Merge branch 'master' into dependabot/maven/org.apache.maven.plugins-…

…maven-javadoc-plugin-3.5.0
stevespringett · Nov 2, 2023 · d29a0dc · d29a0dc
2 parents ac9637d + aa9cb82
commit d29a0dc
Show file tree

Hide file tree

Showing 8 changed files with 294 additions and 256 deletions.
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3.2.0
+    - uses: actions/checkout@v3.5.0
     - name: Set up JDK 1.8
       uses: actions/setup-java@v1
       with:

diff --git a/README.md b/README.md
@@ -44,7 +44,7 @@ CVSS Calculator is available in the Maven Central Repository.
 <dependency>
     <groupId>us.springett</groupId>
     <artifactId>cvss-calculator</artifactId>
-    <version>1.4.1</version>
+    <version>1.4.2</version>
 </dependency>
 ```
 

diff --git a/pom.xml b/pom.xml
@@ -4,7 +4,7 @@
 
     <groupId>us.springett</groupId>
     <artifactId>cvss-calculator</artifactId>
-    <version>1.4.2-SNAPSHOT</version>
+    <version>1.4.3-SNAPSHOT</version>
     <packaging>jar</packaging>
 
     <name>CVSS Calculator</name>
@@ -27,7 +27,7 @@
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <maven.javadoc.failOnError>false</maven.javadoc.failOnError>
         <!-- Maven Plugin Versions -->
-        <maven.cyclonedx.plugin.version>2.7.3</maven.cyclonedx.plugin.version>
+        <maven.cyclonedx.plugin.version>2.7.6</maven.cyclonedx.plugin.version>
         <maven.javadoc.plugin.version>3.5.0</maven.javadoc.plugin.version>
         <maven.source.plugin.version>3.2.1</maven.source.plugin.version>
     </properties>
@@ -135,7 +135,7 @@
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-enforcer-plugin</artifactId>
-                        <version>3.1.0</version>
+                        <version>3.2.1</version>
                         <executions>
                             <execution>
                                 <id>enforce-java</id>

diff --git a/src/main/java/us/springett/cvss/Cvss.java b/src/main/java/us/springett/cvss/Cvss.java
@@ -15,7 +15,6 @@
  */
 package us.springett.cvss;
 
-import java.util.StringTokenizer;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -27,12 +26,12 @@
  */
 public interface Cvss {
 
-    String V2_PATTERN = "AV:[NAL]\\/AC:[LMH]\\/A[Uu]:[NSM]\\/C:[NPC]\\/I:[NPC]\\/A:[NPC]";
+    String V2_PATTERN = "AV:(N|A|L)\\/AC:(L|M|H)\\/A[Uu]:(N|S|M)\\/C:(N|P|C)\\/I:(N|P|C)\\/A:(N|P|C)";
     String V2_TEMPORAL = "\\/E:\\b(F|H|U|POC|ND)\\b\\/RL:\\b(W|U|TF|OF|ND)\\b\\/RC:\\b(C|UR|UC|ND)\\b";
 
-    String V3_PATTERN = "AV:[NALP]\\/AC:[LH]\\/PR:[NLH]\\/UI:[NR]\\/S:[UC]\\/C:[NLH]\\/I:[NLH]\\/A:[NLH]";
-    String V3_TEMPORAL = "\\/E:[F|H|U|P|X]\\/RL:[W|U|T|O|X]\\/RC:[C|R|U|X]";
-    String V3_1_ENVIRONMENTAL = "\\/CR:[X|L|M|H]\\/IR:[X|L|M|H]\\/AR:[X|L|M|H]\\/MAV:[X|N|A|L|P]\\/MAC:[X|L|H]\\/MPR:[X|N|L|H]\\/MUI:[X|N|R]\\/MS:[X|U|C]\\/MC:[X|N|L|H]\\/MI:[X|N|L|H]\\/MA:[X|N|L|H]";
+    String V3_PATTERN = "AV:(N|A|L|P)\\/AC:(L|H)\\/PR:(N|L|H)\\/UI:(N|R)\\/S:(U|C)\\/C:(N|L|H)\\/I:(N|L|H)\\/A:(N|L|H)";
+    String V3_TEMPORAL = "\\/E:(F|H|U|P|X)\\/RL:(W|U|T|O|X)\\/RC:(C|R|U|X)";
+    String V3_1_ENVIRONMENTAL = "\\/CR:(X|L|M|H)\\/IR:(X|L|M|H)\\/AR:(X|L|M|H)\\/MAV:(X|N|A|L|P)\\/MAC:(X|L|H)\\/MPR:(X|N|L|H)\\/MUI:(X|N|R)\\/MS:(X|U|C)\\/MC:(X|N|L|H)\\/MI:(X|N|L|H)\\/MA:(X|N|L|H)";
 
     Pattern CVSSv2_PATTERN = Pattern.compile(V2_PATTERN);
     Pattern CVSSv2_PATTERN_TEMPORAL = Pattern.compile(V2_PATTERN + V2_TEMPORAL);
@@ -54,102 +53,97 @@ static Cvss fromVector(String vector) {
         if (vector == null) {
             return null;
         }
-        Matcher v2Matcher = CVSSv2_PATTERN.matcher(vector);
-        Matcher v2TemporalMatcher = CVSSv2_PATTERN_TEMPORAL.matcher(vector);
-        Matcher v3Matcher = CVSSv3_PATTERN.matcher(vector);
-        Matcher v3TemporalMatcher = CVSSv3_PATTERN_TEMPORAL.matcher(vector);
-        Matcher v3_1Matcher = CVSSv3_1_PATTERN.matcher(vector);
 
-        if (v2TemporalMatcher.find()) {
-            // Found a valid CVSSv2 vector with temporal values
-            String matchedVector = v2TemporalMatcher.group(0);
-            StringTokenizer st = new StringTokenizer(matchedVector, "/");
-            CvssV2 cvssV2 = getCvssV2BaseVector(st);
-            cvssV2.exploitability(CvssV2.Exploitability.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV2.remediationLevel(CvssV2.RemediationLevel.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV2.reportConfidence(CvssV2.ReportConfidence.fromString(st.nextElement().toString().split(":")[1]));
-            return cvssV2;
-        } else if (v2Matcher.find()) {
-            // Found a valid CVSSv2 vector
-            String matchedVector = v2Matcher.group(0);
-            StringTokenizer st = new StringTokenizer(matchedVector, "/");
-            return getCvssV2BaseVector(st);
-        } else if (v3_1Matcher.find()) {
+        Matcher v3_1Matcher = CVSSv3_1_PATTERN.matcher(vector);
+        if (v3_1Matcher.find()) {
             // Found a valid CVSSv3.1 vector
-            String matchedVector = v3_1Matcher.group(0);
-            StringTokenizer st = new StringTokenizer(matchedVector, "/");
-            CvssV3_1 cvssV3_1 = getCvssV3_1BaseVector(st);
-
-            cvssV3_1.exploitability(CvssV3.Exploitability.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3_1.remediationLevel(CvssV3.RemediationLevel.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3_1.reportConfidence(CvssV3.ReportConfidence.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3_1.confidentialityRequirement(CvssV3_1.ConfidentialityRequirement.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3_1.integrityRequirement(CvssV3_1.IntegrityRequirement.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3_1.availabilityRequirement(CvssV3_1.AvailabilityRequirement.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3_1.modifiedAttackVector(CvssV3_1.ModifiedAttackVector.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3_1.modifiedAttackComplexity(CvssV3_1.ModifiedAttackComplexity.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3_1.modifiedPrivilegesRequired(CvssV3_1.ModifiedPrivilegesRequired.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3_1.modifiedUserInteraction(CvssV3_1.ModifiedUserInteraction.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3_1.modifiedScope(CvssV3_1.ModifiedScope.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3_1.modifiedConfidentialityImpact(CvssV3_1.ModifiedCIA.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3_1.modifiedIntegrityImpact(CvssV3_1.ModifiedCIA.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3_1.modifiedAvailabilityImpact(CvssV3_1.ModifiedCIA.fromString(st.nextElement().toString().split(":")[1]));
+            char [] vectorChars = vector.toCharArray();
+            CvssV3_1 cvssV3_1 = getCvssV3_1BaseVector(v3_1Matcher, vectorChars);
+            fillV3TemporalValues(v3_1Matcher, vectorChars, cvssV3_1);
+            cvssV3_1.confidentialityRequirement(CvssV3_1.ConfidentialityRequirement.fromChar(vectorChars[v3_1Matcher.start(12)]));
+            cvssV3_1.integrityRequirement(CvssV3_1.IntegrityRequirement.fromChar(vectorChars[v3_1Matcher.start(13)]));
+            cvssV3_1.availabilityRequirement(CvssV3_1.AvailabilityRequirement.fromChar(vectorChars[v3_1Matcher.start(14)]));
+            cvssV3_1.modifiedAttackVector(CvssV3_1.ModifiedAttackVector.fromChar(vectorChars[v3_1Matcher.start(15)]));
+            cvssV3_1.modifiedAttackComplexity(CvssV3_1.ModifiedAttackComplexity.fromChar(vectorChars[v3_1Matcher.start(16)]));
+            cvssV3_1.modifiedPrivilegesRequired(CvssV3_1.ModifiedPrivilegesRequired.fromChar(vectorChars[v3_1Matcher.start(17)]));
+            cvssV3_1.modifiedUserInteraction(CvssV3_1.ModifiedUserInteraction.fromChar(vectorChars[v3_1Matcher.start(18)]));
+            cvssV3_1.modifiedScope(CvssV3_1.ModifiedScope.fromChar(vectorChars[v3_1Matcher.start(19)]));
+            cvssV3_1.modifiedConfidentialityImpact(CvssV3_1.ModifiedCIA.fromChar(vectorChars[v3_1Matcher.start(20)]));
+            cvssV3_1.modifiedIntegrityImpact(CvssV3_1.ModifiedCIA.fromChar(vectorChars[v3_1Matcher.start(21)]));
+            cvssV3_1.modifiedAvailabilityImpact(CvssV3_1.ModifiedCIA.fromChar(vectorChars[v3_1Matcher.start(22)]));
             return cvssV3_1;
-        } else if (v3TemporalMatcher.find()) {
+        }
+        Matcher v3TemporalMatcher = CVSSv3_PATTERN_TEMPORAL.matcher(vector);
+        if (v3TemporalMatcher.find()) {
+            char [] vectorChars = vector.toCharArray();
             // Found a valid CVSSv3 vector with temporal values
-            String matchedVector = v3TemporalMatcher.group(0);
-            StringTokenizer st = new StringTokenizer(matchedVector, "/");
-            CvssV3 cvssV3;
-            cvssV3 = getCvssV3BaseVector(st);
-
-            cvssV3.exploitability(CvssV3.Exploitability.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3.remediationLevel(CvssV3.RemediationLevel.fromString(st.nextElement().toString().split(":")[1]));
-            cvssV3.reportConfidence(CvssV3.ReportConfidence.fromString(st.nextElement().toString().split(":")[1]));
+            CvssV3 cvssV3 = getCvssV3BaseVector(v3TemporalMatcher, vectorChars);
+            fillV3TemporalValues(v3TemporalMatcher, vectorChars, cvssV3);
             return cvssV3;
-        } else if (v3Matcher.find()) {
+        }
+        Matcher v3Matcher = CVSSv3_PATTERN.matcher(vector);
+        if (v3Matcher.find()) {
+            char [] vectorChars = vector.toCharArray();
             // Found a valid CVSSv3 vector
-            String matchedVector = v3Matcher.group(0);
-            StringTokenizer st = new StringTokenizer(matchedVector, "/");
-
-            return getCvssV3BaseVector(st);
+            return getCvssV3BaseVector(v3Matcher, vectorChars);
         }
+        Matcher v2TemporalMatcher = CVSSv2_PATTERN_TEMPORAL.matcher(vector);
+        if (v2TemporalMatcher.find()) {
+            // Found a valid CVSSv2 vector with temporal values
+            CvssV2 cvssV2 = getCvssV2BaseVector(v2TemporalMatcher, vector.toCharArray());
+            cvssV2.exploitability(CvssV2.Exploitability.fromString(v2TemporalMatcher.group(7)));
+            cvssV2.remediationLevel(CvssV2.RemediationLevel.fromString(v2TemporalMatcher.group(8)));
+            cvssV2.reportConfidence(CvssV2.ReportConfidence.fromString(v2TemporalMatcher.group(9)));
+            return cvssV2;
+        }
+        Matcher v2Matcher = CVSSv2_PATTERN.matcher(vector);
+        if (v2Matcher.find()) {
+            // Found a valid CVSSv2 vector
+            return getCvssV2BaseVector(v2Matcher, vector.toCharArray());
+        } else
         return null;
     }
 
-    static CvssV2 getCvssV2BaseVector(StringTokenizer st) {
+    static void fillV3TemporalValues(Matcher v3TemporalMatcher, char[] vectorChars, CvssV3 cvssV3) {
+        cvssV3.exploitability(CvssV3.Exploitability.fromChar(vectorChars[v3TemporalMatcher.start(9)]));
+        cvssV3.remediationLevel(CvssV3.RemediationLevel.fromChar(vectorChars[v3TemporalMatcher.start(10)]));
+        cvssV3.reportConfidence(CvssV3.ReportConfidence.fromChar(vectorChars[v3TemporalMatcher.start(11)]));
+    }
+
+    static CvssV2 getCvssV2BaseVector(Matcher st, char [] array) {
         CvssV2 cvssV2 = new CvssV2();
-        cvssV2.attackVector(CvssV2.AttackVector.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV2.attackComplexity(CvssV2.AttackComplexity.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV2.authentication(CvssV2.Authentication.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV2.confidentiality(CvssV2.CIA.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV2.integrity(CvssV2.CIA.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV2.availability(CvssV2.CIA.fromString(st.nextElement().toString().split(":")[1]));
+        cvssV2.attackVector(CvssV2.AttackVector.fromChar(array[st.start(1)]));
+        cvssV2.attackComplexity(CvssV2.AttackComplexity.fromChar(array[st.start(2)]));
+        cvssV2.authentication(CvssV2.Authentication.fromChar(array[st.start(3)]));
+        cvssV2.confidentiality(CvssV2.CIA.fromChar(array[st.start(4)]));
+        cvssV2.integrity(CvssV2.CIA.fromChar(array[st.start(5)]));
+        cvssV2.availability(CvssV2.CIA.fromChar(array[st.start(6)]));
         return cvssV2;
     }
 
-    static CvssV3 getCvssV3BaseVector(StringTokenizer st) {
+    static CvssV3 getCvssV3BaseVector(Matcher st, char [] array) {
         CvssV3 cvssV3 = new CvssV3();
-        cvssV3.attackVector(CvssV3.AttackVector.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3.attackComplexity(CvssV3.AttackComplexity.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3.privilegesRequired(CvssV3.PrivilegesRequired.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3.userInteraction(CvssV3.UserInteraction.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3.scope(CvssV3.Scope.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3.confidentiality(CvssV3.CIA.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3.integrity(CvssV3.CIA.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3.availability(CvssV3.CIA.fromString(st.nextElement().toString().split(":")[1]));
+        cvssV3.attackVector(CvssV3.AttackVector.fromChar(array[st.start(1)]));
+        cvssV3.attackComplexity(CvssV3.AttackComplexity.fromChar(array[st.start(2)]));
+        cvssV3.privilegesRequired(CvssV3.PrivilegesRequired.fromChar(array[st.start(3)]));
+        cvssV3.userInteraction(CvssV3.UserInteraction.fromChar(array[st.start(4)]));
+        cvssV3.scope(CvssV3.Scope.fromChar(array[st.start(5)]));
+        cvssV3.confidentiality(CvssV3.CIA.fromString(array[st.start(6)]));
+        cvssV3.integrity(CvssV3.CIA.fromString(array[st.start(7)]));
+        cvssV3.availability(CvssV3.CIA.fromString(array[st.start(8)]));
         return cvssV3;
     }
 
-    static CvssV3_1 getCvssV3_1BaseVector(StringTokenizer st) {
+    static CvssV3_1 getCvssV3_1BaseVector(Matcher st, char [] array) {
         CvssV3_1 cvssV3_1 = new CvssV3_1();
-        cvssV3_1.attackVector(CvssV3.AttackVector.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3_1.attackComplexity(CvssV3.AttackComplexity.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3_1.privilegesRequired(CvssV3.PrivilegesRequired.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3_1.userInteraction(CvssV3.UserInteraction.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3_1.scope(CvssV3.Scope.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3_1.confidentiality(CvssV3.CIA.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3_1.integrity(CvssV3.CIA.fromString(st.nextElement().toString().split(":")[1]));
-        cvssV3_1.availability(CvssV3.CIA.fromString(st.nextElement().toString().split(":")[1]));
+        cvssV3_1.attackVector(CvssV3.AttackVector.fromChar(array[st.start(1)]));
+        cvssV3_1.attackComplexity(CvssV3.AttackComplexity.fromChar(array[st.start(2)]));
+        cvssV3_1.privilegesRequired(CvssV3.PrivilegesRequired.fromChar(array[st.start(3)]));
+        cvssV3_1.userInteraction(CvssV3.UserInteraction.fromChar(array[st.start(4)]));
+        cvssV3_1.scope(CvssV3.Scope.fromChar(array[st.start(5)]));
+        cvssV3_1.confidentiality(CvssV3.CIA.fromString(array[st.start(6)]));
+        cvssV3_1.integrity(CvssV3.CIA.fromString(array[st.start(7)]));
+        cvssV3_1.availability(CvssV3.CIA.fromString(array[st.start(8)]));
         return cvssV3_1;
     }