Various Fixes: bug in CVSS calculation, rephrasing in legal texts, background color for table headers, correct titles in appendix, add CVSSv3.1 string to a CVSS table

2025-12-10 15:28:15 +01:00 · 2025-12-10 15:28:15 +01:00 · b3e0763b40
commit b3e0763b40
parent 0e3a4516fc
2 changed files with 38 additions and 15 deletions
--- a/helper.typ
+++ b/helper.typ
@ -88,7 +88,7 @@
  let privilegesLookup = ("N": 0.85, "L": if scope == "U" { 0.62 } else { 0.68 }, "H": if scope == "U" { 0.27 } else { 0.5 })
  let userInteractionLookup = ("N": 0.85, "R": 0.62)
  let iss = 1 - ((1 - issLookup.at(confidentiality)) * (1 - issLookup.at(integrity)) * (1 - issLookup.at(availability)))
-  let impact = if scope == "U" { 6.42 * iss } else { 7.52 * (ISS - 0.029) - 3.25 * (ISS - 0.02)}
+  let impact = if scope == "U" { 6.42 * iss } else { 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02)}
  let exploitability = 8.22 * attackVectorLookup.at(attackVector) * attackComplexityLookup.at(attackComplexity) * privilegesLookup.at(privilegesRequired) * userInteractionLookup.at(userInteraction)
  let baseScore = if impact <= 0 { 0 } else { if scope == "U" { calc.round(calc.min(impact + exploitability, 10), digits: 1) } else { calc.round(calc.min(1.08 * (impact + exploitability), 10), digits: 1) } }

@ -105,15 +105,35 @@
    status = "None"
  }

-  table(
-    columns: (1fr, 1fr, 1fr, 1fr, 1fr, 1fr, 1fr, 1fr, 1fr),
-    align: center,
-    stroke: 1pt,
-    table.cell(colspan: 5)[*Exploitability Metrics*],
-    table.cell(colspan: 3)[*Impact Metrics*],
-    table.cell(rowspan: 2, align: bottom)[*#sym.sum*],
-    [*AV*], [*AC*], [*PR*], [*UI*], [*S*], [*C*], [*I*], [*A*],
-    attackVector, attackComplexity, privilegesRequired, userInteraction, scope, ciacolor(confidentiality), ciacolor(integrity), ciacolor(availability), cvsscolor(status),
+  block(
+    [
+      #block(
+        spacing: 0.4em,
+        table(
+          columns: (1fr, 1fr, 1fr, 1fr, 1fr, 1fr, 1fr, 1fr, 1fr),
+          align: center,
+          stroke: 1pt,
+          table.cell(colspan: 5)[*Exploitability Metrics*],
+          table.cell(colspan: 3)[*Impact Metrics*],
+          table.cell(rowspan: 2, align: bottom)[*#sym.sum*],
+          [*AV*], [*AC*], [*PR*], [*UI*], [*S*], [*C*], [*I*], [*A*],
+          attackVector, attackComplexity, privilegesRequired, userInteraction, scope, ciacolor(confidentiality), ciacolor(integrity), ciacolor(availability), cvsscolor(status),
+        )
+      )
+      #align(right)[
+        #text(
+        size: 10pt,
+        fill: gray,
+        "CVSS:3.1/AV:" + attackVector +
+        "/AC:" + attackComplexity +
+        "/PR:" + privilegesRequired +
+        "/UI:" + userInteraction +
+        "/S:" + scope +
+        "/C:" + confidentiality +
+        "/I:" + integrity +
+        "/A:" + availability
+      )]
+    ]
  )

  updateRiskCategoryStats(status)
--- a/pages.typ
+++ b/pages.typ
@ -75,12 +75,12 @@
    )

    #heading(level: 2, outlined:false, "Classification")
-    This report and all associated materials are strictly confidential and may be communicated and/or distributed by the Client only with written approval of the author. All report data, including findings and recommendations, may be stored encrypted in the author's secure archive for a minimum of 3 months post-engagement, in compliance with applicable data protection regulations.
+    This report and all associated materials are strictly confidential and may be communicated and/or distributed by the Client only with written approval of the author. All report data, including findings and recommendations, may be stored encrypted in the author's secure archive post-engagement, in compliance with applicable data protection regulations.

    #heading(level: 2, outlined:false, "Legal Disclaimer")
    This report constitutes the professional findings of a penetration test conducted under the scope and terms agreed upon by the client. All results reflect the state of security vulnerabilities as assessed during the engagement using standardized methodologies and tools. The findings presented are not guarantees of security or compliance; they represent identified weaknesses which may require remediation as by the professional impression of the author.

-    The client is responsible for interpreting these findings within their operational context and for implementing appropriate security measures. No liability is assumed for actions taken based on this report. This assessment does not constitute security certification, and its results are valid only for the scope and timeframe of the engagement. Neither the contents of this document nor the expressions of the author in any form are legal advice.
+    The client is responsible for interpreting these findings within their operational context and for implementing appropriate security measures. No liability is taken for actions which are based on this report. This assessment does not constitute security certification, and its results are valid only for the scope and timeframe of the engagement. Neither the contents of this document nor the expressions of the author in any form are legal advice.
  ])
 }

@ -158,7 +158,10 @@
    #table(
      columns: (25%, 50%, 25%),
      align: center,
-      [*Type*], [*Value*], [*State*],
+      inset: 10pt,
+      table.cell(fill: color.linear-rgb(4.5%, 14.5%, 14.5%, 100))[*Type*],
+      table.cell(fill: color.linear-rgb(4.5%, 14.5%, 14.5%, 100))[*Value*],
+      table.cell(fill: color.linear-rgb(4.5%, 14.5%, 14.5%, 100))[*State*],
      ..for (i, value) in scope.enumerate() {
        (
          table.cell(value.type),
@ -265,7 +268,7 @@

 #let boxAppendix() = {
  [
-    == Appendix: Penetration Testing Box Scenarios
+    == Penetration Testing Box Scenarios

    Penetration testing engagements are classified by the level of information provided to the testing team. This classification directly impacts the methodology, scope, and findings. The three standard scenarios are *Black Box*, *Grey Box*, and *White Box*. While Black Box and White Box refer to quite clear and precise situations, Grey box is a bit vague, in-between of both. Due to this, these terms should always be interpreted in the current situation and not be seen as precise and clear terminology. Nonetheless, the selection of the box scenario directly determines the scope of findings and realism of threat simulation. Black box tests external risks, grey box evaluates insider-adjacent threats, and white box provides the deepest technical analysis.

@ -291,7 +294,7 @@

 #let tlpAppendix() = {
  [
-    == Appendix: Traffic Light Protocol
+    == Traffic Light Protocol

    The Traffic Light Protocol (TLP) is a standardised system designed to accelerate collaborative response to security incidents by clarifying sharing boundaries for sensitive information. Information flows from an information source (e.g., a pentesting team) to recipients (e.g., clients or partners), with TLP labels governing permissible dissemination. The TLP labels standardised by FIRST#footnote("https://www.first.org/tlp/") are *RED*, *AMBER* and *AMBER+STRICT*, *GREEN*, and *CLEAR*.