
Introduction

Scores is Fluid Attacks’ CVSS v4 calculator tool designed to assist users in calculating CVSS v4 vectors and scores using context. It interprets vulnerability descriptions, suggests appropriate metric values, and generates a complete CVSS vector.

One of the most important context inputs when calculating the score is an existing CVSS v3 score. If none is supplied, the default defined in “Defines” is used, which influences the final score. This approach is taken because the context provided in vulnerability descriptions is often very poor.

Contributing

Please read the contributing page first.

Using the CLI

The Scores module provides a command-line interface (CLI) to facilitate the calculation of CVSS scores. Below are the instructions on how to use the CLI effectively.

Command Structure

To run the CLI, use the following command:

    nix run ./scores [arg]
    nix run ./scores -- [options]

Arguments

  • arg (optional): A valid JSON string representing a VulnerabilityMetadata object. This argument allows you to pass vulnerability details directly to the CLI for processing.

    from pydantic import BaseModel

    class VulnerabilityMetadata(BaseModel):
        vulnerability_description: str
        finding: str
        finding_description: str | None = None
        cwe: list[str] | None = None
        cvss_v3: str | None = None

Options

  • --interactive: Run the CLI in interactive mode. When this option is used, the CLI will prompt you to enter the required fields one by one.

Example Usage

  1. Interactive Mode: To run the CLI in interactive mode, simply use the command:

    nix run ./scores -- --interactive

    You will be prompted to enter the following fields:

    • vulnerability_description: A description of the vulnerability (required).
    • finding: The finding associated with the vulnerability (required).
    • cwe: A comma-separated list of Common Weakness Enumerations (optional).
    • cvss_v3: An existing CVSS v3 vector (optional).
  2. Using JSON Argument: If you have a JSON string ready, you can pass it directly as an argument:

    nix run ./scores '{
      "vulnerability_description": "Example description",
      "finding": "F123",
      "cwe": ["CWE-79"],
      "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:N"
    }'

Output

Upon successful validation of the input, the CLI will display the validated input and generate the corresponding CVSS score.

If there are any validation errors, appropriate error messages will be displayed to guide you in correcting the input.