0llirocks / cvss-suite

CvssSuite - This Ruby gem helps you to process the vector of the Common Vulnerability Scoring System.
https://cvss-suite.0lli.rocks

undefined method `-' for nil:NilClass (NoMethodError) for CVSS 4.0 vector string #46

Closed mpurusottamc closed 1 week ago

mpurusottamc commented 3 weeks ago

While trying to calculate the score & severity for a CVSS 4.0 vector string, I am getting the below error:

 undefined method `-' for nil:NilClass (NoMethodError)

severity_distance_av = AV_LEVELS[m('AV')] - AV_LEVELS[extract_value_metric('AV', max_vector)]

Here's the code:

require 'cvss_suite'

# CVSS 4.0 vector from GHSA-99hm-86h7-gr3g (see reference URLs below)
vector_string = "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
cvss = CvssSuite.new(vector_string)
# Raises NoMethodError inside the gem's environmental metric calculation
environmental_score = cvss.environmental&.score

Version of cvss-suite gem: 3.2.2
Version of Ruby: ruby 3.2.2 (2023-03-30 revision e51014f9c0) [arm64-darwin23]

Reference URLs:
https://osv.dev/vulnerability/GHSA-99hm-86h7-gr3g
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Appreciate any help on this.
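As an added, self-contained Ruby example (not code from the cvss-suite gem or from this issue), the following parses and validates a CVSS 4.0 vector string like the one reported above, so that a missing or unknown metric raises a clear error instead of a nil lookup turning into a NoMethodError later. Metric names and allowed values, and the qualitative severity scale, are taken from the CVSS v4.0 specification; the function and class names are this example's own.

```ruby
# Added example (not cvss-suite code): parse and validate a CVSS 4.0 vector so a
# missing or unknown metric raises a clear error instead of a later NoMethodError on nil.
# Allowed values of the eleven mandatory base metrics (CVSS v4.0 specification);
# optional threat/environmental/supplemental metrics are accepted by name only.
CVSS4_BASE_METRICS = {
  'AV' => %w[N A L P], 'AC' => %w[L H], 'AT' => %w[N P],
  'PR' => %w[N L H], 'UI' => %w[N P A],
  'VC' => %w[H L N], 'VI' => %w[H L N], 'VA' => %w[H L N],
  'SC' => %w[H L N], 'SI' => %w[H L N], 'SA' => %w[H L N]
}.freeze
CVSS4_OPTIONAL_METRICS = %w[E CR IR AR MAV MAC MAT MPR MUI MVC MVI MVA MSC MSI MSA
                            S AU R V RE U].freeze

class Cvss4VectorError < StandardError; end

# Parses "CVSS:4.0/AV:N/AC:L/..." into { 'AV' => 'N', ... }, rejecting bad input early.
def parse_cvss4_vector(vector)
  prefix, *pairs = vector.to_s.split('/')
  raise Cvss4VectorError, "unsupported prefix #{prefix.inspect}" unless prefix == 'CVSS:4.0'
  metrics = {}
  pairs.each do |pair|
    key, value = pair.split(':', 2)
    raise Cvss4VectorError, "duplicate metric #{key}" if metrics.key?(key)
    if (allowed = CVSS4_BASE_METRICS[key])
      raise Cvss4VectorError, "invalid value #{value.inspect} for #{key}" unless allowed.include?(value)
    elsif !CVSS4_OPTIONAL_METRICS.include?(key) || value.to_s.empty?
      raise Cvss4VectorError, "unknown or malformed metric #{pair.inspect}"
    end
    metrics[key] = value
  end
  missing = CVSS4_BASE_METRICS.keys - metrics.keys
  raise Cvss4VectorError, "missing base metrics: #{missing.join(', ')}" unless missing.empty?
  metrics
end

# Looks a metric up by name, raising instead of silently returning nil.
def metric_value(metrics, name)
  metrics.fetch(name) { raise Cvss4VectorError, "metric #{name} not present" }
end

# Qualitative severity rating for a CVSS 4.0 score (CVSS v4.0 specification).
def cvss4_severity(score)
  case score
  when 0.0 then 'None'
  when 0.1..3.9 then 'Low'
  when 4.0..6.9 then 'Medium'
  when 7.0..8.9 then 'High'
  when 9.0..10.0 then 'Critical'
  else raise ArgumentError, "score out of range: #{score}"
  end
end
# Sample input: the vector string from the report above.
puts parse_cvss4_vector('CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N').inspect
```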

0llirocks commented 3 weeks ago

Hello @mpurusottamc, thank you for reporting this issue. I think the metrics are currently not completely functional for cvss 4. I will fix this in the next few days (or maybe a few weeks). But just to let you know, the environmental score will always return the overall score. Cvss 4 only provides one score, which will always be returned, even if no environmental score is provided.

mpurusottamc commented 3 weeks ago

@0llirocks Thanks for the clarification. Helpful.

I will use the overall score instead of environmental score.

0llirocks commented 1 week ago

@mpurusottamc Since returning the overall score for a specific metric is wrong and misleading, I decided to completely remove the score attribute from the metrics starting with cvss v4. This change will be included in version 4.0.0 of this gem, since it is a breaking change.

0llirocks commented 1 week ago

Behaviour is changed in 4.0.0

mpurusottamc commented 22 hours ago

@0llirocks Makes sense. I will upgrade to the 4.x version and verify. Thanks for making the adjustments.