CVSS v4.0
CVSS::V4::Vector

```crystal
v = CVSS::V4::Vector.parse(
  "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
)
v.base_score                 # => 9.3
v.macro_vector               # => "000200"
v.impacts_subsequent_system? # => false
```

Class methods

| Method | Description |
| --- | --- |
| parse(input : String) : Vector | Requires the CVSS:4.0/ prefix. |
| parse?(input : String) : Vector? | Non-raising. |

Constructor
All eleven base metrics are required; threat / environmental / supplemental fields default to nil (unset).

```crystal
CVSS::V4::Vector.new(
  av:, ac:, at:, pr:, ui:,
  vc:, vi:, va:, sc:, si:, sa:,
  e: nil,
  cr: nil, ir: nil, ar: nil,
  mav: nil, mac: nil, mat: nil, mpr: nil, mui: nil,
  mvc: nil, mvi: nil, mva: nil, msc: nil, msi: nil, msa: nil,
  s: nil, au: nil, r: nil, v: nil, re: nil, u: nil,
)
```

Scoring

| Method | Description |
| --- | --- |
| base_score : Float64 | The single combined score. Threat (E) and Environmental are folded in via the macro vector. |
| threat_score : Float64 / environmental_score : Float64 | Aliases of base_score for API symmetry with v3. |
| macro_vector : String | The 6-character macro vector (EQ1 EQ2 EQ3 EQ4 EQ5 EQ6). |
| nomenclature : Nomenclature | Spec §6 classification: Base / BaseThreat / BaseEnvironmental / BaseThreatEnvironmental. to_s emits "CVSS-B" / "CVSS-BT" / "CVSS-BE" / "CVSS-BTE". |
| threat_set? : Bool | True when the Threat metric (E) is set and not X. |
| environmental_set? : Bool | True when any CR/IR/AR or Modified-base metric is set and not X. |
| severity : Severity | Standard 5-tier rating. |

Effective metric resolution
effective_code(name : String) : String mirrors the FIRST reference algorithm's m() function: it applies X-defaults (E:X → A, CR/IR/AR:X → H) and Modified-base overrides where applicable.

```crystal
v.effective_code("E")  # => "A" (E:X defaults to Attacked)
v.effective_code("AV") # => "P" if MAV:P set, otherwise the parsed AV
```

Classification helpers

| Method | Returns |
| --- | --- |
| network? / adjacent_network? / local? / physical? | Bool |
| requires_privileges? | Bool |
| requires_user_interaction? | Bool (true when UI != N, which covers Passive and Active) |
| impacts_confidentiality? / impacts_integrity? / impacts_availability? | Bool (vulnerable system impact) |
| impacts_subsequent_system? | Bool (any of SC/SI/SA != N) |

Serialization

| Method | Description |
| --- | --- |
| to_s | Canonical FIRST metric ordering. |
| to_h : Hash(String, String) | All set metrics. U keeps its full-word value (Clear, Green, Amber, Red). |
| to_json | NVD-shaped JSON with the macroVector field. |

Metric enums
Base (required)

| Enum | Codes |
| --- | --- |
| AttackVector | N, A, L, P |
| AttackComplexity | L, H |
| AttackRequirements | N, P |
| PrivilegesRequired | N, L, H |
| UserInteraction | N, P, A |
| VulnerableImpact (VC/VI/VA) | H, L, N |
| SubsequentImpact (SC/SI/SA) | H, L, N |

Threat

| Enum | Codes |
| --- | --- |
| ExploitMaturity | X, A, P, U |

Environmental

| Enum | Codes |
| --- | --- |
| SecurityRequirement (CR/IR/AR) | X, H, M, L |
| ModifiedAttackVector | X + base AV codes |
| ModifiedAttackComplexity | X, L, H |
| ModifiedAttackRequirements | X, N, P |
| ModifiedPrivilegesRequired | X, N, L, H |
| ModifiedUserInteraction | X, N, P, A |
| ModifiedVulnerableImpact (MVC/MVI/MVA) | X, H, L, N |
| ModifiedSubsequentConfidentiality (MSC) | X, H, L, N |
| ModifiedSubsequentIntegrity (MSI) | X, S, H, L, N (adds Safety) |
| ModifiedSubsequentAvailability (MSA) | X, S, H, L, N (adds Safety) |

MSI:S or MSA:S forces EQ4 = 0 in the macro vector.
Supplemental

| Enum | Codes |
| --- | --- |
| Safety (S) | X, N, P |
| Automatable (AU) | X, N, Y |
| Recovery (R) | X, A, U, I |
| ValueDensity (V) | X, D, C |
| ResponseEffort (RE) | X, L, M, H |
| ProviderUrgency (U) | X, Clear, Green, Amber, Red |

Macro vector internals
The 270-entry lookup table, max-severity vectors per equivalence class, and the depth-distance correction algorithm are ported verbatim from FIRSTdotorg/cvss-v4-calculator (BSD-2-Clause). Tables live in CVSS::V4::MacroVectorTables (LOOKUP, EQ1_MAXES, …, MAX_SEVERITY_EQ4). The scoring algorithm is in CVSS::V4::Score.
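
The effective-metric resolution and the macro vector described above, as an added standalone Crystal sketch (not the library's own code, and it does not call its API): it applies the X-defaults and Modified overrides, then derives the six EQ digits using the equivalence-class rules of the FIRST CVSS v4.0 specification. `metrics_of`, `effective`, `tier` and the second sample vector are constructed for this example.

```crystal
# Added example: standalone sketch of the EQ rules, not the library's code.
SECURITY_REQS = ["CR", "IR", "AR"]

# Split "CVSS:4.0/AV:N/..." into a metric => code hash.
def metrics_of(vector : String) : Hash(String, String)
  raise ArgumentError.new("missing CVSS:4.0/ prefix") unless vector.starts_with?("CVSS:4.0/")
  vector.lchop("CVSS:4.0/").split('/', remove_empty: true).to_h do |pair|
    name, code = pair.split(':', 2)
    {name, code}
  end
end

# X-defaults first (E:X -> A, CR/IR/AR:X -> H), then a Modified-base
# override when one is present and not X.
def effective(raw : Hash(String, String), name : String) : String
  code = raw.fetch(name, "X")
  if code == "X"
    return "A" if name == "E"
    return "H" if SECURITY_REQS.includes?(name)
  end
  modified = raw.fetch("M#{name}", "X")
  modified == "X" ? code : modified
end

# Three-level EQ digit: 0 is the most severe class, 2 the least.
def tier(zero : Bool, one : Bool) : Int32
  zero ? 0 : (one ? 1 : 2)
end

def macro_vector(vector : String) : String
  raw = metrics_of(vector)
  m = Hash(String, String).new { |_, name| effective(raw, name) }
  npu = ["AV", "PR", "UI"].map { |n| m[n] == "N" }
  vuln_h = ["VC", "VI", "VA"].map { |n| m[n] == "H" }
  sub_h = ["SC", "SI", "SA"].map { |n| m[n] == "H" }
  safety = m["MSI"] == "S" || m["MSA"] == "S" # forces EQ4 = 0
  req_hit = [{"CR", "VC"}, {"IR", "VI"}, {"AR", "VA"}].any? { |r, i| m[r] == "H" && m[i] == "H" }
  eq1 = tier(npu.all?, npu.any? && m["AV"] != "P")
  eq2 = (m["AC"] == "L" && m["AT"] == "N") ? 0 : 1
  eq3 = tier(vuln_h[0] && vuln_h[1], vuln_h.any?)
  eq4 = tier(safety, sub_h.any?)
  eq5 = {"A" => 0, "P" => 1, "U" => 2}[m["E"]]
  "#{eq1}#{eq2}#{eq3}#{eq4}#{eq5}#{req_hit ? 0 : 1}"
end

puts macro_vector("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N")
puts macro_vector("CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/MSI:S") # constructed
```

For the first vector these rules give EQ1..EQ6 = 0, 0, 0, 2, 0, 0, which is the "000200" shown at the top of this page; the score itself still requires the lookup table and the depth-distance correction, which this sketch does not cover.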