# Change Log
All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/).
## [4.1.2] - 2025-12-05
### Improvements
* Relax the dependency requirement for bigdecimal, now compatible with all versions below 4.x. (@sachin-sandhu)
## [4.1.1] - 2025-05-11
### Fixes
See [v4.1.1](https://github.com/0llirocks/cvss-suite/releases/tag/v4.1.1). (@jgarber-cisco)
## [4.1.0] - 2025-04-27
### Improvements
* Expose impact and exploitability sub-scores for CVSS 2 and CVSS 3.x. (@jgarber-cisco)
## [4.0.0] - 2024-08-31
### Breaking Changes
* Removed score method for all CVSS 4.0 metrics. Since CVSS 4.0 only has one score, it doesn't make sense for each metric to return a separate score. See [#46](https://github.com/0llirocks/cvss-suite/issues/46) for more information.
## [3.3.0] - 2024-08-31
### Improvements
* Prepare support for ruby 3.4. Closes [#44](https://github.com/0llirocks/cvss-suite/issues/44). Many thanks to @HParker for adding this feature.
* Add score method for CVSS 4.0 and later as an alias for overall_score.
## [3.2.2] - 2024-08-04
### Fixes
* Add extra CVSS vector validations for 3.1 and lower. Fixes [#41](https://github.com/0llirocks/cvss-suite/issues/41)
### Notes
* An invalid value like E:R (R doesn't exist) now counts as invalid, resulting in an invalid vector. In <= 3.2.1 an invalid value would be ignored/counted as default value.
## [3.2.1] - 2024-05-25
### Fixes
* String.truncate method in Rails gets overwritten. Fixes [#39](https://github.com/0llirocks/cvss-suite/issues/39)
## [3.2.0] - 2024-05-04
### Improvements
* Add support for CVSS version 4. Closes [#32](https://github.com/0llirocks/cvss-suite/issues/32). Many thanks to @brphelps for adding this feature.
### Notes
* CVSS version 4 no longer has multiple scores, only one overall score. Keep that in mind when using CVSS version 4.
## [3.1.1] - 2023-10-15
### Fixes
* CVSS prefix is missing in v3.1.0. Fixes [#33](https://github.com/0llirocks/cvss-suite/issues/33)
## [3.1.0] - 2022-09-27
### Fixes
* Metrics are no longer order-dependent. Fixes [#30](https://github.com/0llirocks/cvss-suite/issues/30)
### Improvements
* Temporal and Environmental metrics can now be partly omitted instead of setting them to X.
## [3.0.1] - 2022-03-13
### Notes
* Updated specification reference due to [Removing the edit linkset form](https://blog.rubygems.org/2019/03/08/and-then-there-was-one-metadata-links.html) and [Unable to edit gem online](https://github.com/rubygems/rubygems.org/issues/1899)
## [3.0.0] - 2022-03-13
### Breaking Changes
* Ruby >= 2.6 is now required
### Notes
* Moved repository to its new home
## [2.0.2] - 2020-12-05
### Fixes
* CVSS v2 now returns the correct severity values based on NVD recommendation
* CVSS v2 now supports vectors which are enclosed in parentheses, e.g. (AV:N/AC:L/Au:N/C:P/I:P/A:P)
## [2.0.1] - 2020-07-19
### Fixes
Fixed an error that resulted in incorrect environmental score if modified attributes were not defined.
## [2.0.0] - 2020-05-10
### Breaking Changes
* Ruby >= 2.4 is now required
* Renamed choice/choices to value/values
### Improvements
* Added CvssSuite module to every class (thanks to @fwininger)
* Removed override for integer and float (thanks to @fwininger)
* Added rubocop to development environment (thanks to @fwininger)
### Notes
Adding CvssSuite module everywhere means it’s no longer possible to access a class without it. Since this only affects the undocumented and ‘internal’ classes this should not affect you. If you’re using them, stop it.
Still works:
```ruby
cvss = CvssSuite.new('string')
```
Won’t work anymore (without any code change):
```ruby
cvss = Cvss31.new('string')
```
This would need to be CvssSuite::Cvss31.new('string') to work. Or you could include the whole namespace.
## [1.2.0] - 2019-07-02
### Notes
Because version 2.0 of this gem will include breaking changes, please make sure to include this gem in your gemfile as shown below to not automatically update to version 2.0.
```ruby
gem 'cvss-suite', '~> 1.2'
```
### Improvements
* Added Severity
* Added CVSS 3.1
* CVSS 3.0 vectors now return 3.0 instead of 3 as version
### Changes in CVSS 3.1 [Source](https://www.first.org/cvss/v3.1/user-guide)
* The Temporal Score for all vulnerabilities which have a Base Score of 2.5, 5.0 or 10.0, Exploit Code Maturity (E) of High (H), Remediation Level (RL) of Unavailable (U) and Report Confidence (RC) of Unknown (U) is 0.1 lower in CVSS v3.1 than for 3.0.
* Some combinations of metrics have Environmental Scores that differ when scored with CVSS v3.1 rather than v3.0. This is due to a combination of the redefinition of Roundup and the change to the ModifiedImpact sub-formula. Less than 7% of metric combinations are 0.1 higher in CVSS v3.1 than v3.0, and less than 1% are 0.1 lower. No Environmental Scores differ by more than 0.1.
* Other implementations of the CVSS formulas may see different scoring changes between CVSS v3.0 and v3.1 if they previously generated different CVSS v3.0 scores due to the problems that the CVSS v3.1 formula changes are intended to fix.
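The Temporal Score difference described above comes from floating-point error in the v3.0-style Roundup. The following sketch is an added illustration, not code from cvss-suite: the helper names are hypothetical, and the metric weights and the v3.1 Roundup definition are taken from the FIRST CVSS specification.

```ruby
# Added illustration; not part of the cvss-suite gem.
# Temporal metric weights from the FIRST CVSS v3.x specification.
E_HIGH = 1.0          # Exploit Code Maturity: High
RL_UNAVAILABLE = 1.0  # Remediation Level: Unavailable
RC_UNKNOWN = 0.92     # Report Confidence: Unknown

# v3.0 Roundup as typically written with floats: smallest one-decimal
# number >= value. Tiny representation errors push it one step too far.
def roundup30(value)
  (value * 10).ceil / 10.0
end

# v3.1 Roundup: work on an integer scaled by 100,000 so that values
# which are "really" exact to one decimal are returned unchanged.
def roundup31(value)
  int_input = (value * 100_000).round
  if (int_input % 10_000).zero?
    int_input / 100_000.0
  else
    ((int_input / 10_000) + 1) / 10.0
  end
end

# Temporal Score = Roundup(Base * E * RL * RC), under both definitions.
def temporal_scores(base)
  raw = base * E_HIGH * RL_UNAVAILABLE * RC_UNKNOWN
  { v30: roundup30(raw), v31: roundup31(raw) }
end

# 2.5, 5.0 and 10.0 are the base scores named in the note above;
# 7.5 is a constructed control value where both definitions agree.
[2.5, 5.0, 10.0, 7.5].each do |base|
  puts "base #{base}: #{temporal_scores(base)}"
end
```

For a base score of 10.0 the raw product is 9.200000000000001 rather than 9.2, which is why the float-based v3.0 Roundup lands on 9.3.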
## [1.1.2] - 2018-12-28
### Fixes
Replaced Fixnum by Integer to improve compatibility with newer versions of Ruby.
### Improvements
Added example for CVSS v3 to README.
## [1.1.1] - 2018-10-18
### Fixes
Corrects behaviour when using "CVSS:3.0/" as vector. Bugfix for #3.
## [1.1.0] - 2018-10-17
### Notes
This update might break some of your code, please check the following changes carefully.
### Fixes
* New CvssSuiteErrors are introduced to improve exception handling.
* Initialization of CvssSuite with an invalid vector does not throw an exception anymore. It will return an InvalidCvss
instead, which returns false for valid? and throws an exception for all other methods. See the updated README for
examples.
### Improvements
Finally the webpage is officially linked in the gem.
## [1.0.8] - 2016-09-30
### Fixes
Fixes a bug with rounding Fixnums in CVSS3.
## [1.0.7] - 2016-06-23
### Improvements
Removes gems: Rake & badgerbadgerbadger. Improved documentation, webpage (github) is coming very soon!
## [1.0.6] - 2016-04-15
### Fixes
In production we spotted a problem with calculating the temporal score in CVSS3. This version fixes this issue.
## [1.0.5] - 2016-04-15
### Fixes
Due to troubleshooting issues I forgot to rename a variable; this version fixes this issue.
Versions 1.0.1 to 1.0.4 are broken due to this error, do **NOT** use these versions. Use ≥ 1.0.5 instead.
## [1.0.2] - 2016-04-15
### Troubleshooting
Tried to fix an error. It turned out to be a local problem. Due to this I increased the version by 2. It's 1.0.2 now.
## [1.0.0] - 2016-04-15
### Initial release
First release of this gem.