RedHatProductSecurity / cvss-v4-calculator

CVSS v4.0 calculator
https://redhatproductsecurity.github.io/cvss-v4-calculator/
BSD 2-Clause "Simplified" License

Bug/compliance: metrics could be defined more than once #24

Closed pandatix closed 10 months ago

pandatix commented 1 year ago

Hello, according to the currently published specification section "Vector String" it is stated that "A vector string must not include the same metric more than once".

Nevertheless, after #1 you could provide the vector string from the URL as the previous FIRST calculators do (great feature btw 👍). Using this, you could provide, for instance, the vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/AV:A with the AV metric defined twice (head and tail) through the URL https://redhatproductsecurity.github.io/cvss-v4-calculator/#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/AV:A, which is then parsed and considered valid.

Due to the current parsing, the last time a metric is specified in the input, the corresponding value is set. This could be considered part of CWE-20.

Such a bug/compliance issue is common in CVSS implementations, as I observed through many others, and you should consider ensuring each metric is defined at most once (maybe using a map by checking it has not already been processed).
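The parsing behaviour the issue describes, and the map-based fix it suggests, shown side by side as an added example (this is not the cvss-v4-calculator project's own code). It covers only the eleven CVSS v4.0 base metrics and their allowed values; `parseLenient`, `parseStrict`, `vectorFromHash` and the value table are assumptions made for illustration. The duplicate-metric vector is the one quoted in the issue.

```javascript
// Added example (not cvss-v4-calculator's code): parsing a CVSS v4.0 vector
// string taken from the URL fragment, first the way the issue describes
// (last occurrence wins), then with a seen-set so that a metric given more
// than once is rejected, as the specification's "Vector String" section requires.

const CVSS40_PREFIX = "CVSS:4.0";

// Allowed values for the base metrics only (threat, environmental and
// supplemental metrics are left out of this illustration).
const METRIC_VALUES = {
  AV: ["N", "A", "L", "P"],
  AC: ["L", "H"],
  AT: ["N", "P"],
  PR: ["N", "L", "H"],
  UI: ["N", "P", "A"],
  VC: ["H", "L", "N"],
  VI: ["H", "L", "N"],
  VA: ["H", "L", "N"],
  SC: ["H", "L", "N"],
  SI: ["H", "L", "N"],
  SA: ["H", "L", "N"],
};
const BASE_METRICS = Object.keys(METRIC_VALUES);

// Split "NAME:VALUE" and validate it against the table; throws on anything else.
function splitMetric(part) {
  const pieces = part.split(":");
  if (pieces.length !== 2) throw new Error(`malformed metric "${part}"`);
  const [name, value] = pieces;
  if (!(name in METRIC_VALUES) || !METRIC_VALUES[name].includes(value)) {
    throw new Error(`invalid metric "${part}"`);
  }
  return [name, value];
}

// Lenient parse in the style the issue reports: every occurrence overwrites
// the previous one, so ".../AV:N/.../AV:A" silently ends up with AV = A.
function parseLenient(vector) {
  const parts = vector.split("/");
  if (parts.shift() !== CVSS40_PREFIX) throw new Error("missing CVSS:4.0 prefix");
  const metrics = {};
  for (const part of parts) {
    const [name, value] = splitMetric(part);
    metrics[name] = value; // last one wins: the CWE-20 style defect
  }
  return metrics;
}

// Strict parse: a Map records which metrics were already processed, so a
// repeated metric is rejected instead of overwriting the earlier value.
// It also requires every base metric to be present exactly once.
function parseStrict(vector) {
  const parts = vector.split("/");
  if (parts.shift() !== CVSS40_PREFIX) throw new Error("missing CVSS:4.0 prefix");
  const metrics = new Map();
  for (const part of parts) {
    const [name, value] = splitMetric(part);
    if (metrics.has(name)) {
      throw new Error(`metric ${name} is defined more than once`);
    }
    metrics.set(name, value);
  }
  for (const name of BASE_METRICS) {
    if (!metrics.has(name)) throw new Error(`base metric ${name} is missing`);
  }
  return Object.fromEntries(metrics);
}

// Hypothetical entry point for a calculator that reads the vector from
// location.hash: strip the leading "#" and parse strictly.
function vectorFromHash(hash) {
  return parseStrict(hash.startsWith("#") ? hash.slice(1) : hash);
}

// Sample input copied from the issue: AV appears at the head and the tail.
const DUPLICATE_AV_VECTOR =
  "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/AV:A";
const VALID_VECTOR =
  "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N";

// Returns a short summary of how both parsers treat the duplicate vector.
function compareParsers(vector) {
  let strictError = null;
  try {
    parseStrict(vector);
  } catch (e) {
    strictError = e.message;
  }
  return { lenientAV: parseLenient(vector).AV, strictError };
}

console.log(compareParsers(DUPLICATE_AV_VECTOR));
```

With the lenient parser the duplicate vector yields AV = A, i.e. the trailing value silently replaces the one the user saw first in the URL; the strict parser refuses the whole string, which is the behaviour the specification calls for and the check the issue asks the calculator to add.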