CVSSv4, mprpic review changes

-Added additional CVSS4 imports to cvss/__init__.py -Added additional metric checks that raise CVSS4MalformedError -Cleaned up some left over comments -Added additional tests for malformed CVSS4 strings
RedHatProductSecurity · Dec 14, 2023 · 6c56b75 · 6c56b75
1 parent 0f9079a
commit 6c56b75
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 4 deletions.
diff --git a/cvss/__init__.py b/cvss/__init__.py
@@ -4,7 +4,8 @@
 
 from .cvss2 import CVSS2
 from .cvss3 import CVSS3
-from .exceptions import CVSS2Error, CVSS3Error, CVSSError
+from .cvss4 import CVSS4
+from .exceptions import CVSS2Error, CVSS3Error, CVSS4Error, CVSSError
 from .interactive import ask_interactively
 
 __version__ = "2.6"
diff --git a/cvss/cvss4.py b/cvss/cvss4.py
@@ -176,6 +176,15 @@ def parse_vector(self):
 
             if metric in self.metrics:
                 raise CVSS4MalformedError('Duplicate metric "{0}"'.format(metric))
+
+            if metric not in METRICS_VALUE_NAMES:
+                raise CVSS4MalformedError('Invalid metric key in CVSS4 vector "{0}"'.format(field))
+
+            if value not in METRICS_VALUE_NAMES[metric]:
+                raise CVSS4MalformedError(
+                    'Invalid metric value in CVSS4 vector "{0}"'.format(field)
+                )
+
             self.metrics[metric] = value
 
     def get_eq_maxes(self, lookup, eq):
@@ -213,9 +222,6 @@ def m(self, metric):
             if modified_selected != "X":
                 return modified_selected
 
-        # if metric not in self.metrics and "M" + metric not in self.metrics:
-        #     return "X"
-
         return selected
 
     def macroVector(self):

diff --git a/tests/test_cvss4.py b/tests/test_cvss4.py
@@ -5,6 +5,7 @@
 sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
 
 from cvss.cvss4 import CVSS4
+from cvss.exceptions import CVSS4MalformedError
 
 WD = path.dirname(path.abspath(sys.argv[0]))  # Manage to run script anywhere in the path
 
@@ -163,6 +164,33 @@ def test_json_schema_high_msi(self):
         self.assertIn("modifiedSubsequentSystemImpactIntegrity", json_data)
         self.assertIn("subsequentSystemImpactIntegrity", json_data)
 
+    def test_invalid_metric_key(self):
+        v = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/JJ:H"
+        error = ""
+        try:
+            CVSS4(v)
+        except CVSS4MalformedError as e:
+            error = str(e)
+        self.assertEqual(error, 'Invalid metric key in CVSS4 vector "JJ:H"')
+
+    def test_invalid_metric_value(self):
+        v = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:J"
+        error = ""
+        try:
+            CVSS4(v)
+        except CVSS4MalformedError as e:
+            error = str(e)
+        self.assertEqual(error, 'Invalid metric value in CVSS4 vector "SA:J"')
+
+    def test_duplicate_metric_key(self):
+        v = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SI:H"
+        error = ""
+        try:
+            CVSS4(v)
+        except CVSS4MalformedError as e:
+            error = str(e)
+        self.assertEqual(error, 'Duplicate metric "SI"')
+
 
 if __name__ == "__main__":
     unittest.main()