GitHub - l4rm4nd/Pentest-Risk-API: Simple Python Flask API server that returns OWASP/CVSS scores for vector strings · GitHub
Skip to content

l4rm4nd/Pentest-Risk-API

BranchesTags

Repository files navigation

Pentest-Risk-API (PRA)

Simple Python Flask API server that returns risk scores for CVSS and OWASP Risk Rating vector strings.

🐳 Usage

You can use the provided docker-compose.yml or just run:

docker run -it -rm -p 5000:5000 ghcr.io/l4rm4nd/pentest-risk-api:latest

CVSS Risk Rating

# query CVSS 2.0 vector
curl "http://127.0.0.1:5000/cvss?vector=CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C"
# query CVSS 3.1 vector
curl "http://127.0.0.1:5000/cvss?vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
# query CVSS 4.0 vector
curl "http://127.0.0.1:5000/cvss?vector=CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"

Example response:

{
  "api_version": "0.1.0",
  "cvss_score": 9.8,
  "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "risk_severity": "CRITICAL"
}

Tip

For CVSS 4.0, the API server defines Subsequent System Impact Metrics as optional.

Therefore, you can neglect SC, SI and SA from your provided vector string. The backend will automatically set those to N (None).

OWASP Risk Rating

Implements the OWASP Risk Rating Methodology based on 16 factors split across Likelihood and Impact.

# with optional parentheses
curl "http://127.0.0.1:5000/owasp?vector=(SL:5/M:5/O:5/S:5/ED:5/EE:5/A:5/ID:5/LC:5/LI:5/LAV:5/LAC:5/FD:5/RD:5/NC:5/PV:5)"
# without parentheses
curl "http://127.0.0.1:5000/owasp?vector=SL:5/M:5/O:5/S:5/ED:5/EE:5/A:5/ID:5/LC:5/LI:5/LAV:5/LAC:5/FD:5/RD:5/NC:5/PV:5"

Example response:

{
  "api_version": "0.1.0",
  "impact_label": "MEDIUM",
  "impact_score": 5.0,
  "likelihood_label": "MEDIUM",
  "likelihood_score": 5.0,
  "owasp_vector": "(SL:5/M:5/O:5/S:5/ED:5/EE:5/A:5/ID:5/LC:5/LI:5/LAV:5/LAC:5/FD:5/RD:5/NC:5/PV:5)",
  "risk_severity": "MEDIUM"
}

Vector factors

All factor values must be numeric in the range 0–9.

Group Key Factor
Likelihood SL Skill Level
Likelihood M Motive
Likelihood O Opportunity
Likelihood S Population Size
Likelihood ED Ease of Discovery
Likelihood EE Ease of Exploit
Likelihood A Awareness
Likelihood ID Intrusion Detection
Impact LC Loss of Confidentiality
Impact LI Loss of Integrity
Impact LAV Loss of Availability
Impact LAC Loss of Accountability
Impact FD Financial Damage
Impact RD Reputation Damage
Impact NC Non-Compliance
Impact PV Privacy Violation

Risk severity matrix

Likelihood \ Impact NOTE LOW MEDIUM HIGH
NOTE NOTE NOTE LOW MEDIUM
LOW NOTE NOTE LOW MEDIUM
MEDIUM LOW LOW MEDIUM HIGH
HIGH MEDIUM MEDIUM HIGH CRITICAL

Combine with a TLS reverse proxy. CORS is already allowed on the Flask application.

About

Simple Python Flask API server that returns OWASP/CVSS scores for vector strings

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 2

v0.1.2 Latest
Jun 19, 2026
+ 1 release

Packages

Contributors

Languages