cvss.cr
A Crystal library that parses, scores, and serializes CVSS vector strings. Supports every released version of the standard.
| Version | Status | Notes |
|---|---|---|
| CVSS v2.0 | ✅ | Base + Temporal + Environmental |
| CVSS v3.0 | ✅ | Base + Temporal + Environmental (legacy RoundUp) |
| CVSS v3.1 | ✅ | Base + Temporal + Environmental |
| CVSS v4.0 | ✅ | MacroVector lookup + EQ-distance correction (FIRST reference algorithm) |
Quick Links
- Getting Started — installation and first use
- Basic Usage — parse, score, severity
- Scoring & Severity — base / temporal / environmental
- JSON & Filters — NVD-compatible serialization, classification helpers
- API Reference — all classes and methods
Highlights
- Auto-detecting top-level `CVSS.parse(string)` — routes by `CVSS:x.y/` prefix.
- Strict spec-compliant scoring: v3.1 RoundUp and v4.0 macro-vector tables ported from FIRST's reference implementations.
- `Comparable(Vector)` — sort and compare by base score across versions.
- Structural equality + `hash` — vectors work as `Set`/`Hash` keys.
- NVD-shaped `to_json` and `from_json` for SBOM / SARIF tooling interop.
- 25+ classification helpers (`network?`, `requires_privileges?`, `scope_changed?`, …).
- Non-raising `parse?` — for input validation paths.
Installation
Add the dependency to your `shard.yml`:

```yaml
dependencies:
  cvss:
    github: hahwul/cvss.cr
```

Then run:

```
shards install
```
Quick Example
```crystal
require "cvss"

vec = CVSS.parse("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
vec.base_score # => 9.8
vec.severity   # => CVSS::Severity::Critical
vec.network?   # => true
vec.to_json    # => {"version":"3.1","vectorString":"CVSS:3.1/...","baseScore":9.8, ...}
```
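
The non-raising `parse?` mentioned under Highlights is the entry point to use when vector strings come from an untrusted feed such as a scanner export. The following triage sketch is an added example, not code from the cvss.cr project; it uses only the methods shown above and assumes that `parse?` returns `nil` for any string it cannot parse. The helper name `triage` and the sample input are constructed for illustration.

```crystal
require "cvss"

# Constructed sample input: vector strings as they might arrive from a
# scanner export. The last two entries are deliberately malformed.
RAW = [
  "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
  "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
  "CVSS:3.1/AV:X/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "not a vector",
]

# Hypothetical helper: split the input into parsed vectors, ranked from the
# highest base score down, and the raw strings that failed validation.
# Assumption: CVSS.parse? returns nil instead of raising on bad input.
def triage(raw : Array(String))
  rejected = [] of String
  accepted = raw.compact_map do |s|
    vec = CVSS.parse?(s)
    rejected << s if vec.nil?
    vec
  end
  ranked = accepted.sort_by { |v| -v.base_score }
  {ranked, rejected}
end

ranked, rejected = triage(RAW)

# Report each accepted vector with its score, severity band and whether it
# is reachable over the network (the AV:N classification helper).
ranked.each do |v|
  exposure = v.network? ? "network" : "non-network"
  puts "#{v.base_score}\t#{v.severity}\t#{exposure}"
end

# Rejected input is logged with inspect so control characters in a hostile
# string cannot alter the log line.
rejected.each { |s| STDERR.puts "rejected vector: #{s.inspect}" }
```

Keeping the rejected strings rather than silently dropping them makes malformed feed entries visible in review instead of shrinking the finding count unnoticed.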