RedHatProductSecurity / cvelib

A Python library and command line interface for CVE Services.
MIT License

CVE JSON Validation failure of certain CVSS 4 scores #87

Open trolldbois opened 1 week ago

trolldbois commented 1 week ago

The attached file was generated with vulnogram.github.io CVE-0000-1234.json

cvelib fails when trying to validate that file.

from cvelib import cve_api
import json

# Record generated with Vulnogram (attached to this issue)
filename = 'CVE-0000-1234.json'
with open(filename, 'r') as f:
    record_data_json = json.load(f)

try:
    cve_api.CveRecord.validate(record_data_json, cve_api.CveRecord.Schemas.V5_SCHEMA)
    print('Success')
except cve_api.CveRecordValidationError as e:
    print('Failure - CVSS base score validation error')
    print(e)

A deep dive seems to point to a failure in the jsonschema dependency (see https://github.com/python-jsonschema/jsonschema/issues/1274), where jsonschema fails to validate a number in a range. The error comes back as "7.1 is not a multiple of 0.1".

trolldbois commented 1 week ago

The issue has a solution here: https://github.com/python-jsonschema/jsonschema/issues/1274#issuecomment-2200726793

The solution is to load json files with parse_float=decimal.Decimal

trolldbois commented 1 week ago

Deep down, the error boils down to the CVSS v4 baseScore comparison to being a multiple of 0.1:

# jsonschema._keywords:L172
# quotient = instance / dB
# where instance == 7.1 and dB == 0.1
>>> 7.1/0.1
70.99999999999999

This fails the verification (L174) that int(70.9999...) == 70.9999..., and therefore the baseScore in CVSS 4 fails validation.

trolldbois commented 5 days ago

On Apr 18 2024, CVEProject/cve-schema seems to have partially fixed/avoided this problem by changing the cvssv4 schema scoreType to list all decimal values, instead of using multipleOf: https://github.com/CVEProject/cve-schema/commit/84a2b1ed8bf98218a822843e06236c1e91cae0f8

Conclusion: There is a new json schema for cvss v4 https://github.com/CVEProject/cve-schema/blob/84a2b1ed8bf98218a822843e06236c1e91cae0f8/schema/imports/cvss/cvss-v4.0.json that also fixes this problem by removing the usage of multipleOf, therefore avoiding the "float bug"

https://github.com/CVEProject/cve-schema/releases/tag/v5.1.0
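The three points made in the comments above (the float quotient failing the multipleOf test, parse_float=decimal.Decimal making it exact, and the 5.1.0 schema sidestepping the arithmetic by listing every permitted value) can be reproduced without cvelib or jsonschema. The following is an added example, not code from this issue or from cvelib; the record and schema fragments are constructed, and check_multiple_of is an illustrative rewrite of the quotient-based test quoted from jsonschema._keywords, not jsonschema's own function. It assumes that the record and the schema are parsed with the same parse_float, since dividing a Decimal instance by a float divisor would raise a TypeError rather than validate.

```python
import json
from decimal import Decimal

# Constructed inputs (not the attached CVE-0000-1234.json): a CVSS v4 fragment
# and two schema fragments for baseScore, one using multipleOf as the older
# cvss-v4.0.json did, one listing every permitted value as cve-schema 5.1.0 does.
RECORD_TEXT = '{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "baseSeverity": "HIGH"}}'
MULTIPLE_OF_SCHEMA_TEXT = '{"type": "number", "minimum": 0, "maximum": 10, "multipleOf": 0.1}'
ENUM_SCHEMA_TEXT = '{"enum": [' + ", ".join(f"{i / 10:.1f}" for i in range(101)) + "]}"


def load(text, parse_float=float):
    """Parse JSON text; parse_float decides whether numbers with a fraction
    become float (json's default) or decimal.Decimal."""
    return json.loads(text, parse_float=parse_float)


def check_multiple_of(instance, divisor):
    """Quotient-based multipleOf test as quoted in the thread: divide, then
    require the quotient to be a whole number. Illustrative rewrite, not
    jsonschema's own function."""
    quotient = instance / divisor
    return int(quotient) == quotient


def validate_base_score(record_text, schema_text, parse_float=float):
    """Return True if baseScore satisfies the schema fragment. Both documents
    are parsed with the same parse_float so instance and schema numbers share
    one type (a Decimal divided by a float raises TypeError)."""
    record = load(record_text, parse_float)
    schema = load(schema_text, parse_float)
    score = record["cvssV4_0"]["baseScore"]
    if "enum" in schema:
        # Membership test only; no division, so no rounding error to hit
        return score in schema["enum"]
    if not (schema["minimum"] <= score <= schema["maximum"]):
        return False
    return check_multiple_of(score, schema["multipleOf"])


def float_multiple_of():
    # 7.1 / 0.1 == 70.99999999999999 in binary floating point -> rejected
    return validate_base_score(RECORD_TEXT, MULTIPLE_OF_SCHEMA_TEXT)


def decimal_multiple_of():
    # Decimal("7.1") / Decimal("0.1") == Decimal("71") -> accepted
    return validate_base_score(RECORD_TEXT, MULTIPLE_OF_SCHEMA_TEXT, Decimal)


def float_enum():
    # 7.1 parsed from the record equals 7.1 parsed from the schema's list,
    # so the enum form passes with plain floats
    return validate_base_score(RECORD_TEXT, ENUM_SCHEMA_TEXT)


if __name__ == "__main__":
    print("multipleOf with float:  ", float_multiple_of())
    print("multipleOf with Decimal:", decimal_multiple_of())
    print("enum with float:        ", float_enum())
```

Running it prints False, True, True: the same 7.1 is rejected by the multipleOf rule under float parsing, accepted once both files are loaded as Decimal, and accepted by the enum-based rule with no change to the loader at all, which is why updating the bundled schema resolves the report without touching how cvelib reads JSON.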

mprpic commented 2 hours ago

Updated to the latest schema files in the linked PR; the 5.1.0 schema that was included in cvelib was I guess still the RC version. I tested the record attached here against the newer schema and it validates correctly.