CVSS logo

Common Vulnerability Scoring System v3.0: Calculator Use & Design

This guide covers the following aspects of the CVSS Calculator:

Calculator Use

The CVSS calculator implements the formula defined in the CVSS version 3.0 standard, generating scores based on the metric values you enter. You should refer to the standard for details of the metrics to ensure you pick the correct values for a given vulnerability. Hovering your mouse pointer over metric group names, metric names and metric values displays a summary of the information in the standard. This feature is not available on devices with no pointer, such as touchscreen devices.

The standard only defines scores when all Base metrics have values. If one or more Base metrics have no value set, no score is displayed and a reminder that all values first need to be set is shown. Select values for all Base metrics to enable scoring.

The standard defines a concise representation of the metric values forming a CVSS score, known as a Vector String. When you have chosen a value for every Base metric, the Vector String will be displayed beneath the Base score. This will be updated as you make further changes to metric values. Right-clicking on the Vector String selects the entire string, making it easier to copy.

A Vector String can be passed on the URL to set the calculator metric buttons to the values given in the URL. The Vector String must conform to the format specified in the CVSS v3.0 standard. As per the standard, it must include all Base metrics. Temporal and Environmental metrics are optional and will default to "Not Defined (X)" if not included in the Vector String. It is permissible to include some but not all Temporal and Environmental metrics. An example URL is: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L

When all Base metrics are chosen, the Vector String is added to the URL (if it wasn't already present), and updated if further metric changes are made. This enables the whole URL to be copied and used to link to the calculator in a way that restores the current metric values and scores.

The calculator does not work with Microsoft Internet Explorer 8 and earlier.

Changelog

The following changes have been made to the CVSS Calculator since it was first made available. The changes are listed starting with the most recent.

4 August 2015

  • Added CVSS.generateXMLFromMetrics and CVSS.generateXMLFromVector functions to return XML string representations of metric values passed in separate values and as a Vector String, respectively.
  • Moved all constants and functions to an object named "CVSS" to reduce the chance of conflicts in global variables when this file is combined with other JavaScript code. This will break all existing code that uses anything from this file until the string CVSS. (including the dot at the end) is prepended to all constant and function names. For example, calls to calculateCVSSFromMetrics should be changed to CVSS.calculateCVSSFromMetrics.
  • The Exploitability metric has been renamed Exploit Code Maturity in the specification, so the same change has been made in throughout the code in this file.

29 April 2015

  • Environmental formula modified to eliminate undesirable behavior caused by differences in rounding between Temporal and Environmental formulas that often caused the latter to be 0.1 lower than than the former when all Environmental metrics are Not defined. This is a change to the formula in the CVSS specification.
  • The same change also stopped the Environmental score being higher than the Temporal score when: the Base Score is 10.0, the Temporal Score is lower than 10.0, and all Environmental metrics are Not defined.
  • Added the RoundUp1 function to simplify formulas by replacing several similar lines of code to round a floating point number up to one decimal place with a function.
  • Added the calculateCVSSFromVector function to allow CVSS Scores to be calculated by providing a single CVSS Vector String.
  • License and copyright information added to all files.
  • Code cleaned up and comments added or improved.

12 December 2014

  • Initial release for CVSS 3.0 Preview 2.

CVSS Calculator Technical Design

This section explains the CVSS Calculator's implementation. This may be useful if you wish to implement your own CVSS calculator based on FIRST's code. Each file is listed with an explanation of how it may be useful in your CVSS calculator implementation.

If you are planning to create new code or modify existing code to implement the CVSS 3.0 formulas, be aware that different languages, operating systems or hardware platforms may perform floating point operations slightly differently, leading to different results. At the time of writing, the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:U/RC:U is known to have Temporal and Environmental scores close to a boundary and some implementations may give scores of 9.2 rather than the expected 9.3. The JavaScript implementation of the formulas on FIRST's web site is considered the reference implementation, so please ensure your code create results that are consistent.

JavaScript Functions in cvsscalc30.js

The following is a summary of available functions. The comments preceding the function definitions in the source code provide more detail.

CVSS.calculateCVSSFromMetrics

Takes Base, Temporal and Environmental metric values as individual parameters and returns: scores for each, severity ratings for each, and a complete Vector String. The input parameters are:

Parameter values are passed in the short format defined in the CVSS v3.0 standard definition of the Vector String. For example, the AttackComplexity parameter should be either "H" or "L". All Base metrics are mandatory; Temporal and Environmental metrics are optional. The function returns an object. The object always has a Boolean property named "success" that will be "true" if no error occurred. Assuming this to be the case, the following properties are also defined:

Each "Score" property contains a number representing the score, each "Severity" property contains a string with the associated severity rating, and the "vectorString" property is a complete Vector String.

An example of a call to this function is:

var output = calculateCVSSFromMetrics('N','L','N','R','C','L','L','N');

var result;
if (output.success === true) {
  result =
    "Base score is " + output.baseMetricScore + ". " +
    "Base severity is " + output.baseSeverity + ". " +
    "Temporal score is " + output.temporalMetricScore + ". " +
    "Temporal severity is " + output.temporalSeverity + ". " +
    "Environmental score is " + output.environmentalMetricScore + ". " +
    "Environmental severity is " + output.environmentalSeverity + ". " +
    "Vector string is " + output.vectorString + ". ";
} else {
  result =
    "An error occurred. The error type is '" + errorType +
    "' and the metrics with errors are " + errorMetrics + ".";
}

alert (result);

This displays an alert box with the contents:

Base score is 6.1. Base severity is Medium. Temporal score is 6.1. Temporal severity is Medium. Environmental score is 6.1. Environmental severity is Medium. Vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Refer to the source code for more details on how errors are returned.

CVSS.calculateCVSSFromVector

This is similar to the previous function except that it takes a Vector String as input. Outputs are the same, except that additional error types are defined to handle problems in the format of the Vector String.

var output = calculateCVSSFromVector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/RL:O/CR:L");

var result;
if (output.success === true) {
  result =
    "Base score is " + output.baseMetricScore + ". " +
    "Base severity is " + output.baseSeverity + ". " +
    "Temporal score is " + output.temporalMetricScore + ". " +
    "Temporal severity is " + output.temporalSeverity + ". " +
    "Environmental score is " + output.environmentalMetricScore + ". " +
    "Environmental severity is " + output.environmentalSeverity + ". " +
    "Vector string is " + output.vectorString + ". ";
} else {
  result =
    "An error occurred. The error type is '" + output.errorType +
    "' and the metrics with errors are " + output.errorMetrics + ".";
}

alert (result);

This displays an alert box with the contents:

Base score is 8.6. Base severity is High. Temporal score is 8.2. Temporal severity is High. Environmental score is 6.0. Environmental severity is Medium. Vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/RL:O/CR:L.

CVSS.roundUp1

Takes an integer as input and returns it rounded up to one decimal place. An example of a call to this function is:

alert (roundUp1(3.141));

This displays an alert box with the contents:

3.2

CVSS.severityRating

Takes a CVSS score as input and returns the severity rating name associated with that score. An example of a call to this function is:

var rating = severityRating(4.8);

var result;
if (typeof rating === 'string') {
  result = "Returned severity rating is " + rating;
} else if (typeof rating === 'undefined') {
  result = "The input is not within the range of any defined severity rating.";
} else {
  result = "The input is not recognized as a number.";
}

alert (result);

This displays an alert box with the contents:

Returned severity rating is Medium.

CVSS.generateXMLFromMetrics

This is a rudimentary function to demonstrate how an XML representation of a given set of metric values can be generated. The inputs and errors are the same as for the CVSS.calculateCVSSFromMetrics function. The output is a string containing an XML representation of the metric values passed. If no error occurs, the string will be available in the xmlString property of the returned object.

An example of a call to this function is:

var output = CVSS.generateXMLFromMetrics('N','L','N','R','C','L','L','N',undefined,'W');

var result;
if (output.success === true) {
  result = output.xmlString;
} else {
  result =
    "An error occurred. The error type is '" + errorType +
    "' and the metrics with errors are " + errorMetrics + ".";
}

alert (result);

This displays an alert box whose contents begin with:

<pre class="output" markdown="1">
<?xml version="1.0" encoding="UTF-8"? markdown="1">
<cvssv3.0 xmlns="https://www.first.org/cvss/cvss-v3.0.xsd"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="https://www.first.org/cvss/cvss-v3.0.xsd https://www.first.org/cvss/cvss-v3.0.xsd"
  >

  <base_metrics markdown="1">
    <attack-vector markdown="1">NETWORK</attack-vector>
    <attack-complexity markdown="1">LOW</attack-complexity>
    <privileges-required markdown="1">NONE</privileges-required>
    …

Refer to the source code for more details on how errors are returned.

CVSS.generateXMLFromVector

This is a rudimentary function to demonstrate how an XML representation of a given Vector String can be generated. It is similar to the previous function except that it takes a Vector String as input. Outputs are the same, except that additional error types are defined to handle problems in the format of the Vector String.

An example of a call to this function is:

var output = CVSS.generateXMLFromVector('CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:W');

var result;
if (output.success === true) {
  result = output.xmlString;
} else {
  result =
    "An error occurred. The error type is '" + errorType +
    "' and the metrics with errors are " + errorMetrics + ".";
}

alert (result);

This displays an alert box whose contents begin with:

<pre class="output" markdown="1">
<?xml version="1.0" encoding="UTF-8"? markdown="1">
<cvssv3.0 xmlns="https://www.first.org/cvss/cvss-v3.0.xsd"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="https://www.first.org/cvss/cvss-v3.0.xsd https://www.first.org/cvss/cvss-v3.0.xsd"
  >

  <base_metrics markdown="1">
    <attack-vector markdown="1">NETWORK</attack-vector>
    <attack-complexity markdown="1">LOW</attack-complexity>
    <privileges-required markdown="1">NONE</privileges-required>
    …

Refer to the source code for more details on how errors are returned.

XML Schema Definition

It is sometimes useful to represent the CVSS metric values and scores for a vulnerability in XML format, e.g. to transfer CVSS data between systems. CVSS v3.0 has an XML Schema Definition (XSD) that defines an XML format for CVSS v3.0 vulnerabilities. The CVSS.generateXMLFromMetrics and CVSS.generateXMLFromVector functions output a given set of CVSS metrics in this XML format, and maybe a useful starting point if you wish to use XML. The following XSD files are available: