

Score Vector - + -
-
{{selectedItem}}
+
+
+
{{selectedItem}}
+
+   diff --git a/src/app/dialog-cvss/dialog-cvss.component.ts b/src/app/dialog-cvss/dialog-cvss.component.ts index b78bdbc27..989910746 100644 --- a/src/app/dialog-cvss/dialog-cvss.component.ts +++ b/src/app/dialog-cvss/dialog-cvss.component.ts @@ -1,19 +1,24 @@ -import { Component, OnInit } from '@angular/core'; +import { Component, OnInit, ViewChild } from '@angular/core'; import { Inject } from '@angular/core'; import { MatDialogRef, MAT_DIALOG_DATA } from '@angular/material/dialog'; import { Router } from '@angular/router'; import { UntypedFormControl } from '@angular/forms'; +import { MatTooltip } from '@angular/material/tooltip'; @Component({ selector: 'app-dialog-cvss', templateUrl: './dialog-cvss.component.html', styleUrls: ['./dialog-cvss.component.scss'] }) + export class DialogCvssComponent implements OnInit { + @ViewChild('tooltip') tooltip: MatTooltip; + selectedAnswers = []; selectedItem: string; show = false; + mobile = false; severity: string; basescore: number; AVvalue: any; @@ -59,10 +64,22 @@ export class DialogCvssComponent implements OnInit { @Inject(MAT_DIALOG_DATA) public data) { } ngOnInit() { + window.onresize = () => this.mobile = window.innerWidth <= 1024; this.scorevector.disable(); this.scorevector.setValue('CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_'); } + copyText() { + setTimeout(() => { + this.tooltip.show(); + this.tooltip.message = "Copied!"; + }); + setTimeout(() => { + this.tooltip.hide(); + this.tooltip.message = "Copy to clipboard"; + }, 2000); + } + changevector(vector, event) { const regex = new RegExp("\/"+vector+':(\\w)', 'gi'); const newstr = this.scorevector.value.replace("\/"+vector+":_", "/"+vector+":"+event);