This Python package contains CVSS v2, v3 and v4 computation utilities and an interactive calculator (for v2 and v3 only) compatible with Python 3. CVSS (Common Vulnerability Scoring System) is a standardized method for rating the severity of security issues on a scale from 0 (no impact) to 10 (critical).
See the pypi.org - cvss website.
Let's install the cvss python package.
python -m pip install cvss
Collecting cvss
Downloading cvss-3.6-py2.py3-none-any.whl.metadata (3.8 kB)
Downloading cvss-3.6-py2.py3-none-any.whl (31 kB)
Installing collected packages: cvss
WARNING: The script cvss_calculator.exe is installed in 'C:\python-3_10_11\Scripts' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed cvss-3.6

How this works:

NVD Database (online)
        |
        | JSON feed
        v
Python script ----> parses CVE + CVSS vector
        |
        | uses cvss library
        v
Scores vulnerabilities (Base, Temporal, Environmental)
        |
        | inserts results
        v
Your local database (SQL)
        |
        v
Dashboard / API / Alerts

Simple source code example:
#!/usr/bin/env python3
# Demonstrates how to score a CVSS vector using the open-source "cvss" library.
# Validation and error handling included.
import sys

from cvss import CVSS3  # CVSS2, CVSS3 and CVSS4 are available


def score_cvss_vector(vector: str):
    """
    Validates and scores a CVSS3 vector string.
    Returns the normalized vector, the (base, temporal, environmental) scores
    and the matching severities.
    """
    if not isinstance(vector, str) or not vector.strip():
        raise ValueError("Vector must be a non-empty string.")
    try:
        c = CVSS3(vector)
    except Exception as e:
        # The library raises its own malformed-vector errors; surface them as ValueError.
        raise ValueError(f"Invalid CVSS3 vector: {e}")
    return c.clean_vector(), c.scores(), c.severities()


def main():
    if len(sys.argv) != 2:
        print("Usage: python main.py '<CVSS3_VECTOR>'")
        print("Example:")
        print("python main.py 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'")
        sys.exit(1)
    vector = sys.argv[1]
    try:
        clean_v, scores, severity = score_cvss_vector(vector)
        print("Input vector:", vector)
        print("Normalized vector:", clean_v)
        print("Scores:", scores)
        print("Severity:", severity)
    except ValueError as e:
        print("Error:", e)
        sys.exit(1)


if __name__ == "__main__":
    main()

The result is this:
python main.py CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Input vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Normalized vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Scores: (9.8, 9.8, 9.8)
Severity: ('Critical', 'Critical', 'Critical')

Another source code with examples:
#!/usr/bin/env python3
# Requires: pip install cvss
from cvss import CVSS3

# Example vulnerabilities (safe, educational)
vulns = [
    {
        "language": "Python",
        "title": "Unsafe eval usage",
        "description": "Code that executes user-provided input using eval().",
        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
    },
    {
        "language": "C#",
        "title": "Insecure deserialization",
        "description": "BinaryFormatter deserialization of untrusted data.",
        "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    },
    {
        "language": "Godot Engine",
        "title": "Unvalidated file path access",
        "description": "Loading files from paths provided by the user without validation.",
        "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
    },
]


def analyze_vulnerabilities(vuln_list):
    """Score each entry's vector and print base, temporal and environmental results."""
    for v in vuln_list:
        print("\n====================================")
        print("Language:", v["language"])
        print("Issue:", v["title"])
        print("Description:", v["description"])
        print("CVSS Vector:", v["cvss_vector"])
        try:
            cv = CVSS3(v["cvss_vector"])
            base, temp, env = cv.scores()
            sev_base, sev_temp, sev_env = cv.severities()
            print("Base Score:", base, "-", sev_base)
            print("Temporal Score:", temp, "-", sev_temp)
            print("Environmental Score:", env, "-", sev_env)
        except Exception as e:
            print("Invalid CVSS vector:", e)


if __name__ == "__main__":
    analyze_vulnerabilities(vulns)

This is the result:
python main_002.py
====================================
Language: Python
Issue: Unsafe eval usage
Description: Code that executes user-provided input using eval().
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Base Score: 8.1 - High
Temporal Score: 8.1 - High
Environmental Score: 8.1 - High
====================================
Language: C#
Issue: Insecure deserialization
Description: BinaryFormatter deserialization of untrusted data.
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 9.8 - Critical
Temporal Score: 9.8 - Critical
Environmental Score: 9.8 - Critical
====================================
Language: Godot Engine
Issue: Unvalidated file path access
Description: Loading files from paths provided by the user without validation.
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Base Score: 4.4 - Medium
Temporal Score: 4.4 - Medium
Environmental Score: 4.4 - Medium